pwd. Sets user if applicable, returns bool * */ function yourls_check_username_password() { global $yourls_user_passwords; if( isset( $yourls_user_passwords[ $_REQUEST['username'] ] ) && yourls_check_password_hash( $_REQUEST['username'], $_REQUEST['password'] ) ) { yourls_set_user( $_REQUEST['username'] ); return true; } return false; } /** * Check a submitted password sent in plain text against stored password which can be a salted hash * */ function yourls_check_password_hash( $user, $submitted_password ) { global $yourls_user_passwords; if( !isset( $yourls_user_passwords[ $user ] ) ) return false; if ( yourls_has_phpass_password( $user ) ) { // Stored password is hashed with phpass list( , $hash ) = explode( ':', $yourls_user_passwords[ $user ] ); $hash = str_replace( '!', '$', $hash ); return ( yourls_phpass_check( $submitted_password, $hash ) ); } else if( yourls_has_md5_password( $user ) ) { // Stored password is a salted md5 hash: "md5:<$r = rand(10000,99999)>:" list( , $salt, ) = explode( ':', $yourls_user_passwords[ $user ] ); return( $yourls_user_passwords[ $user ] == 'md5:'.$salt.':'.md5( $salt . $submitted_password ) ); } else { // Password stored in clear text return( $yourls_user_passwords[ $user ] == $submitted_password ); } } /** * Overwrite plaintext passwords in config file with phpassed versions. * * @since 1.7 * @param string $config_file Full path to file * @return true if overwrite was successful, an error message otherwise */ function yourls_hash_passwords_now( $config_file ) { if( !is_readable( $config_file ) ) return 'cannot read file'; // not sure that can actually happen... if( !is_writable( $config_file ) ) return 'cannot write file'; // Include file to read value of $yourls_user_passwords // Temporary suppress error reporting to avoid notices about redeclared constants $errlevel = error_reporting(); error_reporting( 0 ); require $config_file; error_reporting( $errlevel ); $configdata = file_get_contents( $config_file ); if( $configdata == false ) return 'could not read file'; $to_hash = 0; // keep track of number of passwords that need hashing foreach ( $yourls_user_passwords as $user => $password ) { if ( !yourls_has_phpass_password( $user ) && !yourls_has_md5_password( $user ) ) { $to_hash++; $hash = yourls_phpass_hash( $password ); // PHP would interpret $ as a variable, so replace it in storage. $hash = str_replace( '$', '!', $hash ); $quotes = "'" . '"'; $pattern = "/[$quotes]${user}[$quotes]\s*=>\s*[$quotes]" . preg_quote( $password, '/' ) . "[$quotes]/"; $replace = "'$user' => 'phpass:$hash' /* Password encrypted by YOURLS */ "; $count = 0; $configdata = preg_replace( $pattern, $replace, $configdata, -1, $count ); // There should be exactly one replacement. Otherwise, fast fail. if ( $count != 1 ) { yourls_debug_log( "Problem with preg_replace for password hash of user $user" ); return 'preg_replace problem'; } } } if( $to_hash == 0 ) return 0; // There was no password to encrypt $success = file_put_contents( $config_file, $configdata ); if ( $success === FALSE ) { yourls_debug_log( 'Failed writing to ' . $config_file ); return 'could not write file'; } return true; } /** * Hash a password using phpass * * @since 1.7 * @param string $password password to hash * @return string hashed password */ function yourls_phpass_hash( $password ) { $hasher = yourls_phpass_instance(); return $hasher->HashPassword( $password ); } /** * Check a clear password against a phpass hash * * @since 1.7 * @param string $password clear (eg submitted in a form) password * @param string $hash hash supposedly generated by phpass * @return bool true if the hash matches the password once hashed by phpass, false otherwise */ function yourls_phpass_check( $password, $hash ) { $hasher = yourls_phpass_instance(); return $hasher->CheckPassword( $password, $hash ); } /** * Helper function: create new instance or return existing instance of phpass class * * @since 1.7 * @param int $iteration iteration count - 8 is default in phpass * @param bool $portable flag to force portable (cross platform and system independant) hashes - false to use whatever the system can do best * @return object a PasswordHash instance */ function yourls_phpass_instance( $iteration = 8, $portable = false ) { $iteration = yourls_apply_filter( 'phpass_new_instance_iteration', $iteration ); $portable = yourls_apply_filter( 'phpass_new_instance_portable', $portable ); if( !class_exists( 'PasswordHash' ) ) { require_once( YOURLS_INC.'