Added feature #11016: Implement RSA authentication for BE and FE -- part 2 (fix hard...
[Packages/TYPO3.CMS.git] / typo3 / index.php
old mode 100755 (executable)
new mode 100644 (file)
index b0cd564..8728651
@@ -2,7 +2,7 @@
 /***************************************************************
 *  Copyright notice
 *
-*  (c) 1999-2008 Kasper Skaarhoj (kasperYYYY@typo3.com)
+*  (c) 1999-2009 Kasper Skaarhoj (kasperYYYY@typo3.com)
 *  All rights reserved
 *
 *  This script is part of the TYPO3 project. The TYPO3 project is
@@ -119,39 +119,49 @@ class SC_index {
         * @return      void
         */
        function init() {
-               global $BE_USER,$TYPO3_CONF_VARS;
+               // We need a PHP session session for most login levels
+               session_start();
 
-                       // GPvars:
                $this->redirect_url = t3lib_div::_GP('redirect_url');
                $this->GPinterface = t3lib_div::_GP('interface');
 
-               if(t3lib_div::getIndpEnv('TYPO3_SSL'))  {       // For security reasons this feature only works if SSL is used
-                       $this->u = t3lib_div::_GP('u');         // preset username
-                       $this->p = t3lib_div::_GP('p');         // preset password
+                       // Grabbing preset username and password, for security reasons this feature only works if SSL is used
+               if (t3lib_div::getIndpEnv('TYPO3_SSL')) {
+                       $this->u = t3lib_div::_GP('u');
+                       $this->p = t3lib_div::_GP('p');
                }
-               $this->L = t3lib_div::_GP('L');                         // If "L" is "OUT", then any logged in used is logged out. If redirect_url is given, we redirect to it
-               $this->loginRefresh = t3lib_div::_GP('loginRefresh');   // Login
-               $this->commandLI = t3lib_div::_GP('commandLI');         // Value of "Login" button. If set, the login button was pressed.
+
+                       // If "L" is "OUT", then any logged in is logged out. If redirect_url is given, we redirect to it
+               $this->L = t3lib_div::_GP('L');
+
+                       // Login
+               $this->loginRefresh = t3lib_div::_GP('loginRefresh');
+
+                       // Value of "Login" button. If set, the login button was pressed.
+               $this->commandLI = t3lib_div::_GP('commandLI');
 
                        // sets the level of security from conf vars
-               if ($TYPO3_CONF_VARS['BE']['loginSecurityLevel']) {
-                       $this->loginSecurityLevel = $TYPO3_CONF_VARS['BE']['loginSecurityLevel'];
+               if ($GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel']) {
+                       $this->loginSecurityLevel = $GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel'];
                }
 
-                       // Getting login labels:
-               $this->L_vars = explode('|',$TYPO3_CONF_VARS['BE']['loginLabels']);
+                       // Getting login labels
+               $this->L_vars = explode('|', $GLOBALS['TYPO3_CONF_VARS']['BE']['loginLabels']);
 
-                       // Setting the redirect URL to "backend.php" if no alternative input is given:
+                       // Setting the redirect URL to "backend.php" if no alternative input is given
                $this->redirectToURL = $this->redirect_url ? $this->redirect_url : 'backend.php';
 
-                       // Logout?
-               if ($this->L=='OUT' && is_object($BE_USER))     {
-                       $BE_USER->logoff();
-                       if ($this->redirect_url)        header('Location: '.t3lib_div::locationHeaderUrl($this->redirect_url));
+                       // Do a logout if the command is set
+               if ($this->L == 'OUT' && is_object($GLOBALS['BE_USER'])) {
+                       $GLOBALS['BE_USER']->logoff();
+                       if ($this->redirect_url) {
+                               header('Location: '.t3lib_div::locationHeaderUrl($this->redirect_url));
+                       }
                        exit;
                }
        }
 
+
        /**
         * Main function - creating the login/logout form
         *
@@ -161,8 +171,8 @@ class SC_index {
                global $TBE_TEMPLATE, $TYPO3_CONF_VARS, $BE_USER;
 
