

Merge branch 'development'
nilsteampassnet committed Jun 14, 2016
2 parents f1f9a1c + e0d9652 commit b29bab8
Showing 8 changed files with 101 additions and 111 deletions.
1 change: 1 addition & 0 deletions changelog.md
Expand Up @@ -14,6 +14,7 @@ Last changes
#1241 OTV visible more than one time
#1238 Fix for upgrade.php where mysql_result() command were still not replaced
#1235 Import from Keepass: missing items with the same title
#1229 CSRFProtector message while DUO is enabled
#1225 Unable to Access OTV Link
#1224 Fixed errors in export_to_html_format
#1211 No FA code sent from home page
55 changes: 28 additions & 27 deletions duo.load.php
Expand Up @@ -23,41 +23,42 @@
include $_SESSION['settings']['cpassman_dir'].'/includes/settings.php';


/*
/*
** This page contains the javascript call for DUOSecurity api
** It loads the expected iFrame where user gives his DUO credentials
** It sends the request to the DUO server
*/
?>
<script type="text/javascript">
$(function() {
$.getScript("./includes/libraries/Authentication/DuoSecurity/Duo-Web-v2.min.js");
$.post(
"sources/identify.php",
{
type : "identify_duo_user",
login: sanitizeString($("#login").val())
},
function(data) {
var ret = data[0].sig_request.split('|');
if (ret[0] === "ERR") {
$("#div_duo").html("ERROR " + ret[1]);
} else {
// preparing the DUO iframe
var cssLink = $("<link rel='stylesheet' type='text/css' href='./includes/libraries/Authentication/DuoSecurity/Duo-Frame.css'>");
$("head").append(cssLink);
$("#div_duo").html('<iframe id="duo_iframe" frameborder="0" data-host="<?php echo HOST; ?>" data-sig-request="'+data[0].sig_request+'"></iframe>');
$.getScript("./includes/libraries/Authentication/DuoSecurity/Duo-Web-v2.min.js");
$.post(
"sources/identify.php",
{
type : "identify_duo_user",
login: sanitizeString($("#login").val())
},
function(data) {
var ret = data[0].sig_request.split('|');
if (ret[0] === "ERR") {
$("#div_duo").html("ERROR " + ret[1]);
} else {
// preparing the DUO iframe
var cssLink = $("<link rel='stylesheet' type='text/css' href='./includes/libraries/Authentication/DuoSecurity/Duo-Frame.css'>");
$("head").append(cssLink);
$("#div_duo").html('<iframe id="duo_iframe" frameborder="0" data-host="<?php echo HOST; ?>" data-sig-request="'+data[0].sig_request+'"></iframe>');

// loading the DUO iframe
Duo.init({
'host': '<?php echo HOST; ?>',
'sig_request': data[0].sig_request
});
// loading the DUO iframe
Duo.init({
'host': '<?php echo HOST; ?>',
'sig_request': data[0].sig_request,
'post_action': "index.php?page=items&type=duo_check&"+data[0].csrfp_token+"="+data[0].csrfp_key
});

$("#duo_login").val($("#login").val());
}
},
"json"
);
$("#duo_login").val($("#login").val());
}
},
"json"
);
});
</script>
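Review bot: The `'post_action'` option in the new Duo.init() call builds the callback URL by plain concatenation, `"index.php?page=items&type=duo_check&"+data[0].csrfp_token+"="+data[0].csrfp_key`, so if the token name or value ever contains `&`, `=`, `+` or `%` PHP will parse the query differently from what csrfprotector.php expects and the DUO callback will fail its token check; wrap both with `encodeURIComponent(...)`. Carrying the CSRF token in the query string also records it in the web server's access log, the browser history and any Referer the resulting page sends, so the pairing with `refreshToken()` on successful validation (see the csrfprotector.php hunk) is what keeps it single-use — a failed callback leaves the logged token valid as far as these hunks show, which is worth a comment on this line. The `ERR` branch still writes server-supplied text into `.html()`; `.text()` is the safer choice unless markup in that message is intentional, which the identify.php side (not in this commit) would have to confirm.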
26 changes: 13 additions & 13 deletions includes/libraries/csrfp/libs/csrf/csrfprotector.php
Expand Up @@ -176,36 +176,36 @@ public static function authorizePost()
//#todo this method is valid for same origin request only,
//enable it for cross origin also sometime
//for cross origin the functionality is different
if ($_SERVER['REQUEST_METHOD'] === 'POST') {

//set request type to POST
self::$requestType = "POST";

if (!static::isURLallowed()) {

//currently for same origin only
if (!(isset($_POST[self::$config['CSRFP_TOKEN']])
if (!(isset($_GET[self::$config['CSRFP_TOKEN']])
&& isset($_SESSION[self::$config['CSRFP_TOKEN']])
&& (self::isValidToken($_POST[self::$config['CSRFP_TOKEN']]))
&& (self::isValidToken($_GET[self::$config['CSRFP_TOKEN']]))
)) {

//action in case of failed validation
self::failedValidationAction();
} else {
self::refreshToken(); //refresh token for successfull validation
}
} else if (!static::isURLallowed()) {

} else if ($_SERVER['REQUEST_METHOD'] === 'POST') {

//set request type to POST
self::$requestType = "POST";

//currently for same origin only
if (!(isset($_GET[self::$config['CSRFP_TOKEN']])
if (!(isset($_POST[self::$config['CSRFP_TOKEN']])
&& isset($_SESSION[self::$config['CSRFP_TOKEN']])
&& (self::isValidToken($_GET[self::$config['CSRFP_TOKEN']]))
&& (self::isValidToken($_POST[self::$config['CSRFP_TOKEN']]))
)) {

//action in case of failed validation
self::failedValidationAction();
} else {
self::refreshToken(); //refresh token for successfull validation
}
}
}
}

/*
Expand Down Expand Up @@ -487,7 +487,7 @@ private static function getCurrentUrl()
}
}

return $request_scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
return $request_scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
}

/*
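Review bot: Reversing the two branches of authorizePost() means any request whose URL matches a `verifyGetFor` glob is validated only against `$_GET`, even a POST that carries a valid form token, and because getCurrentUrl() now returns `REQUEST_URI` the match includes the query string, so — assuming isURLallowed() (outside this hunk) matches those globs against getCurrentUrl() — a caller can steer any endpoint into the URL-token path just by appending `page=items&type=duo_check` to it. A valid token is still required either way, so this is not a bypass, but it silently turns a form-token check into a URL-token check for every endpoint, with the usual exposure of URL tokens in logs, history and Referer. Preferring the body token when one is present keeps the relaxation limited to the DUO callback that actually needs it: `$tok = isset($_POST[self::$config['CSRFP_TOKEN']]) ? $_POST[self::$config['CSRFP_TOKEN']] : (isset($_GET[self::$config['CSRFP_TOKEN']]) ? $_GET[self::$config['CSRFP_TOKEN']] : null);` followed by `if ($tok === null || !isset($_SESSION[self::$config['CSRFP_TOKEN']]) || !self::isValidToken($tok)) {`. The PHP_SELF→REQUEST_URI change in the second hunk also alters the meaning of every existing `verifyGetFor` entry (they now see the query string), which deserves a one-line comment above the return. authorizePost()'s opening brace and isValidToken() are outside the hunk.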
2 changes: 1 addition & 1 deletion includes/libraries/csrfp/libs/csrfp.config.sample.php
Expand Up @@ -17,5 +17,5 @@
"disabledJavascriptMessage" => "This site attempts to protect users against <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\">
Cross-Site Request Forgeries </a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you.
See details of your web browser for how to enable JavaScript.",
"verifyGetFor" => array()
"verifyGetFor" => array("*page=items&type=duo_check*")
);
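Review bot: The new `verifyGetFor` glob is unanchored, and since getCurrentUrl() now returns `REQUEST_URI` (query string included) it matches any path whose URL contains `page=items&type=duo_check`, not only the index.php DUO callback; tightening it to the script as well, e.g. `"verifyGetFor" => array("*index.php*page=items&type=duo_check*")`, keeps the GET-token path confined to the one endpoint that needs it. The glob-to-pattern conversion lives in isURLallowed(), which is not in this commit, so confirm that `*` is the only wildcard it expands before relying on that form. A short comment above the entry would help the next maintainer: `// DUO Security posts its callback to index.php?page=items&type=duo_check&<token>=<value>; the CSRF token travels in the query string for that URL, so it is verified from GET there`.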
1 change: 1 addition & 0 deletions install/upgrade_ajax.php
Expand Up @@ -582,6 +582,7 @@ function tableExists($tablename, $database = false)
$newdata = str_replace('"tokenLength" => "25"', '"tokenLength" => "50"', $newdata);
$jsUrl = $_SESSION['fullurl'].'/includes/libraries/csrfp/js/csrfprotector.js';
$newdata = str_replace('"jsUrl" => ""', '"jsUrl" => "'.$jsUrl.'"', $newdata);
$newdata = str_replace('"verifyGetFor" => array()', '"verifyGetFor" => array("*page=items&type=duo_check*")', $newdata);
file_put_contents("../includes/libraries/csrfp/libs/csrfp.config.php", $newdata);


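Review bot: The added `str_replace` keys on the exact literal `"verifyGetFor" => array()`, so on an installation where the administrator has already edited that entry the replacement is a silent no-op and DUO logins keep failing the CSRF check after the upgrade, with nothing in the upgrade output to say why. Guard it on the actual requirement instead of the default text, e.g. `if (strpos($newdata, 'type=duo_check') === false) { $newdata = str_replace('"verifyGetFor" => array(', '"verifyGetFor" => array("*page=items&type=duo_check*", ', $newdata); }`, and surface a warning if the pattern is still absent before `file_put_contents()` writes the file (the verification step is presumably elsewhere in this upgrade script). The same hard-coded pattern lives in csrfp.config.sample.php; a comment here naming that coupling would save the next reader a search. The enclosing upgrade step starts and ends outside the hunk.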
10 changes: 5 additions & 5 deletions install/upgrade_run_2.1.26.php
Expand Up @@ -159,9 +159,9 @@ function tableExists($tablename, $database = false)
// check that API doesn't exist
$tmp = mysqli_fetch_row(mysqli_query($dbTmp, "SELECT COUNT(*) FROM `".$_SESSION['tbl_prefix']."users` WHERE id = '9999999'"));
if ($tmp[0] == 0 || empty($tmp[0])) {
mysqli_query($dbTmp,
"INSERT INTO `".$_SESSION['tbl_prefix']."users` (`id`, `login`, `read_only`) VALUES ('9999999', 'API', '1')"
);
mysqli_query($dbTmp,
"INSERT INTO `".$_SESSION['tbl_prefix']."users` (`id`, `login`, `read_only`) VALUES ('9999999', 'API', '1')"
);
}


Expand All @@ -180,13 +180,13 @@ function tableExists($tablename, $database = false)
// add Estonian
$tmp = mysqli_fetch_row(mysqli_query($dbTmp, "SELECT COUNT(*) FROM `".$_SESSION['tbl_prefix']."languages` WHERE name = 'estonian'"));
if ($tmp[0] == 0 || empty($tmp[0])) {
mysqli_query($dbTmp, "INSERT INTO `".$_SESSION['tbl_prefix']."languages` VALUES (null, 'estonian', 'Estonian', 'ee', 'ee.png')");
mysqli_query($dbTmp, "INSERT INTO `".$_SESSION['tbl_prefix']."languages` VALUES (null, 'estonian', 'Estonian', 'ee', 'ee.png')");
}

// remove Estonia
$tmp = mysqli_fetch_row(mysqli_query($dbTmp, "SELECT COUNT(*) FROM `".$_SESSION['tbl_prefix']."languages` WHERE name = 'estonia'"));
if ($tmp[0] == 0 || empty($tmp[0])) {
mysqli_query($dbTmp, "DELETE FROM `".$_SESSION['tbl_prefix']."languages` WHERE name = 'estonia'");
mysqli_query($dbTmp, "DELETE FROM `".$_SESSION['tbl_prefix']."languages` WHERE name = 'estonia'");
}

// ensure CSRFP config file is ready
103 changes: 43 additions & 60 deletions load.php
Expand Up @@ -257,18 +257,18 @@ function (){
);
} else if (data[0].value == "false_onetimepw") {
$("#connection_error").html("'.$LANG['bad_onetime_password'].'").show();
} else if (data[0].pwd_attempts >=3 ||data[0].error == "bruteforce_wait") {
// now user needs to wait 10 secs before new passwd
$("#connection_error").html("'.$LANG['error_bad_credentials_more_than_3_times'].'").show();
} else if (data[0].pwd_attempts >=3 ||data[0].error == "bruteforce_wait") {
// now user needs to wait 10 secs before new passwd
$("#connection_error").html("'.$LANG['error_bad_credentials_more_than_3_times'].'").show();
} else if (data[0].error == "bad_credentials") {
$("#connection_error").html("'.$LANG['error_bad_credentials'].'").show();
} else if (data[0].error == "ga_code_wrong") {
$("#connection_error").html("'.$LANG['ga_bad_code'].'").show();
} else {
$("#connection_error").html("'.$LANG['error_bad_credentials'].'").show();
}
$("#ajax_loader_connexion").hide();
$("#ajax_loader_connexion").hide();
},
"json"
);
Expand Down Expand Up @@ -430,7 +430,7 @@ function refreshListLastSeenItems()
key : "'.$_SESSION["key"].'"
},
function(data) {
data = $.parseJSON(data);
data = $.parseJSON(data);
//check if format error
if (data.error == "") {
if (data.text == null) {
Expand All @@ -440,10 +440,10 @@ function(data) {
}
// rebuild menu
$("#menu_last_seen_items").menu("refresh");
// show notification
if (data.existing_suggestions != 0) {
blink("#menu_button_suggestion", -1, 500, "ui-state-error");
}
// show notification
if (data.existing_suggestions != 0) {
blink("#menu_button_suggestion", -1, 500, "ui-state-error");
}
} else {
$("#main_info_box_text").html(data.error);
setTimeout(function(){$("#main_info_box").effect( "fade", "slow" );}, 1000);
Expand All @@ -455,25 +455,7 @@ function(data) {
// DUO box - identification
function loadDuoDialog()
{
/*
// save data connection
$.post(
"sources/identify.php",
{
type : "store_data_in_cookie",
data : prepareExchangedData($("#duo_data").val(), "encode", "'.$_SESSION['key'].'>"),
key : "'.$_SESSION['key'].'"
},
function(data) {
if (data[0].error == "something_wrong") {
}
},
"json"
);
*/
// show dialog
// show dialog
$("#dialog_duo").dialog({
width: 600,
height: 500,
Expand All @@ -496,6 +478,7 @@ function loadDuoDialogWait()
title: "DUO Security - please wait ..."
}).dialog("open");
}
function ChangeMyPass()
{
if ($("#new_pw").val() != "" && $("#new_pw").val() == $("#new_pw2").val()) {
Expand Down Expand Up @@ -608,7 +591,7 @@ function(data) {
$("#main *, #footer *, #icon_last_items *, #top *, button, .tip").tooltipster({
maxWidth: 400,
contentAsHTML: true,
multiple: true
multiple: true
});
$("#user_session").val(sessionStorage.password);
Expand Down Expand Up @@ -715,7 +698,7 @@ function() {
title: "'.$LANG['home_personal_saltkey_label'].'",
open: function( event, ui ) {
$("#input_personal_saltkey").val("'.addslashes(str_replace("&quot;", '"', $_SESSION['my_sk'])).'");
console.log("'.addslashes(str_replace("&quot;", '"', $_SESSION['my_sk'])).'");
console.log("'.addslashes(str_replace("&quot;", '"', $_SESSION['my_sk'])).'");
},
buttons: {
"'.$LANG['save_button'].'": function() {
Expand Down Expand Up @@ -768,7 +751,7 @@ function(data) {
$("#div_change_personal_saltkey_wait").show();
var data_to_share = "{\"sk\":\"" + sanitizeString($("#new_personal_saltkey").val()) + "\", \"old_sk\":\"" + sanitizeString($("#old_personal_saltkey").val()) + "\"}";
$("#div_change_personal_saltkey_wait_progress").html(" 0%");
$("#div_change_personal_saltkey_wait_progress").html(" 0%");
//Send query
$.post(
Expand Down Expand Up @@ -946,8 +929,8 @@ function getSelectedValue(id)
});
$("#new_pw").bind({
"score.simplePassMeter" : function(jQEvent, score) {
$("#pw_strength_value").val(score);
}
$("#pw_strength_value").val(score);
}
}).change({
"score.simplePassMeter" : function(jQEvent, score) {
$("#pw_strength_value").val(score);
Expand All @@ -957,32 +940,32 @@ function getSelectedValue(id)
// get list of last items
refreshListLastSeenItems();
// prevent usage of symbols in Personal saltkey
$(".text_without_symbols").bind("keydown", function (event) {
switch (event.keyCode) {
case 8: // Backspace
case 9: // Tab
case 13: // Enter
case 37: // Left
case 38: // Up
case 39: // Right
case 40: // Down
break;
default:
var regex = new RegExp("^[a-zA-Z0-9.,/#&$@()%*]+$");
var key = event.key;
if (!regex.test(key)) {
$("#set_personal_saltkey_warning").html("'.addslashes($LANG['character_not_allowed']).'").stop(true,true).show().fadeOut(1000);
event.preventDefault();
return false;
}
if (key !== "Alt" && key !== "Control" && key !== "Shift") $("#set_personal_saltkey_last_letter").html(key).stop(true,true).show().fadeOut(1400);
break;
}
}).bind("paste",function(e){
$("#set_personal_saltkey_warning").html("'.addslashes($LANG['error_not_allowed_to']).'").stop(true,true).show().fadeOut(1000);
e.preventDefault();
});
// prevent usage of symbols in Personal saltkey
$(".text_without_symbols").bind("keydown", function (event) {
switch (event.keyCode) {
case 8: // Backspace
case 9: // Tab
case 13: // Enter
case 37: // Left
case 38: // Up
case 39: // Right
case 40: // Down
break;
default:
var regex = new RegExp("^[a-zA-Z0-9.,/#&$@()%*]+$");
var key = event.key;
if (!regex.test(key)) {
$("#set_personal_saltkey_warning").html("'.addslashes($LANG['character_not_allowed']).'").stop(true,true).show().fadeOut(1000);
event.preventDefault();
return false;
}
if (key !== "Alt" && key !== "Control" && key !== "Shift") $("#set_personal_saltkey_last_letter").html(key).stop(true,true).show().fadeOut(1400);
break;
}
}).bind("paste",function(e){
$("#set_personal_saltkey_warning").html("'.addslashes($LANG['error_not_allowed_to']).'").stop(true,true).show().fadeOut(1000);
e.preventDefault();
});
setTimeout(function() { NProgress.done(); $(".fade").removeClass("out"); }, 1000);
});';
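Review bot: The re-indented `open:` handler of the personal-saltkey dialog still carries `console.log("'.addslashes(str_replace("&quot;", '"', $_SESSION['my_sk'])).'");`, a debug leftover that prints the user's saltkey into the browser console where devtools, console-capturing extensions and screen-shares can read it; delete that line. The same value is embedded in inline JavaScript with `addslashes()`, which does not escape `</script>` or line terminators, so `json_encode()` (or a data attribute read by the script) is the correct JS-context escaping — the keydown/paste filter in the last hunk restricts the saltkey alphabet only on the client, so the server cannot rely on it. The dialog definition and the `open:` handler start and end outside the hunk.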

