  • 5 commits
  • 19 files changed
  • 0 commit comments
  • 2 contributors
2  datas/cache/templates/index.html
@@ -0,0 +1,2 @@
+<h1>Forbidden</h1>
+<!-- No directory listing available -->
2  datas/config-sample.php
@@ -27,6 +27,8 @@
// ========================
$cfg['mainurl'] = 'http://localhost';
+$cfg['site_id'] = 'Some unique string specific to your site';
+$cfg['secret_key'] = 'Secret key used for authentication, make it unique and keep in secret!';
// ========================
// Default skin and default language
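Review bot: The sample text on the new `$cfg['secret_key']` line is itself a usable key, so an installation that copies config-sample.php and never edits it will HMAC its login cookies (common.php and users.auth.inc.php in this same compare) with a value that is public in this repository, which removes the protection those changes add. Safer is to ship the sample empty, `$cfg['secret_key'] = ''; // REQUIRED: set a long random string, e.g. from bin2hex(openssl_random_pseudo_bytes(32))`, and have common.php refuse to run while it is empty. `$cfg['site_id']` appears to be used as the cookie/session name, so a shared default there is only an inconvenience, but the same "fill me in" comment would help.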
7 plugins/passrecover/passrecover.php
@@ -116,7 +116,12 @@ function sed_randompass()
$validationkey = md5(microtime());
$newpass = sed_randompass();
- $sql = sed_sql_query("UPDATE $db_users SET user_password='".md5($newpass)."', user_lostpass='$validationkey' WHERE user_id='$ruserid'");
+ $ruserpass = array();
+ $ruserpass['user_passsalt'] = sed_unique(16);
+ $ruserpass['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
+ $ruserpass['user_password'] = sed_hash($newpass, $ruserpass['user_passsalt'], $ruserpass['user_passfunc']);
+ $ruserpass['user_lostpass'] = $validationkey;
+ sed_sql_update($db_users, "user_id=$ruserid", $ruserpass);
$rsubject = $cfg['maintitle']." - ".$L['plu_title'];
$rbody = $L['Hi']." ".$rusername.",\n\n".$L['plu_email2']."\n\n".$newpass. "\n\n".$L['aut_contactadmin'];
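Review bot: The three added lines that draw a salt with `sed_unique(16)`, resolve `$cfg['hashfunc']` with the sha256 fallback and call `sed_hash()` are repeated verbatim in users.edit.inc.php and users.register.inc.php in this compare; a single helper in functions.php, say `sed_hash_password($plain)` returning the `user_password`/`user_passsalt`/`user_passfunc` triple, would keep the salt length and the fallback in one place (the fallback is also already the default argument of `sed_hash()`, so it is currently spelled twice). Separately, the context line `$validationkey = md5(microtime());` is not changed here but feeds `user_lostpass`, and microtime() is predictable to within a narrow window; the same generator used for the salt, if `sed_unique()` is cryptographically random, or `bin2hex(openssl_random_pseudo_bytes(16))`, would be a stronger reset token. The surrounding block starts before the hunk.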
1  plugins/tags/lang/tags.en.lang.php
@@ -41,6 +41,7 @@
$L['cfg_order'] = array('Cloud output order &mdash; alphabetical, descending frequency or random');
$L['cfg_pages'] = array('Enable tags in pages');
$L['cfg_perpage'] = array('Tags displayed per page in standalone cloud, 0 is all at once');
+$L['cfg_sort'] = array('Default sorting column for tag search results');
$L['cfg_title'] = array('Capitalize first letters of keywords');
$L['cfg_translit'] = array('Transliterate tags in URLs');
1  plugins/tags/lang/tags.ru.lang.php
@@ -47,6 +47,7 @@
$L['cfg_order'] = array('Сортировка облака тегов','по алфавиту, по убыванию частотности, случайным образом');
$L['cfg_pages'] = array('Включить теги для страниц');
$L['cfg_perpage'] = array('Тегов на странице в облаке всех тегов, 0 - все теги сразу');
+$L['cfg_sort'] = array('Сортировка по умолчанию в результатах поиска по тегам');
$L['cfg_title'] = array('Первые буквы тегов прописными');
$L['cfg_translit'] = array('Транслитерировать теги в URL-адресах');
4 plugins/tags/tags.php
@@ -39,6 +39,10 @@
// Sorting order
$o = sed_import('order', 'P', 'ALP');
+if (empty($o))
+{
+ $o = mb_strtolower($cfg['plugin']['tags']['sort']);
+}
$tag_order = '';
$tag_orders = array('Title', 'Date', 'Category');
foreach ($tag_orders as $order)
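Review bot: The fallback `$o = mb_strtolower($cfg['plugin']['tags']['sort'])` lowercases the configured column, but the loop that follows iterates `$tag_orders = array('Title', 'Date', 'Category')` in title case, so unless the loop body (outside the hunk) lowercases `$order` as well, a configured default can never match and `$tag_order` stays `''`. The config's own default `ID` (tags.setup.php and the SQL rows in this compare) is also absent from `$tag_orders`; if that is meant to yield the natural table order it deserves a comment, e.g. `// 'ID' (the config default) is not in $tag_orders and leaves $tag_order empty`. If case-insensitive matching is intended, applying `mb_strtolower()` to the POSTed value too would make both paths behave alike.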
7 plugins/tags/tags.setup.php
@@ -4,10 +4,10 @@
Code=tags
Name=Tags
Description=Basic Tags implementation
-Version=0.0.6
-Date=2009-jun-28
+Version=0.6.24
+Date=2012-07-30
Author=Trustmaster
-Copyright=All rights reserved (c) 2008-2009, Vladimir Sibirov.
+Copyright=All rights reserved (c) 2008-2012, Vladimir Sibirov.
Notes=BSD License.
SQL=
Auth_guests=R
@@ -29,6 +29,7 @@
more=10:radio::1:Show 'All tags' link in tag clouds
perpage=11:string::0:Tags displayed per page in standalone cloud, 0 is all at once
index=12:select:pages,forums,all:pages:Index page tag cloud area
+sort=31:select:ID,Title,Date,Category:ID:Default sorting column for tag search results
[END_SED_EXTPLUGIN_CONFIG]
==================== */
6 sql/cotonti-install.sql
@@ -320,6 +320,7 @@ INSERT INTO `sed_config` (`config_owner`, `config_cat`, `config_order`, `config_
('core', 'main', '20', 'shieldzhammer', 2, '25', '', ''),
('core', 'main', '30', 'jquery', 3, '1', '', ''),
('core', 'main', '31', 'turnajax', 3, '1', '1', ''),
+('core', 'main', '42', 'hashfunc', 1, 'sha256', '',''),
('core', 'parser', '10', 'parser_custom', 3, '0', '', ''),
('core', 'parser', '10', 'parser_cache', 3, '1', '', ''),
('core', 'parser', '10', 'parser_disable', 3, '0', '', ''),
@@ -493,6 +494,7 @@ INSERT INTO `sed_config` (`config_owner`, `config_cat`, `config_order`, `config_
('plug', 'tags', '9', 'lim_index', 1, '0', '', ' Limit of tags in a cloud displayed on index, 0 is unlimited'),
('plug', 'tags', '10', 'more', 3, '1', '', 'Show All Tags link in tag clouds'),
('plug', 'tags', '12', 'index', 2, 'pages', 'pages,forums,all', 'Index page tag cloud area'),
+('plug', 'tags', '31', 'sort', 2, 'ID', 'ID,Title,Date,Category', 'Default sorting column for tag search results'),
('core', 'comments', '03', 'expand_comments', 3, '1', '', ''),
('core', 'ratings', '02', 'ratings_allowchange', 3, '0', '', ''),
('core', 'comments', '04', 'maxcommentsperpage', 2, '15', '', ''),
@@ -977,7 +979,9 @@ CREATE TABLE `sed_users` (
`user_id` int(11) unsigned NOT NULL auto_increment,
`user_banexpire` int(11) default '0',
`user_name` varchar(100) collate utf8_unicode_ci NOT NULL,
- `user_password` varchar(32) collate utf8_unicode_ci NOT NULL default '',
+ `user_password` varchar(224) collate utf8_unicode_ci NOT NULL default '',
+ `user_passfunc` VARCHAR(32) NOT NULL default 'sha256',
+ `user_passsalt` VARCHAR(16) NOT NULL default '',
`user_maingrp` int(11) NOT NULL default '4',
`user_country` char(2) collate utf8_unicode_ci NOT NULL default '',
`user_text` text collate utf8_unicode_ci NOT NULL,
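Review bot: The new `hashfunc` config row uses `config_type` 1 with an empty option column, which — going by the `tags`/`sort` row in the same file, type 2 with `ID,Title,Date,Category` as its options — appears to render as a free-text field, so an administrator can type an unregistered name; `sed_hash()` then silently falls back to sha256 while the typed name is what gets stored in `user_passfunc`. Declaring it as a select over the registered names, `('core', 'main', '42', 'hashfunc', 2, 'sha256', 'md5,sha1,sha256', ''),` here, in sql/patch-0.6.23-0.6.24.sql and in sed_loadconfigmap() in system/functions.admin.php, keeps the stored value inside `$sed_hash_funcs` (which is what `sed_hash_funcs()` is documented as existing for). The added `user_passfunc` and `user_passsalt` columns also omit the `collate utf8_unicode_ci` every neighbouring varchar column carries; both hold ASCII only, so this is harmless, but stating the collation explicitly would make the intent visible.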
9 sql/patch-0.6.23-0.6.24.sql
@@ -0,0 +1,9 @@
+ALTER TABLE `sed_users` MODIFY `user_password` varchar(224) collate utf8_unicode_ci NOT NULL default '';
+ALTER TABLE `sed_users` ADD `user_passfunc` VARCHAR(32) NOT NULL default 'sha256';
+ALTER TABLE `sed_users` ADD `user_passsalt` VARCHAR(16) NOT NULL default '';
+
+UPDATE `sed_users` SET `user_passfunc` = 'md5';
+
+INSERT INTO `sed_config` (`config_owner`, `config_cat`, `config_order`, `config_name`, `config_type`, `config_value`, `config_default`, `config_text`) VALUES
+('core', 'main', '42', 'hashfunc', 1, 'sha256', '',''),
+('plug', 'tags', '31', 'sort', 2, 'ID', 'ID,Title,Date,Category', 'Default sorting column for tag search results');
10 system/common.php
@@ -51,7 +51,7 @@ function sed_disable_mqgpc(&$value, $key)
}
// Mbstring options
-mb_internal_encoding($cfg['charset']);
+mb_internal_encoding('UTF-8');
/* ======== Extra settings (the other presets are in functions.php) ======== */
@@ -226,14 +226,14 @@ function sed_disable_mqgpc(&$value, $key)
{
$u = empty($_SESSION[$site_id]) ? explode(':', base64_decode($_COOKIE[$site_id])) : explode(':', base64_decode($_SESSION[$site_id]));
$u_id = (int) sed_import($u[0], 'D', 'INT');
- $u_sid = sed_sql_prep($u[1]);
+ $u_sid = $u[1];
if ($u_id > 0)
{
- $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id = $u_id AND user_sid = '$u_sid'");
-
+ $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id = $u_id");
if ($row = sed_sql_fetcharray($sql))
{
- if ($row['user_maingrp'] > 3
+ if ($u_sid == hash_hmac('sha1', $row['user_sid'], $cfg['secret_key'])
+ && $row['user_maingrp'] > 3
&& ($cfg['ipcheck'] == FALSE || $row['user_lastip'] == $usr['ip'])
&& $row['user_sidtime'] + $cfg['cookielifetime'] > $sys['now_offset'])
{
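Review bot: The cookie check `$u_sid == hash_hmac('sha1', $row['user_sid'], $cfg['secret_key'])` uses PHP's loose comparison: when both operands look numeric (a digest consisting only of digits with a leading `0e`, for instance) `==` compares them as numbers, so distinct strings can compare equal; use `hash_equals($u_sid, hash_hmac('sha1', $row['user_sid'], $cfg['secret_key']))` where PHP 5.6+ is available and at least `!==`/`===` otherwise, which also removes the early-exit timing difference of a plain string compare. `$u[1]` is taken straight from the decoded cookie and is not set when the value contains no colon, so an `isset($u[1])` guard before `$u_sid = $u[1]` would avoid a notice on a malformed cookie. Dropping `user_sid` from the WHERE clause is fine now that the HMAC is verified in PHP, but an empty `$cfg['secret_key']` (an upgraded site that never added it to config.php) still produces a deterministic HMAC, so the check should refuse authentication while the key is empty. The enclosing block begins before the hunk.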
2  system/core/admin/admin.hits.inc.php
@@ -37,7 +37,7 @@
if($f == 'year' || $f == 'month')
{
$adminpath[] = array(sed_url('admin', 'm=hits&f='.$f.'&v='.$v), "(".$v.")");
- $sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '$v%' ORDER BY stat_name DESC");
+ $sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '".sed_sql_prep($v)."%' ORDER BY stat_name DESC");
while($row = sed_sql_fetcharray($sql))
{
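Review bot: `sed_sql_prep($v)` quotes `$v` for the string literal but presumably does not escape the LIKE metacharacters `%` and `_`, so a value containing them widens the prefix match beyond the intended year or month; escaping them first, `sed_sql_prep(addcslashes($v, '%_'))`, keeps the pattern literal. Where `$v` comes from is outside the hunk, so whether it is already constrained to digits cannot be seen here; if it is, a comment saying so next to the query would save the next reader the same question. The same `$v` is also concatenated into the breadcrumb text on the line above the query without escaping, which this commit does not touch.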
14 system/core/users/users.auth.inc.php
@@ -34,7 +34,7 @@
/* ===== */
$rusername = sed_import('rusername','P','TXT', 100, TRUE);
- $rpassword = sed_import('rpassword','P','PSW', 16, TRUE);
+ $rpassword = sed_import('rpassword','P','TXT', 16, TRUE);
$rcookiettl = sed_import('rcookiettl', 'P', 'INT');
$rremember = sed_import('rremember', 'P', 'BOL');
if(empty($rremember) && $rcookiettl > 0 || $cfg['forcerememberme'])
@@ -46,6 +46,15 @@
$login_param = preg_match('#^[\w\p{L}][\.\w\p{L}\-]*@[\w\p{L}\.\-]+\.[\w\p{L}]+$#u', $rusername) ?
'user_email' : 'user_name';
+ // Load salt and algo from db
+ $sql = sed_sql_query("SELECT user_passsalt, user_passfunc FROM $db_users WHERE $login_param='".sed_sql_prep($rusername)."'");
+ if (sed_sql_numrows($sql) == 1)
+ {
+ $hash_params = sed_sql_fetchassoc($sql);
+ $rmdpass = sed_hash($rpassword, $hash_params['user_passsalt'], $hash_params['user_passfunc']);
+ unset($hash_params);
+ }
+
/**
* Sets user selection criteria for authentication. Override this string in your plugin
* hooking into users.auth.check.query to provide other authentication methods.
@@ -108,6 +117,9 @@
sed_sql_query("UPDATE $db_users SET user_lastip='{$usr['ip']}', user_lastlog = {$sys['now_offset']}, user_logcount = user_logcount + 1, user_token = '$token' $update_sid WHERE user_id={$row['user_id']}");
+ // Hash the sid once more so it can't be faked even if you know user_sid
+ $sid = hash_hmac('sha1', $sid, $cfg['secret_key']);
+
$u = base64_encode($ruserid.':'.$sid);
if($rremember)
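Review bot: `$rmdpass` is now assigned only inside `if (sed_sql_numrows($sql) == 1)`, so for an unknown user name, or a name matching more than one row, the authentication query later in this file (outside the hunk) reads an undefined variable; initialise it before the lookup, `$rmdpass = '';`, or hash against a dummy salt in an else branch so a known and an unknown account take the same code path. The `'PSW'` → `'TXT'` filter change on `rpassword` is presumably needed because the old filter pre-hashed the value; it must match whatever filter the registration form applies to `rpassword1`, otherwise a password containing characters the TXT filter alters would never verify — a comment stating that dependency next to the line would help. Nothing upgrades accounts the migration marks `md5`: after the successful `UPDATE ... user_logcount` query the plaintext is still in `$rpassword`, so a legacy hash can be re-hashed with a fresh salt and the configured function as sketched below (assuming the auth `SELECT` returns the `user_pass*` columns in `$row`).
```php
// … unchanged: UPDATE $db_users SET user_lastip=... query …
// Upgrade legacy (e.g. md5) hashes to the configured function while the plaintext is available
$pass_func = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
if ($row['user_passfunc'] !== $pass_func || $row['user_passsalt'] === '')
{
    $pass_salt = sed_unique(16);
    sed_sql_update($db_users, "user_id={$row['user_id']}", array(
        'user_password' => sed_hash($rpassword, $pass_salt, $pass_func),
        'user_passsalt' => $pass_salt,
        'user_passfunc' => $pass_func
    ));
}
// … unchanged: sid HMAC, cookie and session setup …
```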
19 system/core/users/users.edit.inc.php
@@ -110,7 +110,7 @@
$ruserextrafields[] = $import;
$urr['user_'.$row[ 'field_name']] = $import;
}
-
+
if ($ruserdelete)
{
if ($sys['user_istopadmin'] && !$sys['edited_istopadmin'])
@@ -138,7 +138,18 @@
if (empty($error_string))
{
- $ruserpassword = (mb_strlen($rusernewpass)>0) ? md5($rusernewpass) : $urr['user_password'];
+ if (mb_strlen($rusernewpass) > 0)
+ {
+ $ruser['user_passsalt'] = sed_unique(16);
+ $ruser['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
+ $ruser['user_password'] = sed_hash($rusernewpass, $ruser['user_passsalt'], $ruser['user_passfunc']);
+ }
+ else
+ {
+ $ruser['user_password'] = $urr['user_password'];
+ $ruser['user_passsalt'] = $urr['user_passsalt'];
+ $ruser['user_passfunc'] = $urr['user_passfunc'];
+ }
if ($rusername=='')
{ $rusername = $urr['user_name']; }
@@ -192,7 +203,9 @@
$ssql = "UPDATE $db_users SET
user_banexpire='$rbanexpire',
user_name='".sed_sql_prep($rusername)."',
- user_password='".sed_sql_prep($ruserpassword)."',
+ user_password='".sed_sql_prep($ruser['user_password'])."',
+ user_passsalt='".sed_sql_prep($ruser['user_passsalt'])."',
+ user_passfunc='".sed_sql_prep($ruser['user_passfunc'])."',
user_country='".sed_sql_prep($rusercountry)."',
user_text='".sed_sql_prep($rusertext)."',
user_avatar='".sed_sql_prep($ruseravatar)."',
4 system/core/users/users.logout.inc.php
@@ -41,11 +41,11 @@
sed_sql_query("UPDATE $db_users SET user_lastvisit = {$sys['now_offset']} WHERE user_id = " . $usr['id']);
sed_sql_query("DELETE FROM $db_online WHERE online_ip='{$usr['ip']}'");
- $all = cot_import('all', 'G', 'BOL');
+ $all = sed_import('all', 'G', 'BOL');
if ($all)
{
// Log out on all devices
- $db->update($db_users, array('user_sid' => ''), "user_id = " . $usr['id']);
+ sed_sql_query("UPDATE $db_users SET user_sid = '' WHERE user_id = " . $usr['id']);
}
sed_uriredir_redirect(empty($redirect) ? sed_url('index') : base64_decode($redirect));
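Review bot: `$all = sed_import('all', 'G', 'BOL')` reads the log-out-everywhere switch from the query string, so clearing `user_sid` for every device is triggered by a plain GET link that any third-party page can embed; since login already stores a per-user `user_token` (users.auth.inc.php in this compare), requiring that token in the request, or a POST, before the `UPDATE` keeps the action under the user's control. Switching from `$db->update()` back to `sed_sql_query()` is the right backport, but `$usr['id']` is concatenated unquoted, which is safe only while it is always an integer — `(int) $usr['id']` would make that explicit. The enclosing block starts before the hunk.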
21 system/core/users/users.register.inc.php
@@ -112,7 +112,10 @@
else
{ $defgroup = ($cfg['regnoactivation']) ? 4 : 2; }
- $mdpass = md5($rpassword1);
+ $ruser['user_passsalt'] = sed_unique(16);
+ $ruser['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
+ $ruser['user_password'] = sed_hash($rpassword1, $ruser['user_passsalt'], $ruser['user_passfunc']);
+
if ($rmonth=='x' || $rday=='x' || $ryear=='x' || empty($rmonth) || empty($rday) || empty($ryear))
{
$ruserbirthdate = '0000-00-00';
@@ -144,6 +147,8 @@
$ssql = "INSERT into $db_users
(user_name,
user_password,
+ user_passsalt,
+ user_passfunc,
user_maingrp,
user_country,
user_location,
@@ -169,7 +174,9 @@
user_lastip)
VALUES
('".sed_sql_prep($rusername)."',
- '$mdpass',
+ '".sed_sql_prep($ruser['user_password'])."',
+ '".sed_sql_prep($ruser['user_passsalt'])."',
+ '".sed_sql_prep($ruser['user_passfunc'])."',
".(int)$defgroup.",
'".sed_sql_prep($rcountry)."',
'".sed_sql_prep($rlocation)."',
@@ -250,7 +257,7 @@
if ($row = sed_sql_fetcharray($sql))
{
-
+
if ($row['user_maingrp'] == 2)
{
@@ -307,10 +314,10 @@
$timezonelist = array ('-12', '-11', '-10', '-09', '-08', '-07', '-06', '-05', '-04', '-03', '-03.5', '-02', '-01', '+00', '+01', '+02', '+03', '+03.5', '+04', '+04.5', '+05', '+05.5', '+06', '+07', '+08', '+09', '+09.5', '+10', '+11', '+12');
$form_timezone = "<select name=\"rtimezone\" size=\"1\">";
-foreach($timezonelist as $x)
-{
- $f = (float) $x;
- $selected = ($f==$rtimezone) ? "selected=\"selected\"" : '';
+foreach($timezonelist as $x)
+{
+ $f = (float) $x;
+ $selected = ($f==$rtimezone) ? "selected=\"selected\"" : '';
$form_timezone .= "<option value=\"$f\" $selected>GMT ".$x."</option>";
}
$form_timezone .= "</select> ".$usr['gmttime']." / ".date($cfg['dateformat'], $sys['now_offset'] + $usr['timezone']*3600)." ".$usr['timetext'];
1  system/functions.admin.php
@@ -261,6 +261,7 @@ function sed_loadconfigmap()
$result[] = array ('main', '29', 'redirbkonlogout', 3, '0', ''); // N-0.6.1
$result[] = array ('main', '30', 'jquery', 3, '1', '');
$result[] = array ('main', '31', 'turnajax', 3, '1', '');
+ $result[] = array ('main', '42', 'hashfunc', 1, 'sha256', '');
$result[] = array ('parser', '10', 'parser_cache', 3, '1', '');
$result[] = array ('parser', '10', 'parser_custom', 3, '0', '');
$result[] = array ('parser', '10', 'parser_disable', 3, '0', '');
90 system/functions.php
@@ -3,7 +3,7 @@
* Main function library.
*
* @package Cotonti
- * @version 0.6.23
+ * @version 0.6.24
* @author Neocrome, Cotonti Team
* @copyright Copyright (c) 2008-2011 Cotonti Team
* @license BSD License
@@ -37,8 +37,8 @@
//unset ($warnings, $moremetas, $morejavascript, $error_string, $sed_cat, $sed_smilies, $sed_acc, $sed_catacc, $sed_rights, $sed_config, $sql_config, $sed_usersonline, $sed_plugins, $sed_groups, $rsedition, $rseditiop, $rseditios, $tcount, $qcount)
$cfg['svnrevision'] = '$Rev$'; //DO NOT MODIFY this is set by SVN automatically
-$cfg['version'] = '0.6.23';
-$cfg['dbversion'] = '0.6.23';
+$cfg['version'] = '0.6.24';
+$cfg['dbversion'] = '0.6.24';
if($cfg['customfuncs'])
{
@@ -56,6 +56,11 @@
}
/**
+ * Registry for hash functions
+ */
+$sed_hash_funcs = array('md5', 'sha1', 'sha256');
+
+/**
* Strips everything but alphanumeric, hyphens and underscores
*
* @param string $text Input
@@ -1169,7 +1174,7 @@ function sed_build_extrafields($rowname, $tpl_tag, $extrafields, $data=array(),
isset($L[$rowname.'_'.$row['field_name'].'_title']) ? $t->assign($tpl_tag.'_'.strtoupper($row['field_name']).'_TITLE', $L[$rowname.'_'.$row['field_name'].'_title']) : $t->assign($tpl_tag.'_'.strtoupper($row['field_name']).'_TITLE', $row['field_description']);
$t1 = $tpl_tag.'_'.strtoupper($row['field_name']);
$t2 = $row['field_html'];
- switch($row['field_type'])
+ switch($row['field_type'])
{
case "input":
$t2 = str_replace('<input ','<input name="'.$importrowname.$row['field_name'].'" ', $t2);
@@ -1206,10 +1211,10 @@ function sed_build_extrafields($rowname, $tpl_tag, $extrafields, $data=array(),
{
$var_text = (!empty($L[$rowname.'_'.$row['field_name'].'_'.$var])) ? $L[$rowname.'_'.$row['field_name'].'_'.$var] : $var;
$sel = ($var == $data[$rowname.'_'.$row['field_name']]) ? ' checked="checked"' : '';
- $buttons .= str_replace('/>', 'value="'.$var.'"'.$sel.' />'.$var_text.'&nbsp;&nbsp;', $t2);
+ $buttons .= str_replace('/>', 'value="'.$var.'"'.$sel.' />'.$var_text.'&nbsp;&nbsp;', $t2);
}
$t2 = $buttons;
- break;
+ break;
}
$return_arr[$t1] = $t2;
}
@@ -2073,6 +2078,75 @@ function sed_check_xp()
}
/**
+ * Hashes a value with given salt and specified hash algo.
+ *
+ * @global array $sed_hash_func
+ * @param string $data Data to be hash-protected
+ * @param string $salt Hashing salt, usually a random value
+ * @param string $algo Hashing algo name, must be registered in $sed_hash_funcs
+ * @return string Hashed value
+ */
+function sed_hash($data, $salt = '', $algo = 'sha256')
+{
+ global $cfg, $sed_hash_funcs;
+ if (isset($cfg['hashsalt']) && !empty($cfg['hashsalt']))
+ {
+ // Extra salt for extremely secure sites
+ $salt .= $cfg['hashsalt'];
+ }
+ $func = (in_array($algo, $sed_hash_funcs) && function_exists('sed_hash_' . $algo)) ? 'sed_hash_' . $algo : 'sed_hash_sha256';
+ return $func($data, $salt);
+}
+
+/**
+ * Returns the list of available hash algos for use with configs.
+ *
+ * @global array $sed_hash_func
+ * @return array
+ */
+function sed_hash_funcs()
+{
+ global $sed_hash_funcs;
+ return $sed_hash_funcs;
+}
+
+/**
+ * Simple MD5 hash wrapper. Old passwords use this func.
+ *
+ * @param string $data Data to be hashed
+ * @param string $salt Hashing salt, usually a random value
+ * @return string MD5 hash of the data
+ */
+function sed_hash_md5($data, $salt)
+{
+ return md5($data . $salt);
+}
+
+/**
+ * SHA1 hash func for use with sed_hash().
+ *
+ * @param string $data Data to be hashed
+ * @param string $salt Hashing salt, usually a random value
+ * @return string SHA1 hash of the data
+ */
+function sed_hash_sha1($data, $salt)
+{
+ return hash('sha1', $data . $salt);
+}
+
+/**
+ * SHA256 hash func for use with sed_hash(). Default since Cotonti 0.9.11.
+ *
+ * @param string $data Data to be hashed
+ * @param string $salt Hashing salt, usually a random value
+ * @return string SHA256 hash of the data
+ */
+function sed_hash_sha256($data, $salt)
+{
+ return hash('sha256', $data . $salt);
+}
+
+/**
* Truncates a post and makes sure parsing is correct
*
* @param string $text Post text
@@ -4644,7 +4718,7 @@ function sed_load_urltrans()
* Splits a query string into keys and values array. In comparison with built-in
* parse_str() function, this doesn't apply addslashes and urldecode to parameters
* and does not support arrays and complex parameters.
- *
+ *
* @param string $str Query string
* @return array
*/
@@ -5127,7 +5201,7 @@ function sed_extrafield_update($sql_table, $oldname, $name, $type, $html, $varia
if ($description != $field['field_description'])
$extf['description'] = $description;
$step1 = sed_sql_update($db_extra_fields, "field_name = '$oldname' AND field_location='$sql_table'", $extf, 'field_') == 1;
-
+
if (!$alter) return $step1;
switch ($type)
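Review bot: `sed_hash()` silently substitutes `sed_hash_sha256` when `$algo` is not in `$sed_hash_funcs` or its wrapper is missing, so a misconfigured `$cfg['hashfunc']` or a corrupt `user_passfunc` value is never surfaced; a `trigger_error("Unknown hash function $algo", E_USER_WARNING);` before the fallback, and `in_array($algo, $sed_hash_funcs, true)`, would make that visible. All three registered functions are a single fast digest over `$data . $salt`, which defeats precomputed tables but not offline guessing against a leaked table; because the registry is pluggable, a slow function (`crypt()` with the Blowfish `$2a$`/`$2y$` prefix, available since PHP 5.3) could be registered and made the default. `$cfg['hashsalt']` is appended to every salt, so enabling it after accounts exist invalidates every stored hash — worth a docblock line such as `Changing $cfg['hashsalt'] invalidates all existing password hashes.`. Both `@global array $sed_hash_func` tags name a variable that does not exist (the registry is `$sed_hash_funcs`), and the sed_hash_sha256 docblock says "Default since Cotonti 0.9.11" in a file whose version this same hunk set bumps to 0.6.24.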
1  system/lang/en/admin.lang.php
@@ -82,6 +82,7 @@
$L['cfg_devmode'] = array('Debugging mode', 'Don\'t let this enabled on live sites');
$L['cfg_disablehitstats'] = array('Disable hit statistics', 'Referers and hits per day');
$L['cfg_gzip'] = array('Gzip', 'Gzip compression of the HTML output');
+$L['cfg_hashfunc'] = array('Default hash function', 'Used to hash passwords');
$L['cfg_hostip'] = array('Server IP', 'The IP of the server, optional.');
$L['cfg_jquery'] = array('Enable jQuery', ''); // New in N-0.0.1
$L['cfg_maintenance'] = array('Maintenance mode', 'Let only authorized personel access to site'); // New in N-0.0.2
1  system/lang/ru/admin.lang.php
@@ -82,6 +82,7 @@
$L['cfg_devmode'] = array('Режим отладки', 'Только для отладки под localhost');
$L['cfg_disablehitstats'] = array('Отключить статистику', 'Рефереры и хиты за день');
$L['cfg_gzip'] = array('Gzip', 'Gzip-сжатие для исходящего HTML-кода');
+$L['cfg_hashfunc'] = array('Функция хеширования по умолчанию', 'Используется для хеширования паролей');
$L['cfg_hostip'] = array('IP-адрес сервера', 'Необязательно');
$L['cfg_jquery'] = array('Включить jQuery', ' '); // New in N-0.0.1
$L['cfg_maintenance'] = array('Режим обслуживания', 'Доступа к сайту разрешен только администраторам'); // New in N-0.0.2