                        // Initialize template object:
-               $TBE_TEMPLATE->docType='xhtml_trans';
                $TBE_TEMPLATE->bodyTagAdditions = ' onload="startUp();"';
+               $TBE_TEMPLATE->moduleTemplate = $TBE_TEMPLATE->getHtmlTemplate('templates/login.html');
 
                        // Set JavaScript for creating a MD5 hash of the password:
                $TBE_TEMPLATE->JScode.= $this->getJScode();
@@ -175,7 +185,7 @@ class SC_index {
                $this->makeInterfaceSelectorBox();
 
                        // Replace an optional marker in the "Administration Login" label
-               $this->L_vars[6] = str_replace("###SITENAME###",$TYPO3_CONF_VARS['SYS']['sitename'],$this->L_vars[6]);
+               $this->L_vars[6] = str_replace("###SITENAME###", $TYPO3_CONF_VARS['SYS']['sitename'], $this->L_vars[6]);
 
                        // Creating form based on whether there is a login or not:
                if (!$BE_USER->user['uid'])     {
@@ -195,18 +205,10 @@ class SC_index {
                        // Add login form:
                $this->content.=$this->wrapLoginForm($loginForm);
 
-                       // Create a random challenge string
-               $challenge = $this->getChallenge();
+                       // Add hidden fields and end the page
+               $this->content .= $this->getHiddenFields();
 
-                       // Save challenge value in session data (thanks to Bernhard Kraft for providing code):
-               session_start();
-               $_SESSION['login_challenge'] = $challenge;
-
-                       // Add hidden fields:
-               $this->content.= $this->getHiddenFields($challenge);
-
-                       // End page:
-               $this->content.=$TBE_TEMPLATE->endPage();
+               $this->content.= $TBE_TEMPLATE->endPage();
        }
 
        /**
@@ -218,13 +220,6 @@ class SC_index {
                echo $this->content;
        }
 
-
-
-
-
-
-
-
        /*****************************
         *
         * Various functions
@@ -238,144 +233,102 @@ class SC_index {
         * @return      string          HTML output
         */
        function makeLoginForm()        {
+               $content = t3lib_parsehtml::getSubpart($GLOBALS['TBE_TEMPLATE']->moduleTemplate, '###LOGIN_FORM###');
+               $markers = array(
+                       'HEADLINE'       => $this->L_vars[6],
+                       'LABEL_USERNAME' => $this->L_vars[0],
+                       'LABEL_PASSWORD' => $this->L_vars[1],
+                       'VALUE_USERNAME' => $this->u,
+                       'VALUE_PASSWORD' => $this->p,
+                       'VALUE_SUBMIT'   => $this->L_vars[3],
+                       'INFO'           => $this->L_vars[7],
+               );
+
+                       // show an error message if the login command was successful already
+               if (!$this->commandLI) {
+                       $content = t3lib_parsehtml::substituteSubpart($content, '###LOGIN_ERROR###', '');
+               } else {
+                       $markers['ERROR_MESSAGE'] = $this->L_vars[9];
+               }
 
