Replace deprecated function split()

[Github/YOURLS.git] / includes / functions-auth.php

<?php\r
// Check for valid user. Returns true or an error message\r
function yourls_is_valid_user() {\r
        static $valid = false;\r
        \r
        if( $valid )\r
                return true;\r
                \r
        $unfiltered_valid = false;\r
\r
        // Logout request\r
        if( isset( $_GET['action'] ) && $_GET['action'] == 'logout' ) {\r
                yourls_do_action( 'logout' );\r
                yourls_store_cookie( null );\r
                return 'Logged out successfully';\r
        }\r
        \r
        // Check cookies or login request. Login form has precedence.\r
        global $yourls_user_passwords;\r
        \r
        yourls_do_action( 'pre_login' );\r
\r
        // Determine auth method and check credentials\r
        if\r
                // API only: Secure (no login or pwd) and time limited token\r
                // ?timestamp=12345678&signature=md5(totoblah12345678)\r
                ( yourls_is_API() &&\r
                  isset( $_REQUEST['timestamp'] ) && !empty($_REQUEST['timestamp'] ) &&\r
                  isset( $_REQUEST['signature'] ) && !empty($_REQUEST['signature'] )\r
                )\r
                {\r
                        yourls_do_action( 'pre_login_signature_timestamp' );\r
                        $unfiltered_valid = yourls_check_signature_timestamp();\r
                }\r
                \r
        elseif\r
                // API only: Secure (no login or pwd)\r
                // ?signature=md5(totoblah)\r
                ( yourls_is_API() &&\r
                  !isset( $_REQUEST['timestamp'] ) &&\r
                  isset( $_REQUEST['signature'] ) && !empty( $_REQUEST['signature'] )\r
                )\r
                {\r
                        yourls_do_action( 'pre_login_signature' );\r
                        $unfiltered_valid = yourls_check_signature();\r
                }\r
        \r
        elseif\r
                // API or normal: login with username & pwd\r
                ( isset( $_REQUEST['username'] ) && isset( $_REQUEST['password'] )\r
                  && !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password']  ) )\r
                {\r
                        yourls_do_action( 'pre_login_username_password' );\r
                        $unfiltered_valid = yourls_check_username_password();\r
                }\r
        \r
        elseif\r
                // Normal only: cookies\r
                ( !yourls_is_API() && \r
                  isset( $_COOKIE['yourls_username'] ) && isset( $_COOKIE['yourls_password'] ) )\r
                {\r
                        yourls_do_action( 'pre_login_cookie' );\r
                        $unfiltered_valid = yourls_check_auth_cookie();\r
                }\r
\r
        $valid = yourls_apply_filter( 'is_valid_user', $unfiltered_valid );\r
\r
        // Login for the win!\r
        if ( $valid ) {\r
                yourls_do_action( 'login' );\r
                // (Re)store encrypted cookie if needed and tell it's ok\r
                if ( !yourls_is_API() && $unfiltered_valid ) \r
                        yourls_store_cookie( YOURLS_USER );\r
                return true;\r
        }\r
        \r
        // Login failed\r
        yourls_do_action( 'login_failed' );\r
\r
        if ( isset( $_REQUEST['username'] ) || isset( $_REQUEST['password'] ) ) {\r
                return 'Invalid username or password';\r
        } else {\r
                return 'Please log in';\r
        }\r
}\r
\r
// Check auth against list of login=>pwd. Sets user if applicable, returns bool\r
function yourls_check_username_password() {\r
        global $yourls_user_passwords;\r
        if( isset( $yourls_user_passwords[ $_REQUEST['username'] ] ) && yourls_check_password_hash( $yourls_user_passwords[ $_REQUEST['username'] ], $_REQUEST['password'] ) ) {\r
                yourls_set_user( $_REQUEST['username'] );\r
                return true;\r
        }\r
        return false;\r
}\r
\r
// Check a REQUEST password sent in plain text against stored password which can be a salted hash\r
function yourls_check_password_hash( $stored, $plaintext ) {\r
        if ( substr( $stored, 0, 4 ) == 'md5:' and strlen( $stored ) == 42 ) {\r
                // Stored password is a salted hash: "md5:<$r = rand(10000,99999)>:<md5($r.'thepassword')>"\r
                // And 42. Of course. http://www.google.com/search?q=the+answer+to+life+the+universe+and+everything\r
                list( $temp, $salt, $md5 ) = explode( ':', $stored );\r
                return( $stored == 'md5:'.$salt.':'.md5( $salt.$plaintext ) );\r
        } else {\r
                // Password was sent in clear\r
                yourls_add_notice( '<strong>Notice</strong>: your password is stored as clear text in your <tt>config.php</tt>.\r
