-rw-r--r--web/html/index.php98
-rw-r--r--web/lib/aur.inc71
-rw-r--r--web/template/header.php28
3 files changed, 95 insertions, 102 deletions
diff --git a/web/html/index.php b/web/html/index.php
index 2a1a489..99cccbc 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -2,78 +2,12 @@
set_include_path(get_include_path() . PATH_SEPARATOR . '../lib' . PATH_SEPARATOR . '../lang');
-include("index_po.inc");
+# include("index_po.inc");
include("pkgfuncs_po.inc"); # Add to handle the i18n of My Packages
include("aur.inc");
set_lang();
check_sid();
-# Need to do the authentication prior to sending any HTML (including header)
-#
-$login_error = "";
-if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) {
- # Attempting to log in
- #
- if (!isset($_REQUEST["user"])) {
- $login_error = __("You must supply a username.");
- }
- if (!isset($_REQUEST["pass"])) {
- $login_error = __("You must supply a password.");
- }
- if (!$login_error) {
- # Try and authenticate the user
- #
-
- #md5 hash it
- $_REQUEST["pass"] = md5($_REQUEST["pass"]);
- $dbh = db_connect();
- $q = "SELECT ID, Suspended FROM Users ";
- $q.= "WHERE Username = '" . mysql_real_escape_string($_REQUEST["user"]) . "' ";
- $q.= "AND Passwd = '" . mysql_real_escape_string($_REQUEST["pass"]) . "'";
- $result = db_query($q, $dbh);
- if (!$result) {
- $login_error = __("Error looking up username, %s.",
- array(htmlspecialchars($_REQUEST["user"])));
- } else {
- $row = mysql_fetch_row($result);
- if (empty($row)) {
- $login_error = __("Incorrect password for username, %s.",
- array(htmlspecialchars($_REQUEST["user"])));
- } elseif ($row[1]) {
- $login_error = __("Your account has been suspended.");
- }
- }
-
- if (!$login_error) {
- # Account looks good. Generate a SID and store it.
- #
- $logged_in = 0;
- $num_tries = 0;
- while (!$logged_in && $num_tries < 5) {
- $new_sid = new_sid();
- $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) ";
- $q.="VALUES (". $row[0]. ", '" . $new_sid . "', UNIX_TIMESTAMP())";
- $result = db_query($q, $dbh);
- # Query will fail if $new_sid is not unique
- #
- if ($result) {
- $logged_in = 1;
- break;
- }
- $num_tries++;
- }
- if ($logged_in) {
- # set our SID cookie
- #
- setcookie("AURSID", $new_sid, 0, "/");
- header("Location: /index.php");
- } else {
- $login_error = __("Error trying to generate session id.");
- }
- }
- }
-}
-
# Any cookies have been sent, can now display HTML
#
html_header();
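Review bot: The commented-out `# include("index_po.inc");` on the new side is dead text and should be deleted rather than kept as a comment, since aur.inc now loads index_po.inc itself through include_once and nothing here explains why the line is preserved. Commented-out includes tend to get re-enabled later and then load the translation table twice from two different paths. If the history matters, a one-line reason is better than the dead code, e.g. `# index_po.inc is loaded by aur.inc`.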
@@ -97,36 +31,6 @@ print __("The most popular packages will be provided as binary packages in [comm
print "</td>";
print "<td class='boxSoft' valign='top'>";
-# Now present the user login stuff
-if (!isset($_COOKIE["AURSID"])) {
- # the user is not logged in, give them login widgets
- #
- if ($login_error) {
- print "<span class='error'>" . $login_error . "</span><br />\n";
- }
- print "<table border='0' cellpadding='0' cellspacing='0' width='100%'>\n";
- print "<form action='/index.php' method='post'>\n";
- print "<tr>\n";
- print "<td>".__("Username:")."</td>";
- print "<td><input type='text' name='user' size='30' maxlength='64'></td>";
- print "</tr>\n";
- print "<tr>\n";
- print "<td>".__("Password:")."</td>";
- print "<td><input type='password' name='pass' size='30' maxlength='32'></td>";
- print "</tr>\n";
- print "<tr>\n";
- print "<td colspan='2' align='right'>&nbsp;<br />";
- print "<input type='submit' class='button'";
- print " value='".__("Login")."'></td>";
- print "</tr>\n";
- print "</form>\n";
- print "</table>\n";
-
-} else {
- print __("Logged-in as: %h%s%h",
- array("<b>", username_from_sid($_COOKIE["AURSID"]), "</b>"));
-}
-
# MAIN: Bottom Left
print "</td>";
print "</tr>";
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index 8473fae..4715648 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -7,6 +7,7 @@ header('Pragma: no-cache');
include_once("version.inc");
include_once("config.inc");
include_once("aur_po.inc");
+include_once("index_po.inc");
# TODO do we need to set the domain on cookies? I seem to remember some
# security concerns about not using domains - but it's not like
@@ -92,6 +93,8 @@ function check_sid() {
# clear out the hacker's cookie, and send them to a naughty page
#
setcookie("AURSID", "", time() - (60*60*24*30), "/");
+ # I think it's probably safe to do the same as below with this
+ # but not really vital at this point
header("Location: /hacker.php");
} elseif ($failed == 2) {
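Review bot: The `header("Location: /hacker.php");` branch is not followed by `exit;`, so after the tampered-cookie case is detected the script keeps running with the rejected value still present in `$_COOKIE["AURSID"]`, and only the browser's follow-up of the redirect hides that. The new comment says it is "probably safe to do the same as below", but an expired Set-Cookie alone does not stop the current request. I would make the branch terminate explicitly: `header("Location: /hacker.php"); exit;`, and if the fall-through is intended, at least `unset($_COOKIE['AURSID']);` so later code cannot read the bad SID. check_sid() begins and ends outside this hunk.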
@@ -104,8 +107,7 @@ function check_sid() {
db_query($q, $dbh);
setcookie("AURSID", "", time() - (60*60*24*30), "/");
- header("Location: /timeout.php");
-
+ unset($_COOKIE['AURSID']);
} else {
# still logged in and haven't reached the timeout, go ahead
# and update the idle timestamp
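Review bot: Replacing the `/timeout.php` redirect with `unset($_COOKIE['AURSID']);` makes the timeout silent: the session row is removed and the cookie expired, but the rest of the request now renders as an anonymous page with no indication that the user was logged out. A user who expects to be logged in may re-submit a form or credentials without knowing why. I would record the event for the template, e.g. `$GLOBALS['session_timed_out'] = 1;` next to the unset, so the login widget can show a "session timed out" message; the exact mechanism depends on how header.php receives state, which is not visible here. The enclosing check_sid() starts outside this hunk.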
@@ -336,9 +338,74 @@ function set_lang() {
function html_header() {
global $_SERVER;
global $_COOKIE;
+ global $_POST;
global $LANG;
global $SUPPORTED_LANGS;
+ $login_error = "";
+ if (isset($_POST["user"]) || isset($_POST["pass"])) {
+ # Attempting to log in
+ #
+ if (!isset($_POST["user"])) {
+ $login_error = __("You must supply a username.");
+ }
+ if (!isset($_POST["pass"])) {
+ $login_error = __("You must supply a password.");
+ }
+ if (!$login_error) {
+ # Try and authenticate the user
+ #
+
+ #md5 hash it
+ $_POST["pass"] = md5($_POST["pass"]);
+ $dbh = db_connect();
+ $q = "SELECT ID, Suspended FROM Users ";
+ $q.= "WHERE Username = '" . mysql_real_escape_string($_POST["user"]) . "' ";
+ $q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'";
+ $result = db_query($q, $dbh);
+ if (!$result) {
+ $login_error = __("Error looking up username, %s.",
+ array(htmlspecialchars($_POST["user"])));
+ } else {
+ $row = mysql_fetch_row($result);
+ if (empty($row)) {
+ $login_error = __("Incorrect password for username, %s.",
+ array(htmlspecialchars($_POST["user"])));
+ } elseif ($row[1]) {
+ $login_error = __("Your account has been suspended.");
+ }
+ }
+
+ if (!$login_error) {
+ # Account looks good. Generate a SID and store it.
+ #
+ $logged_in = 0;
+ $num_tries = 0;
+ while (!$logged_in && $num_tries < 5) {
+ $new_sid = new_sid();
+ $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) ";
+ $q.="VALUES (". $row[0]. ", '" . $new_sid . "', UNIX_TIMESTAMP())";
+ $result = db_query($q, $dbh);
+ # Query will fail if $new_sid is not unique
+ #
+ if ($result) {
+ $logged_in = 1;
+ break;
+ }
+ $num_tries++;
+ }
+ if ($logged_in) {
+ # set our SID cookie
+ #
+ setcookie("AURSID", $new_sid, 0, "/");
+ $_COOKIE['AURSID'] = $new_sid;
+ } else {
+ $login_error = __("Error trying to generate session id.");
+ }
+ }
+ }
+ }
+
include('header.php');
return;
}
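Review bot: The login block now runs inside html_header() for every page that renders the header, and it never checks whether the request already carries an AURSID cookie, so a POST with `user`/`pass` from an already-authenticated browser inserts a second Sessions row and overwrites the cookie while nothing in this block invalidates the previous SID. Guard it with `if (!isset($_COOKIE["AURSID"]) && (isset($_POST["user"]) || isset($_POST["pass"]))) {` so only anonymous requests are authenticated here. The old `header("Location: /index.php")` after setcookie was also the POST-redirect-GET step; since the new code falls through and renders, a browser refresh will re-POST the password, so consider reinstating a redirect followed by `exit;`. The `AND Passwd = '...md5...'` comparison carried over from index.php is an unsalted MD5; with the check now in one place this is the moment to move to a salted hash. The `global $_POST;` line is unnecessary, superglobals are always in scope.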
diff --git a/web/template/header.php b/web/template/header.php
index a931f57..5230dc5 100644
--- a/web/template/header.php
+++ b/web/template/header.php
@@ -65,8 +65,30 @@ foreach ($SUPPORTED_LANGS as $lang => $lang_name) {
<li>Lang: </li>
</ul>
</div>
- </div>
- <div id="maincontent">
- <!-- Start of main content -->
+ <br />
+ <div style="text-align: right; padding-right: 10px">
+<?php
+if (!isset($_COOKIE["AURSID"])) {
+ if ($login_error) {
+ print "<span class='error'>" . $login_error . "</span><br />\n";
+ }
+?>
+ <form method='post'>
+<?php print __("Username:"); ?>
+ <input type='text' name='user' size='30' maxlength='64'>
+<?php print __("Password:"); ?>
+ <input type='password' name='pass' size='30' maxlength='32'>
+ <input type='submit' class='button' value='<?php print __("Login"); ?>'>
+ </form>
+<?php
+} else {
+ print __("Logged-in as: %h%s%h",
+ array("<b>", username_from_sid($_COOKIE["AURSID"]), "</b>"));
+}
+?>
+ </div>
+ </div>
+ <div id="maincontent">
+ <!-- Start of main content -->