-                       // There must be no white-spaces outside of the tags (needed for buggy IE)
-               $content.=                              '<!--
-                                                               Login form:
-                                                       --><table cellspacing="0" cellpadding="0" border="0" id="logintable">
-                                                                       <tr>
-                                                                               <td colspan="2"><h2>'.htmlspecialchars($this->L_vars[6]).'</h2></td>
-                                                                       </tr>'.($this->commandLI ? '
-                                                                       <tr class="c-wrong">
-                                                                               <td colspan="2"><p class="c-wrong">'.htmlspecialchars($this->L_vars[9]).'</p></td>
-                                                                       </tr>' : '').'
-                                                                       <tr class="c-username">
-                                                                               <td><label for="username" class="c-username">'.htmlspecialchars($this->L_vars[0]).':</label></td>
-                                                                               <td><input type="text" id="username" name="username" value="'.htmlspecialchars($this->u).'" class="c-username" /></td>
-                                                                       </tr>
-                                                                       <tr class="c-password">
-                                                                               <td><label for="password" class="c-password">'.htmlspecialchars($this->L_vars[1]).':</label></td>
-                                                                               <td><input type="password" id="password" name="p_field" value="'.htmlspecialchars($this->p).'" class="c-password" /></td>
-                                                                       </tr>'.($this->interfaceSelector && !$this->loginRefresh ? '
-                                                                       <tr class="c-interfaceselector">
-                                                                               <td><label for="interfaceselector" class="c-interfaceselector">'.htmlspecialchars($this->L_vars[2]).':</label></td>
-                                                                               <td>'.$this->interfaceSelector.'</td>
-                                                                       </tr>' : '' ).'
-                                                                       <tr class="c-submit">
-                                                                               <td></td>
-                                                                               <td><input type="submit" name="commandLI" value="'.htmlspecialchars($this->L_vars[3]).'" class="c-submit" /></td>
-                                                                       </tr>
-                                                                       <tr class="c-info">
-                                                                               <td colspan="2"><p class="c-info">'.htmlspecialchars($this->L_vars[7]).'</p></td>
-                                                                       </tr>
-                                                               </table>';
+                       // HSC all output
+               foreach ($markers as &$marker) {
+                       $marker = htmlspecialchars($marker);
+               }
 
-                       // Return content:
-               return $content;
+
+                       // remove the interface selector markers if it's not available
+               if (!($this->interfaceSelector && !$this->loginRefresh)) {
+                       $content = t3lib_parsehtml::substituteSubpart($content, '###INTERFACE_SELECTOR###', '');
+               } else {
+                       $markers['LABEL_INTERFACE'] = htmlspecialchars($this->L_vars[2]);
+                       $markers['VALUE_INTERFACE'] = $this->interfaceSelector_jump;
+               }
+
+               return t3lib_parsehtml::substituteMarkerArray($content, $markers, '###|###');
        }
 
+
        /**
         * Creates the logout form
         * This is drawn if a user login already exists.
         *
         * @return      string          HTML output
         */
-       function makeLogoutForm()       {
-               global $BE_USER;
-
-               $content.= '
-
-                                                       <!--
-                                                               Login form:
-                                                       -->
-                                                       <table cellspacing="0" cellpadding="0" border="0" id="logintable">
-                                                                       <tr>
-                                                                               <td></td>
-                                                                               <td><h2>'.htmlspecialchars($this->L_vars[6]).'</h2></td>
-                                                                       </tr>
-                                                                       <tr class="c-username">
-                                                                               <td><p class="c-username">'.htmlspecialchars($this->L_vars[0]).':</p></td>
-                                                                               <td><p class="c-username-current">'.htmlspecialchars($BE_USER->user['username']).'</p></td>
-                                                                       </tr>'.($this->interfaceSelector_jump ? '
-                                                                       <tr class="c-interfaceselector">
-                                                                               <td><p class="c-interfaceselector">'.htmlspecialchars($this->L_vars[2]).':</p></td>
-                                                                               <td>'.$this->interfaceSelector_jump.'</td>
-                                                                       </tr>' : '' ).'
-                                                                       <tr class="c-submit">
-                                                                               <td><input type="hidden" name="p_field" value="" /></td>
-                                                                               <td><input type="submit" name="commandLO" value="'.htmlspecialchars($this->L_vars[4]).'" class="c-submit" /></td>
-                                                                       </tr>
-                                                                       <tr class="c-info">
-                                                                               <td></td>
-                                                                               <td><p class="c-info">'.htmlspecialchars($this->L_vars[7]).'</p></td>
-                                                                       </tr>
-                                                               </table>';
+       function makeLogoutForm() {
+               $content = t3lib_parsehtml::getSubpart($GLOBALS['TBE_TEMPLATE']->moduleTemplate, '###LOGOUT_FORM###');
+               $markers = array(
+                       'HEADLINE'       => $this->L_vars[6],
+                       'LABEL_USERNAME' => $this->L_vars[0],
+                       'VALUE_USERNAME' => $GLOBALS['BE_USER']->user['username'],
+                       'VALUE_SUBMIT'   => $this->L_vars[4],
+                       'INFO'           => $this->L_vars[7],
+               );
+
+                       // HSC all output
+               foreach ($markers as &$marker) {
+                       $marker = htmlspecialchars($marker);
+               }
 