                Did you know you can easily improve the security of your YOURLS install by <strong>encrypting</strong> your password?\r
                See <a href="http://yourls.org/userpassword">UsernamePassword</a> for details', 'notice' );\r
                return( $stored == $plaintext );\r
        }\r
}\r
\r
\r
// Check auth against encrypted COOKIE data. Sets user if applicable, returns bool\r
function yourls_check_auth_cookie() {\r
        global $yourls_user_passwords;\r
        foreach( $yourls_user_passwords as $valid_user => $valid_password ) {\r
                if( \r
                        yourls_salt( $valid_user ) == $_COOKIE['yourls_username']\r
                        && yourls_salt( $valid_password ) == $_COOKIE['yourls_password'] \r
                ) {\r
                        yourls_set_user( $valid_user );\r
                        return true;\r
                }\r
        }\r
        return false;\r
}\r
\r
// Check auth against signature and timestamp. Sets user if applicable, returns bool\r
function yourls_check_signature_timestamp() {\r
        // Timestamp in PHP : time()\r
        // Timestamp in JS: parseInt(new Date().getTime() / 1000)\r
        global $yourls_user_passwords;\r
        foreach( $yourls_user_passwords as $valid_user => $valid_password ) {\r
                if (\r
                        (\r
                                md5( $_REQUEST['timestamp'].yourls_auth_signature( $valid_user ) ) == $_REQUEST['signature']\r
                                or\r
                                md5( yourls_auth_signature( $valid_user ).$_REQUEST['timestamp'] ) == $_REQUEST['signature']\r
                        )\r
                        &&\r
                        yourls_check_timestamp( $_REQUEST['timestamp'] )\r
                        ) {\r
                        yourls_set_user( $valid_user );\r
                        return true;\r
                }\r
        }\r
        return false;\r
}\r
\r
// Check auth against signature. Sets user if applicable, returns bool\r
function yourls_check_signature() {\r
        global $yourls_user_passwords;\r
        foreach( $yourls_user_passwords as $valid_user => $valid_password ) {\r
                if ( yourls_auth_signature( $valid_user ) == $_REQUEST['signature'] ) {\r
                        yourls_set_user( $valid_user );\r
                        return true;\r
                }\r
        }\r
        return false;\r
}\r
\r
// Generate secret signature hash\r
function yourls_auth_signature( $username = false ) {\r
        if( !$username && defined('YOURLS_USER') ) {\r
                $username = YOURLS_USER;\r
        }\r
        return ( $username ? substr( yourls_salt( $username ), 0, 10 ) : 'Cannot generate auth signature: no username' );\r
}\r
\r
// Check if timestamp is not too old\r
function yourls_check_timestamp( $time ) {\r
        $now = time();\r
        // Allow timestamp to be a little in the future or the past -- see Issue 766\r
        return yourls_apply_filter( 'check_timestamp', abs( $now - $time ) < YOURLS_NONCE_LIFE, $time );\r
}\r
\r
// Store new cookie. No $user will delete the cookie.\r
function yourls_store_cookie( $user = null ) {\r
        if( !$user ) {\r
                $pass = null;\r
                $time = time() - 3600;\r
        } else {\r
                global $yourls_user_passwords;\r
                if( isset($yourls_user_passwords[$user]) ) {\r
                        $pass = $yourls_user_passwords[$user];\r
                } else {\r
                        die( 'Stealing cookies?' ); // This should never happen\r
                }\r
                $time = time() + YOURLS_COOKIE_LIFE;\r
        }\r
        \r
        $domain   = yourls_apply_filter( 'setcookie_domain',   parse_url( YOURLS_SITE, 1 ) );\r
        $secure   = yourls_apply_filter( 'setcookie_secure',   yourls_is_ssl() );\r
        $httponly = yourls_apply_filter( 'setcookie_httponly', true );\r
                \r
        if ( !headers_sent() ) {\r
                // Set httponly if the php version is >= 5.2.0\r
                if( version_compare( phpversion(), '5.2.0', 'ge' ) ) {\r
                        setcookie('yourls_username', yourls_salt( $user ), $time, '/', $domain, $secure, $httponly );\r
                        setcookie('yourls_password', yourls_salt( $pass ), $time, '/', $domain, $secure, $httponly );\r
                } else {\r
                        setcookie('yourls_username', yourls_salt( $user ), $time, '/', $domain, $secure );\r
                        setcookie('yourls_password', yourls_salt( $pass ), $time, '/', $domain, $secure );\r
                }\r
        }\r
}\r
\r
// Set user name\r
function yourls_set_user( $user ) {\r
        if( !defined( 'YOURLS_USER' ) )\r
                define( 'YOURLS_USER', $user );\r
}\r