[pmwiki-users] authuser forcing Author name stopped working?
H. Fox
haganfox at gmail.com
Fri Jul 8 00:00:17 CDT 2005
On 7/7/05, Neil Herber <nospam at eton.ca> wrote:
> At 2005-07-07 09:02 PM -0700, H. Fox is rumored to have said:
> >Oops. This might be better.
> >
> > if ($action == 'edit') @session_start();
> > if (@$_SESSION['authid']) {
> > $Author=@$_SESSION['authid'];
> > } else if (@$_POST['authid']) {
> > $Author = $_POST['authid'];
> > setcookie('author', $Author, 0, '/');
> > } else if (@$_COOKIE['author']) {
> > $Author = $_COOKIE['author'];
> > }
> >
> >Hagan
>
> I am disappointed to report that neither one prevents author spoofing. What
> I know about PHP fits on the back of a postage stamp, but my gut feel is
> that an authid test would have to be performed by authuser and can't be
> tacked on after the fact.
>
> It needs to do something like:
>
> if user name on form exists in .htpasswd
> if passwords match
> user is authenticated, set author name
> else
> user is a spoofer, refuse entry
> endif
authuser.php does this automatically.
> else
> if password matches the shared password
> user is unauthenticated, but we will accept the author name
> else
> user is a complete bozo, refuse entry
> endif
> endif
In my testing it did exactly that.
I didn't try leaving the Name field blank, so I don't know how to
check for the semi-bozo who knows the password but doesn't provide a
name.
Maybe try this line before calling authuser.php:
if (@$_POST['authid'] == '') unset($_POST['authpw']);
Did you clear your cookies for the test? (The `zapcookies' bookmarklet
works great for that, btw).
Did you notice the two lines missing? (Almost certainly so, come to
think of it.) Here's the whole thing:
$AuthUser['htpasswd'] = '/path/to/your/.htpasswd';
# authuser.php is expected to put the verified login id in $_SESSION['authid']
include_once("$FarmD/scripts/authuser.php");
if ($action == 'edit') @session_start();
if (@$_SESSION['authid']) {
  # logged in through authuser.php: use the verified id, not the form field
  $Author = @$_SESSION['authid'];
} else if (@$_POST['authid']) {
  # not logged in: take the name from the edit form and remember it in a cookie
  $Author = $_POST['authid'];
  setcookie('author', $Author, 0, '/');
} else if (@$_COOKIE['author']) {
  $Author = $_COOKIE['author'];
}
I can't test right now, but I'll be back in a couple of hours and I'll
try again then.
Hagan
> Neil
>
> Neil Herber
> Corporate info at http://www.eton.ca/
> Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
> Tel: (613) 829-4668
>
>
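The decision procedure Neil sketches above (name listed in .htpasswd must
present its own password; otherwise the shared password is enough and the
supplied name is taken at face value), written out as an added, standalone
PHP example. This is not PmWiki's authuser.php and not code from the thread;
the .htpasswd contents, the user names and the shared password are constructed
for the demo, and the function names are my own. It also covers the blank-name
case Hagan mentions, refusing a caller who knows the shared password but gives
no name.

```php
<?php
// Parse htpasswd text into user => hash. Blank lines and comments are skipped.
function parse_htpasswd(string $text): array {
    $users = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') continue;
        [$user, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($user !== '' && $hash !== '') $users[$user] = $hash;
    }
    return $users;
}

// Verify a password against one htpasswd entry: {SHA} (htpasswd -s),
// bcrypt (htpasswd -B) and classic crypt(3)/$1$ entries.
// Note: PHP's crypt() does not implement Apache's $apr1$ format.
function htpasswd_check(string $stored, string $password): bool {
    if (strncmp($stored, '{SHA}', 5) === 0) {
        $calc = '{SHA}' . base64_encode(sha1($password, true));
        return hash_equals($stored, $calc);
    }
    if (strncmp($stored, '$2y$', 4) === 0 || strncmp($stored, '$2a$', 4) === 0) {
        return password_verify($password, $stored);
    }
    $calc = crypt($password, $stored);
    return is_string($calc) && hash_equals($stored, $calc);
}

// The decision from the thread. A name that exists in .htpasswd can only be
// used with its own password, so the shared password cannot impersonate it.
function decide_author(array $users, string $sharedPw, string $name, string $pw): array {
    $name = trim($name);
    if ($name !== '' && isset($users[$name])) {
        if (htpasswd_check($users[$name], $pw)) {
            return ['ok' => true, 'author' => $name, 'reason' => 'authenticated via .htpasswd'];
        }
        return ['ok' => false, 'author' => null, 'reason' => 'listed name, wrong password (spoofer)'];
    }
    if ($sharedPw !== '' && hash_equals($sharedPw, $pw)) {
        if ($name === '') {
            return ['ok' => false, 'author' => null, 'reason' => 'shared password but no name'];
        }
        return ['ok' => true, 'author' => $name, 'reason' => 'unauthenticated, name accepted'];
    }
    return ['ok' => false, 'author' => null, 'reason' => 'refused'];
}

// Constructed sample data (hashes generated here, not taken from any real wiki).
$htpasswd = "# per-user credentials\n"
          . "alice:" . password_hash('correct horse', PASSWORD_BCRYPT) . "\n"
          . "bob:{SHA}" . base64_encode(sha1('bob-secret', true)) . "\n";
$users  = parse_htpasswd($htpasswd);
$shared = 'wiki-edit-pw';   // the site's shared edit password (constructed)

$cases = [
    ['alice',   'correct horse'],  // listed user, own password: accept as alice
    ['alice',   'wiki-edit-pw'],   // listed name with the shared password: refuse
    ['bob',     'bob-secret'],     // {SHA} entry: accept as bob
    ['Visitor', 'wiki-edit-pw'],   // unlisted name, shared password: accept as Visitor
    ['',        'wiki-edit-pw'],   // knows the password, gives no name: refuse
    ['Visitor', 'wrong'],          // neither: refuse
];
foreach ($cases as [$n, $p]) {
    $r = decide_author($users, $shared, $n, $p);
    printf("%-8s %-14s -> %s (%s)\n",
           $n === '' ? '(blank)' : $n, $p,
           $r['ok'] ? 'accept as ' . $r['author'] : 'refuse',
           $r['reason']);
}
```

The point of the second case is the one the thread is about: the author name
comes out of the verified identity when the name is in .htpasswd, and the
form field is only trusted for names that are not listed there.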
More information about the pmwiki-users mailing list