-                       // Return content:
-               return $content;
+                       // remove the interface selector markers if it's not available
+               if (!$this->interfaceSelector_jump) {
+                       $content = t3lib_parsehtml::substituteSubpart($content, '###INTERFACE_SELECTOR###', '');
+               } else {
+                       $markers['LABEL_INTERFACE'] = htmlspecialchars($this->L_vars[2]);
+                       $markers['VALUE_INTERFACE'] = $this->interfaceSelector_jump;
+               }
+
+               return t3lib_parsehtml::substituteMarkerArray($content, $markers, '###|###');
        }
 
+
        /**
         * Wrapping the login form table in another set of tables etc:
         *
         * @param       string          HTML content for the login form
         * @return      string          The HTML for the page.
         */
-       function wrapLoginForm($content)        {
-
-                       // Logo:
-               $logo = $GLOBALS['TBE_STYLES']['logo_login'] ?
-                                       '<img src="'.htmlspecialchars($GLOBALS['BACK_PATH'].$GLOBALS['TBE_STYLES']['logo_login']).'" alt="" />' :
-                                       '<img'.t3lib_iconWorks::skinImg($GLOBALS['BACK_PATH'],'gfx/typo3logo.gif','width="123" height="34"').' alt="" />';
-
-                       // Login box image:
-               $loginboxImage = $this->makeLoginBoxImage();
-
-                       // Compile the page content:
-               $content='
-
-               <!--
-                       Wrapper table for the login form:
-               -->
-               <table cellspacing="0" cellpadding="0" border="0" id="wrapper">
-                       <tr>
-                               <td class="c-wrappercell" align="center">
-
-                                       <!--
-                                               Login form image:
-                                       -->
-                                       <div id="loginimage">
-                                                                                       '.$logo.'
-                                       </div>
-
-                                       <!--
-                                               Login form wrapper:
-                                       -->
-                                       <table cellspacing="0" cellpadding="0" border="0" id="loginwrapper">
-                                               <tr>
-                                                       <td'.($this->commandLI ? ' class="error"' : '').'>'.$loginboxImage.
-                                                               $content.'
-                                                       </td>
-                                               </tr>
-                                       </table>
-
-                                       '.$this->makeLoginNews().'
-                                       <!--
-                                               Copyright notice:
-                                       -->
-                                       <div id="copyrightnotice">
-                                               '.$this->makeCopyrightNotice().'
-                                       </div>
-
+       function wrapLoginForm($content) {
+               $mainContent = t3lib_parsehtml::getSubpart($GLOBALS['TBE_TEMPLATE']->moduleTemplate, '###PAGE###');
 
-                               </td>
-                       </tr>
-               </table>';
+               if ($GLOBALS['TBE_STYLES']['logo_login']) {
+                       $logo = '<img src="'.htmlspecialchars($GLOBALS['BACK_PATH'] . $GLOBALS['TBE_STYLES']['logo_login']) . '" alt="" />';
+               } else {
+                       $logo = '<img'.t3lib_iconWorks::skinImg($GLOBALS['BACK_PATH'],'gfx/typo3logo.gif','width="123" height="34"').' alt="" />';
+               }
 
-                       // Return content:
-               return $content;
+               $markers = array(
+                       'LOGO'           => $logo,
+                       'LOGINBOX_IMAGE' => $this->makeLoginBoxImage(),
+                       'FORM'           => $content,
+                       'NEWS'           => $this->makeLoginNews(),
+                       'COPYRIGHT'      => $this->makeCopyrightNotice(),
+                       'CSS_ERRORCLASS' => ($this->commandLI ? ' class="error"' : ''),
+               );
+               return t3lib_parsehtml::substituteMarkerArray($mainContent, $markers, '###|###');
        }
 