/phpass/PasswordHash.php' ); } static $instance = false; if( $instance == false ) { $instance = new PasswordHash( $iteration, $portable ); } return $instance; } /** * Check to see if any passwords are stored as cleartext. * * @since 1.7 * @return bool true if any passwords are cleartext */ function yourls_has_cleartext_passwords() { global $yourls_user_passwords; foreach ( $yourls_user_passwords as $user => $pwdata ) { if ( !yourls_has_md5_password( $user ) && !yourls_has_phpass_password( $user ) ) { return true; } } return false; } /** * Check if a user has a hashed password * * Check if a user password is 'md5:[38 chars]'. * TODO: deprecate this when/if we have proper user management with password hashes stored in the DB * * @since 1.7 * @param string $user user login * @return bool true if password hashed, false otherwise */ function yourls_has_md5_password( $user ) { global $yourls_user_passwords; return( isset( $yourls_user_passwords[ $user ] ) && substr( $yourls_user_passwords[ $user ], 0, 4 ) == 'md5:' && strlen( $yourls_user_passwords[ $user ] ) == 42 // http://www.google.com/search?q=the+answer+to+life+the+universe+and+everything ); } /** * Check if a user's password is hashed with PHPASS. * * Check if a user password is 'phpass:[lots of chars]'. * TODO: deprecate this when/if we have proper user management with password hashes stored in the DB * * @since 1.7 * @param string $user user login * @return bool true if password hashed with PHPASS, otherwise false */ function yourls_has_phpass_password( $user ) { global $yourls_user_passwords; return( isset( $yourls_user_passwords[ $user ] ) && substr( $yourls_user_passwords[ $user ], 0, 7 ) == 'phpass:' ); } /** * Check auth against encrypted COOKIE data. Sets user if applicable, returns bool * */ function yourls_check_auth_cookie() { global $yourls_user_passwords; foreach( $yourls_user_passwords as $valid_user => $valid_password ) { if ( yourls_salt( $valid_user ) == $_COOKIE[ yourls_cookie_name() ] ) { yourls_set_user( $valid_user ); return true; } } return false; } /** * Check auth against signature and timestamp. Sets user if applicable, returns bool * * * @since 1.4.1 * @return bool False if signature or timestamp missing or invalid, true if valid */ function yourls_check_signature_timestamp() { if( !isset( $_REQUEST['signature'] ) OR empty( $_REQUEST['signature'] ) OR !isset( $_REQUEST['timestamp'] ) OR empty( $_REQUEST['timestamp'] ) ) return false; // Timestamp in PHP : time() // Timestamp in JS: parseInt(new Date().getTime() / 1000) // Check signature & timestamp against all possible users global $yourls_user_passwords; foreach( $yourls_user_passwords as $valid_user => $valid_password ) { if ( ( md5( $_REQUEST['timestamp'].yourls_auth_signature( $valid_user ) ) == $_REQUEST['signature'] or md5( yourls_auth_signature( $valid_user ).$_REQUEST['timestamp'] ) == $_REQUEST['signature'] ) && yourls_check_timestamp( $_REQUEST['timestamp'] ) ) { yourls_set_user( $valid_user ); return true; } } // Signature doesn't match known user return false; } /** * Check auth against signature. Sets user if applicable, returns bool * * @since 1.4.1 * @return bool False if signature missing or invalid, true if valid */ function yourls_check_signature() { if( !isset( $_REQUEST['signature'] ) OR empty( $_REQUEST['signature'] ) ) return false; // Check signature against all possible users global $yourls_user_passwords; foreach( $yourls_user_passwords as $valid_user => $valid_password ) { if ( yourls_auth_signature( $valid_user ) == $_REQUEST['signature'] ) { yourls_set_user( $valid_user ); return true; } } // Signature doesn't match known user return false; } /** * Generate secret signature hash * */ function yourls_auth_signature( $username = false ) { if( !$username && defined('YOURLS_USER') ) { $username = YOURLS_USER; } return ( $username ? substr( yourls_salt( $username ), 0, 10 ) : 'Cannot generate auth signature: no username' ); } /** * Check if timestamp is not too old * */ function yourls_check_timestamp( $time ) { $now = time(); // Allow timestamp to be a little in the future or the past -- see Issue 766 return yourls_apply_filter( 'check_timestamp', abs( $now - $time ) < YOURLS_NONCE_LIFE, $time ); } /** * Store new cookie. No $user will delete the cookie. * */ function yourls_store_cookie( $user = null ) { if( !$user ) { $pass = null; $time = time() - 3600; } else { global $yourls_user_passwords; if( isset($yourls_user_passwords[$user]) ) { $pass = $yourls_user_passwords[$user]; } else { die( 'Stealing cookies?' ); // This should never happen } $time = time() + YOURLS_COOKIE_LIFE; } $domain = yourls_apply_filter( 'setcookie_domain', parse_url( YOURLS_SITE, 1 ) ); $secure = yourls_apply_filter( 'setcookie_secure', yourls_is_ssl() ); $httponly = yourls_apply_filter( 'setcookie_httponly', true ); // Some browsers refuse to store localhost cookie if ( $domain == 'localhost' ) $domain = ''; if ( !headers_sent( $filename, $linenum ) ) { // Set httponly if the php version is >= 5.2.0 if( version_compare( phpversion(), '5.2.0', 'ge' ) ) { setcookie( yourls_cookie_name(), yourls_salt( $user ), $time, '/', $domain, $secure, $httponly ); } else { setcookie( yourls_cookie_name(), yourls_salt( $user ), $time, '/', $domain, $secure ); } } else { // For some reason cookies were not stored: action to be able to debug that yourls_do_action( 'setcookie_failed', $user ); yourls_debug_log( "Could not store cookie: headers already sent in $filename on line $linenum" ); } } /** * Set user name * */ function yourls_set_user( $user ) { if( !defined( 'YOURLS_USER' ) ) define( 'YOURLS_USER', $user ); } /** * Get YOURLS cookie name * * The name is unique for each install, to prevent mismatch between sho.rt and very.sho.rt -- see #1673 * * TODO: when multi user is implemented, the whole cookie stuff should be reworked to allow storing multiple users * * @since 1.7.1 * @return string unique cookie name for a given YOURLS site */ function yourls_cookie_name() { return 'yourls_' . yourls_salt( YOURLS_SITE ); }