* Added Bernhard Krafts security improvement for server validated challenge value.
authorKasper Skårhøj <kasper@typo3.org>
Fri, 1 Apr 2005 12:53:30 +0000 (12:53 +0000)
committerKasper Skårhøj <kasper@typo3.org>
Fri, 1 Apr 2005 12:53:30 +0000 (12:53 +0000)
* Added "Esperanto" as language - now we are at 41 backend languages.
* Made a change to how cache-control headers are sent. Thanks to Ole Tange, FI, Denmark

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@592 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_beuserauth.php
t3lib/class.t3lib_cs.php
t3lib/class.t3lib_userauth.php
t3lib/config_default.php
t3lib/stddb/tbl_be.php
typo3/index.php
typo3/sysext/cms/tslib/class.tslib_fe.php
typo3/sysext/setup/mod/locallang.xml

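--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2005-04-01  Kasper Skårhøj,,,  <kasper@typo3.com>
+
+       * Added Bernhard Krafts security improvement for server validated challenge value.
+       * Added "Esperanto" as language - now we are at 41 backend languages.
+       * Made a change to how cache-control headers are sent. Thanks to Ole Tange, FI, Denmark
+
 2005-04-01  Michael Stucki  <michael@typo3.org>
 
        * Display empty tag contents in the backend (e.g. <link email@hostname.com></link>)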
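--- a/t3lib/class.t3lib_beuserauth.php
+++ b/t3lib/class.t3lib_beuserauth.php
@@ -105,7 +105,7 @@ class t3lib_beUserAuth extends t3lib_userAuthGroup {
 
        var $auth_timeout_field = 6000;                         // if > 0 : session-timeout in seconds. if false/<0 : no timeout. if string: The string is fieldname from the usertable where the timeout can be found.
        var $lifetime = 0;                              // 0 = Session-cookies. If session-cookies, the browser will stop session when the browser is closed. Else it keeps the session for $lifetime seconds.
-
+       var $challengeStoredInCookie = TRUE;
 
 
                // User Config: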
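Review bot: `var $challengeStoredInCookie = TRUE;` overrides the parent default without any comment, and the name is misleading: the value is kept in `$_SESSION` (see the t3lib/class.t3lib_userauth.php hunks), not in a cookie, so a maintainer reading either class will look for cookie handling that does not exist. Keep the name for compatibility but document the actual mechanism here, e.g. `var $challengeStoredInCookie = TRUE;		// Backend default: the login challenge is also kept server-side in $_SESSION['login_challenge'] and compared on login (see t3lib_userAuth).` The parent declaration in t3lib/class.t3lib_userauth.php carries the same "cookie" wording in its comment and should say "session" as well.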
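--- a/t3lib/class.t3lib_cs.php
+++ b/t3lib/class.t3lib_cs.php
@@ -446,6 +446,7 @@ class t3lib_cs {
                'ca' => 'iso-8859-15',
                'ba' => 'iso-8859-2',
                'kr' => 'euc-kr',
+               'eo' => 'utf-8',
        );
 
                // TYPO3 specific: Array with the iso names used for each system language in TYPO3: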
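--- a/t3lib/class.t3lib_userauth.php
+++ b/t3lib/class.t3lib_userauth.php
@@ -143,6 +143,7 @@ class t3lib_userAuth {
 
        var $forceSetCookie=0;                          // Will force the session cookie to be set everytime (lifetime must be 0)
        var $dontSetCookie=0;                           // Will prevent the setting of the session cookie (takes precedence over forceSetCookie)
+       var $challengeStoredInCookie=0;         // If set, the challenge value will be stored in a session as well so the server can check that is was not forged.
 
 
        /**
@@ -311,6 +312,15 @@ class t3lib_userAuth {
                                                switch ($this->security_level)  {
                                                        case 'superchallenged':         // If superchallenged the password in the database ($tempuser[$this->userident_column]) must be a md5-hash of the original password.
                                                        case 'challenged':
+
+                                                               if ($this->challengeStoredInCookie)     {
+                                                                       session_start();
+                                                                       if ($_SESSION['login_challenge'] !== $F_chalvalue) {
+                                                                               $this->logoff();
+                                                                               return 'login';
+                                                                       }
+                                                               }
+
                                                                if (!strcmp($F_uident,md5($tempuser[$this->username_column].':'.$tempuser[$this->userident_column].':'.$F_chalvalue)))  {
                                                                        $OK = true;
                                                                };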
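Review bot: The stored challenge is never cleared after the comparison in the new `if ($this->challengeStoredInCookie)` block, so the same challenge/`userident` pair can be resubmitted and will pass again for as long as the PHP session lives; the hashed response is only one-time if the server consumes the challenge it issued. Read it out and drop it before comparing, and treat a missing value as failure rather than relying on `null !== string`: `$storedChallenge = isset($_SESSION['login_challenge']) ? $_SESSION['login_challenge'] : NULL;` / `unset($_SESSION['login_challenge']);` / `if ($storedChallenge === NULL || $storedChallenge !== $F_chalvalue) {` — the `isset` also avoids the undefined-index notice on a request that never saw the login form. `session_start()` raises a notice when a session is already active on the request, so guarding it with `if (!session_id())` is advisable. The enclosing method and the `switch` it lives in start and end outside the hunk, so whether this runs once per candidate user record cannot be seen here.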
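--- a/t3lib/config_default.php
+++ b/t3lib/config_default.php
@@ -258,7 +258,7 @@ define('TYPO3_extTableDef_script', $typo_db_extTableDef_script);
        //              - Kickstarter wizard (ext/kickstarter/modfunc1/class.tx_kickstarter_wizard.php)
        //              - Add character encoding for lang key in t3lib/class.t3lib_cs.php
        //              - Add "csh_[key]" language pack and setup all core ll-XML scripts to point to XML files inside of that.
-define('TYPO3_languages', 'default|dk|de|no|it|fr|es|nl|cz|pl|si|fi|tr|se|pt|ru|ro|ch|sk|lt|is|hr|hu|gl|th|gr|hk|eu|bg|br|et|ar|he|ua|lv|jp|vn|ca|ba|kr');
+define('TYPO3_languages', 'default|dk|de|no|it|fr|es|nl|cz|pl|si|fi|tr|se|pt|ru|ro|ch|sk|lt|is|hr|hu|gl|th|gr|hk|eu|bg|br|et|ar|he|ua|lv|jp|vn|ca|ba|kr|eo');
 
        // Unsetting the configured values. Use of these are depreciated.
 unset($typo_db);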
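--- a/t3lib/stddb/tbl_be.php
+++ b/t3lib/stddb/tbl_be.php
@@ -287,6 +287,7 @@ $TCA['be_users'] = Array (
                                        Array('Danish', 'dk'),
                                        Array('Dutch', 'nl'),
                                        Array('Estonian', 'et'),
+                                       Array('Esperanto', 'eo'),
                                        Array('Finnish', 'fi'),
                                        Array('French', 'fr'),
                                        Array('German', 'de'),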
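--- a/typo3/index.php
+++ b/typo3/index.php
@@ -205,12 +205,16 @@ class SC_index {
                        // Ending form:
                $this->content.= '
                        <input type="hidden" name="userident" value="" />
-                       <input type="hidden" name="challenge" value="'.md5(uniqid('')).'" />
+                       <input type="hidden" name="challenge" value="'.($challenge = md5(uniqid('').getmypid())).'" />
                        <input type="hidden" name="redirect_url" value="'.htmlspecialchars($this->redirectToURL).'" />
                        <input type="hidden" name="loginRefresh" value="'.htmlspecialchars($this->loginRefresh).'" />
                        '.$this->interfaceSelector_hidden.'
                        ';
 
+                       // Save challenge value in session data (thanks to Bernhard Kraft for providing code):
+               session_start();
+               $_SESSION['login_challenge'] = $challenge;
+
                        // This moves focus to the right input field:
                $this->content.=$TBE_TEMPLATE->wrapScriptTags('
 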
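Review bot: The assignment buried inside the string expression, `($challenge = md5(uniqid('').getmypid()))`, hides where `$challenge` is created and is easy to misread as a comparison; compute it on its own line before `$this->content.= '` and reference `$challenge` in the `value="..."` attribute. The value is derived from the clock and the process id rather than a random source; the server-side comparison added in this commit is what actually protects the login, but `uniqid('', true)` adds entropy at no cost. The new `session_start()` is reached after `$this->content` has been appended to, which is fine as long as nothing has been echoed yet; a one-line comment stating that assumption (`// must run before any output, otherwise the session cookie is not sent`) would protect it from later reordering. The enclosing method begins and ends outside the hunk.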
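--- a/typo3/sysext/cms/tslib/class.tslib_fe.php
+++ b/typo3/sysext/cms/tslib/class.tslib_fe.php
@@ -2620,8 +2620,10 @@ if (version == "n3") {
                        $headers = array(
                                #'Last-Modified: '.gmdate('D, d M Y H:i:s T', $this->register['SYS_LASTCHANGED']),
                                #'ETag: '.md5($this->content),
-                               'Cache-Control: no-cache',
-                               'Pragma: no-cache',
+
+                               #'Cache-Control: no-cache',
+                               #'Pragma: no-cache',
+                               'Cache-Control: private',               // Changed to this according to Ole Tange, FI.dk
                        );
 
                        $this->isClientCachable = FALSE;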
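Review bot: `'Cache-Control: private'` only keeps shared caches out; it still lets the user's browser store and reuse the response, so this branch, which sets `$this->isClientCachable = FALSE` right below, no longer enforces what that flag says, and dropping `Pragma: no-cache` also removes the HTTP/1.0 hint for older proxies. If the goal is to allow a back-button view while still forcing revalidation of personalised content, `'Cache-Control: private, no-cache',` keeps both properties; if the browser is meant to cache freely, the flag below and its comment should say so. The commented-out `#'Cache-Control: no-cache'` and `#'Pragma: no-cache'` lines are dead code and should be deleted rather than kept. The enclosing method begins and ends outside the hunk.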
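--- a/typo3/sysext/setup/mod/locallang.xml
+++ b/typo3/sysext/setup/mod/locallang.xml
@@ -53,6 +53,7 @@
                        <label index="lang_ca">Catalan</label>
                        <label index="lang_ba">Bosnian</label>
                        <label index="lang_kr">Korean</label>
+                       <label index="lang_eo">Esperanto</label>
                        <label index="default">Default</label>
                        <label index="simulate">Simulate backend user</label>
                        <label index="opening">Startup</label>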