+
        /**
         * Checking, if we should perform some sort of redirection OR closing of windows.
         *
@@ -389,7 +342,7 @@ class SC_index {
                if ($BE_USER->user['uid'] && ($this->commandLI || $this->loginRefresh || !$this->interfaceSelector))    {
 
                                // If no cookie has been set previously we tell people that this is a problem. This assumes that a cookie-setting script (like this one) has been hit at least once prior to this instance.
-                       if (!$_COOKIE[$BE_USER->name])  {
+                       if (!$_COOKIE[$BE_USER->name]) {
                                if ($this->commandLI=='setCookie') {
                                                // we tried it a second time but still no cookie
                                                // 26/4 2005: This does not work anymore, because the saving of challenge values in $_SESSION means the system will act as if the password was wrong.
@@ -401,10 +354,10 @@ class SC_index {
                                }
                        }
 
-                       if ($redirectToURL = (string)$BE_USER->getTSConfigVal('auth.BE.redirectToURL')) {
+                       if (($redirectToURL = (string)$BE_USER->getTSConfigVal('auth.BE.redirectToURL'))) {
                                $this->redirectToURL = $redirectToURL;
                                $this->GPinterface = '';
-                       }
+                       }
 
                                // store interface
                        $BE_USER->uc['interfaceSetup'] = $this->GPinterface;
@@ -623,122 +576,99 @@ class SC_index {
        function startForm()    {
                $output = '';
 
-               if ($this->loginSecurityLevel == 'challenged') {
-                       $output.= '
-                               <form action="index.php" method="post" name="loginform" onsubmit="doChallengeResponse(0);">
-                               ';
-               } elseif ($this->loginSecurityLevel == 'normal') {
-                       $output.= '
-                               <form action="index.php" method="post" name="loginform" onsubmit="document.loginform.userident.value=document.loginform.p_field.value;document.loginform.p_field.value=\'\';return true;">
-                               ';
-               } else { // if ($this->loginSecurityLevel == 'superchallenged') {
-                       $output.= '
-                               <form action="index.php" method="post" name="loginform" onsubmit="doChallengeResponse(1);">
-                               ';
+               // The form defaults to 'no login'. This prevents plain
+               // text logins to the Backend. The 'sv' extension changes the form to
+               // use superchallenged method and rsaauth extension makes rsa authetication.
+               $form = '<form action="index.php" method="post" name="loginform" ' .
+                               'onsubmit="alert(\'No authentication methods available. Please, ' .
+                               'contact your TYPO3 administrator.\');return false">';
+
+               // Call hooks. If they do not return anything, we fail to login
+               if (is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/index.php']['loginFormHook'])) {
+                       foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/index.php']['loginFormHook'] as $function) {
+                               $params = array();
+                               $formCode = t3lib_div::callUserFunction($function, $params, $this);
+                               if ($formCode) {
+                                       $form = $formCode;
+                                       break;
+                               }
+                       }
                }
 
-               $output.= '
-                                       <input type="hidden" name="login_status" value="login" />
-                               ';
+               $output .= $form .
+                       '<input type="hidden" name="login_status" value="login" />' .
+                       '<input type="hidden" name="userident" value="" />' .
+                       '<input type="hidden" name="redirect_url" value="'.htmlspecialchars($this->redirectToURL).'" />' .
+                       '<input type="hidden" name="loginRefresh" value="'.htmlspecialchars($this->loginRefresh).'" />' .
+                       $this->interfaceSelector_hidden . $this->addFields_hidden;
 
                return $output;
        }
 
        /**
-        * Output some hidden fields at the end of the login form
+        * Outputs an empty string. This function is obsolete and kept for the
+        * compatibility only.
         *
-        * @param       string          The challenge string to be included in the output
+        * @param       string  $unused Unused
         * @return      string          HTML output
         */
-       function getHiddenFields($challenge)    {
-               $output = '
-                       <input type="hidden" name="userident" value="" />
-                       <input type="hidden" name="challenge" value="'.$challenge.'" />
-                       <input type="hidden" name="redirect_url" value="'.htmlspecialchars($this->redirectToURL).'" />
-                       <input type="hidden" name="loginRefresh" value="'.htmlspecialchars($this->loginRefresh).'" />
-                       '.$this->interfaceSelector_hidden.'
-                       '.$this->addFields_hidden.'
-                       ';
-
-               return $output;
+       function getHiddenFields($unused = '') {
+               return '';
        }
 
        /**
-        * Set JavaScript for creating a MD5 hash of the password
+        * Creates JavaScript for the login form
         *
         * @return      string          JavaScript code
         */
        function getJScode()    {
-               global $TBE_TEMPLATE;
-
-               $JScode = '
-                       <script type="text/javascript" src="md5.js"></script>
-                       '.$TBE_TEMPLATE->wrapScriptTags('
-                               function doChallengeResponse(superchallenged) { //
-                                       password = document.loginform.p_field.value;
-                                       if (password)   {
-                                               if (superchallenged)    {
-                                                       password = MD5(password);       // this makes it superchallenged!!
-                                               }
-                                               str = document.loginform.username.value+":"+password+":"+document.loginform.challenge.value;
-                                               document.loginform.userident.value = MD5(str);
-                                               document.loginform.p_field.value = "";
-                                               return true;
-                                       }
+               $JSCode = '';
+               if (is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/index.php']['loginScriptHook'])) {
+                       foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/index.php']['loginScriptHook'] as $function) {
+                               $params = array();
+                               $JSCode = t3lib_div::callUserFunction($function, $params, $this);
+                               if ($JSCode) {
+                                       break;
                                }
-
-                               function startUp() {
-                                               // If the login screen is shown in the login_frameset window for re-login, then try to get the username of the current/former login from opening windows main frame:
-                                       if (parent.opener && parent.opener.TS && parent.opener.TS.username && document.loginform && document.loginform.username)        {
-                                               document.loginform.username.value = parent.opener.TS.username;
-                                       }
-
-                                               // Wait a few millisecons before calling checkFocus(). This might be necessary because some browsers need some time to auto-fill in the form fields
-                                       window.setTimeout("checkFocus()", 50);
+                       }
+               }
+               $JSCode .= $GLOBALS['TBE_TEMPLATE']->wrapScriptTags('
+                       function startUp() {
+                                       // If the login screen is shown in the login_frameset window for re-login, then try to get the username of the current/former login from opening windows main frame:
+                               if (parent.opener && parent.opener.TS && parent.opener.TS.username && document.loginform && document.loginform.username)        {
+                                       document.loginform.username.value = parent.opener.TS.username;
                                }
 
-                                       // This moves focus to the right input field:
-                               function checkFocus() {
-                                               // If for some reason there already is a username in the username form field, move focus to the password field:
-                                       if (document.loginform.username && document.loginform.username.value == "") {
-                                               document.loginform.username.focus();
-                                       } else if (document.loginform.p_field && document.loginform.p_field.type!="hidden") {
-                                               document.loginform.p_field.focus();
-                                       }
+                                       // Wait a few millisecons before calling checkFocus(). This might be necessary because some browsers need some time to auto-fill in the form fields
+                               window.setTimeout("checkFocus()", 50);
+                       }
+
+                               // This moves focus to the right input field:
+                       function checkFocus() {
+                                       // If for some reason there already is a username in the username form field, move focus to the password field:
+                               if (document.loginform.username && document.loginform.username.value == "") {
+                                       document.loginform.username.focus();
+                               } else if (document.loginform.p_field && document.loginform.p_field.type!="hidden") {
+                                       document.loginform.p_field.focus();
                                }
+                       }
                        ');
 
-               return $JScode;
-       }
-
-       /**
-        * Create a random challenge string
-        *
-        * @return      string          Challenge value
-        */
-       function getChallenge() {
-               $challenge = md5(uniqid('').getmypid());
-               return $challenge;
+               return $JSCode;
        }
 }
 
-// Include extension?
+
 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['typo3/index.php'])        {
        include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['typo3/index.php']);
 }
 
 
 
-
-
-
-
-
-
-
 // Make instance:
 $SOBE = t3lib_div::makeInstance('SC_index');
 $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
-?>
+
+?>
\ No newline at end of file