From 84cdbefebd6adffbe285389df775c0c2f71c03b2 Mon Sep 17 00:00:00 2001 From: fbsanchez Date: Tue, 2 Jul 2019 16:22:23 +0200 Subject: [PATCH] cleanup and fix in location reload --- pandora_console/index.php | 365 ++++++++++++++++++++++++-------------- 1 file changed, 235 insertions(+), 130 deletions(-) diff --git a/pandora_console/index.php b/pandora_console/index.php index 3c95074171..e299d0869d 100755 --- a/pandora_console/index.php +++ b/pandora_console/index.php @@ -1,17 +1,32 @@ $value) { if ($key == 1) { continue; @@ -162,12 +181,12 @@ if (!empty($config['https']) && empty($_SERVER['HTTPS'])) { $url = ui_get_full_url($query); // Prevent HTTP response splitting attacks - // http://en.wikipedia.org/wiki/HTTP_response_splitting + // http://en.wikipedia.org/wiki/HTTP_response_splitting. $url = str_replace("\n", '', $url); header('Location: '.$url); + // Always exit after sending location headers. exit; - // Always exit after sending location headers } // Pure mode (without menu, header and footer). @@ -188,20 +207,21 @@ echo ''."\n"; echo ''."\n"; -// This starts the page head. In the call back function, things from $page['head'] array will be processed into the head +// This starts the page head. In the callback function, +// $page['head'] array content will be processed into the head. ob_start('ui_process_page_head'); -// Enterprise main +// Enterprise main. enterprise_include('index.php'); echo ''; // This tag is included in the buffer passed to ui_process_page_head so -// technically it can be stripped +// technically it can be stripped. echo ''."\n"; require_once 'include/functions_themes.php'; 
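Review bot: The response-splitting guard in the HTTPS redirect hunk (`@@ -162,12 +181,12 @@`) only strips LF: `$url = str_replace("\n", '', $url);` leaves a CR in place, and current PHP versions refuse to send a header containing either character, so the script would fall through to `exit;` without emitting the Location header. Stripping both covers it: `$url = str_replace(["\r", "\n"], '', $url);`. Moving the "Always exit" comment above the `exit;` is fine as is.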
@@ -212,13 +232,13 @@ $config['remote_addr'] = $_SERVER['REMOTE_ADDR']; $sec2 = get_parameter_get('sec2'); $sec2 = safe_url_extraclean($sec2); $page = $sec2; -// Reference variable for old time sake +// Reference variable for old time sake. $sec = get_parameter_get('sec'); $sec = safe_url_extraclean($sec); $process_login = false; -// Update user password +// Update user password. $change_pass = get_parameter_post('renew_password', 0); if ($change_pass == 1) { @@ -235,14 +255,14 @@ $searchPage = false; $search = get_parameter_get('head_search_keywords'); if (strlen($search) > 0) { $config['search_keywords'] = io_safe_input(trim(io_safe_output(get_parameter('keywords')))); - // If not search category providad, we'll use an agent search + // If not search category providad, we'll use an agent search. $config['search_category'] = get_parameter('search_category', 'all'); if (($config['search_keywords'] != 'Enter keywords to search') && (strlen($config['search_keywords']) > 0)) { $searchPage = true; } } -// Login process +// Login process. if (! isset($config['id_user'])) { // Clear error messages. unset($_COOKIE['errormsg']); 
@@ -250,50 +270,53 @@ if (! isset($config['id_user'])) { if (isset($_GET['login'])) { include_once 'include/functions_db.php'; - // Include it to use escape_string_sql function + // Include it to use escape_string_sql function. $config['auth_error'] = ''; - // Set this to the error message from the authorization mechanism + // Set this to the error message from the authorization mechanism. $nick = get_parameter_post('nick'); - // This is the variable with the login + // This is the variable with the login. $pass = get_parameter_post('pass'); - // This is the variable with the password + // This is the variable with the password. $nick = db_escape_string_sql($nick); $pass = db_escape_string_sql($pass); - // Since now, only the $pass variable are needed + // Since now, only the $pass variable are needed. unset($_GET['pass'], $_POST['pass'], $_REQUEST['pass']); - // If the auth_code exists, we assume the user has come through the double auth page + // If the auth_code exists, we assume the user has come from + // double authorization page. if (isset($_POST['auth_code'])) { $double_auth_success = false; - // The double authentication is activated and the user has surpassed the first step (the login). + // The double authentication is activated and the user has + // surpassed the first step (the login). // Now the authentication code provided will be checked. if (isset($_SESSION['prepared_login_da'])) { if (isset($_SESSION['prepared_login_da']['id_user']) && isset($_SESSION['prepared_login_da']['timestamp']) ) { - // The user has a maximum of 5 minutes to introduce the double auth code + // The user has a maximum of 5 minutes to introduce + // the double auth code. $dauth_period = SECONDS_2MINUTES; $now = time(); $dauth_time = $_SESSION['prepared_login_da']['timestamp']; if (($now - $dauth_period) < $dauth_time) { - // Nick + // Nick. $nick = $_SESSION['prepared_login_da']['id_user']; - // Code + // Code. 
$code = (string) get_parameter_post('auth_code'); if (!empty($code)) { $result = validate_double_auth_code($nick, $code); if ($result === true) { - // Double auth success + // Double auth success. $double_auth_success = true; } else { - // Screen + // Screen. $login_screen = 'double_auth'; - // Error message + // Error message. $config['auth_error'] = __('Invalid code'); if (!isset($_SESSION['prepared_login_da']['attempts'])) { @@ -303,9 +326,9 @@ if (! isset($config['id_user'])) { $_SESSION['prepared_login_da']['attempts']++; } } else { - // Screen + // Screen. $login_screen = 'double_auth'; - // Error message + // Error message. $config['auth_error'] = __("The code shouldn't be empty"); if (!isset($_SESSION['prepared_login_da']['attempts'])) { @@ -315,27 +338,27 @@ if (! isset($config['id_user'])) { $_SESSION['prepared_login_da']['attempts']++; } } else { - // Expired login + // Expired login. unset($_SESSION['prepared_login_da']); - // Error message + // Error message. $config['auth_error'] = __('Expired login'); } } else { - // If the code doesn't exist, remove the prepared login + // If the code doesn't exist, remove the prepared login. unset($_SESSION['prepared_login_da']); - // Error message + // Error message. $config['auth_error'] = __('Login error'); } - } - // If $_SESSION['prepared_login_da'] doesn't exist, the user have to do the login again - else { - // Error message + } else { + // If $_SESSION['prepared_login_da'] doesn't exist, the user + // must login again. + // Error message. $config['auth_error'] = __('Login error'); } - // Remove the authenticator code + // Remove the authenticator code. unset($_POST['auth_code'], $code); if (!$double_auth_success) { @@ -347,6 +370,8 @@ if (! isset($config['id_user'])) { $_SERVER['REMOTE_ADDR'] ); while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); 
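Review bot: The reflowed comment `// The user has a maximum of 5 minutes to introduce` `// the double auth code.` disagrees with the value assigned right below it, `$dauth_period = SECONDS_2MINUTES;`; one of the two is wrong and the commit touches the comment without reconciling them. If the constant is the intended window, the comment should read `// The user has a maximum of 2 minutes to introduce the double auth code.`; otherwise the constant should change. The enclosing `if (isset($_GET['login']))` block opens in this hunk and continues past its end.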
@@ -355,7 +380,8 @@ if (! isset($config['id_user'])) { $login_button_saml = get_parameter('login_button_saml', false); if (isset($double_auth_success) && $double_auth_success) { - // This values are true cause there are checked before complete the 2nd auth step + // This values are true cause there are checked before complete + // the 2nd auth step. $nick_in_db = $_SESSION['prepared_login_da']['id_user']; $expired_pass = false; } else if (($config['auth'] == 'saml') && ($login_button_saml)) { @@ -370,10 +396,13 @@ if (! isset($config['id_user'])) { $as->logout(); } } else { - // process_user_login is a virtual function which should be defined in each auth file. - // It accepts username and password. The rest should be internal to the auth file. - // The auth file can set $config["auth_error"] to an informative error output or reference their internal error messages to it - // process_user_login should return false in case of errors or invalid login, the nickname if correct + // Function process_user_login is a virtual function which should be + // defined in each auth file. It accepts username and password. The + // rest should be internal to the auth file. The auth file can set + // $config["auth_error"] to an informative error output or reference + // their internal error messages to it process_user_login should + // return false in case of errors or invalid login, the nickname + // if correct. $nick_in_db = process_user_login($nick, $pass); $expired_pass = false; 
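Review bot: In the `@@ -370,10 +396,13 @@` hunk the reflowed comment lost a sentence boundary, so `// their internal error messages to it process_user_login should` now reads as a single run-on sentence. Suggest `// their internal error messages to it. process_user_login should` so the two statements about the auth file and about the return contract stay distinct. The `else` branch this comment sits in continues outside the hunk.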
@@ -391,28 +420,34 @@ if (! isset($config['id_user'])) { include_once 'general/login_page.php'; db_pandora_audit('Password expired', 'Password expired: '.$nick, $nick); while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); } - // Checks if password has expired + // Checks if password has expired. $check_status = check_pass_status($nick, $pass); switch ($check_status) { case PASSSWORD_POLICIES_FIRST_CHANGE: - // first change + // First change. case PASSSWORD_POLICIES_EXPIRED: - // pass expired + // Pass expired. $expired_pass = true; login_change_password($nick, '', $check_status); break; + + default: + // Ignore. + break; } } } if (($nick_in_db !== false) && $expired_pass) { - // login ok and password has expired + // Login ok and password has expired. include_once 'general/login_page.php'; db_pandora_audit( 'Password expired', 
@@ -420,30 +455,38 @@ if (! isset($config['id_user'])) { $nick ); while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); } else if (($nick_in_db !== false) && (!$expired_pass)) { - // login ok and password has not expired - // Double auth check - if ((!isset($double_auth_success) || !$double_auth_success) && is_double_auth_enabled($nick_in_db)) { - // Store this values in the session to know if the user login was correct + // Login ok and password has not expired. + // Double auth check. + if ((!isset($double_auth_success) + || !$double_auth_success) + && is_double_auth_enabled($nick_in_db) + ) { + // Store this values in the session to know if the user login + // was correct. $_SESSION['prepared_login_da'] = [ 'id_user' => $nick_in_db, 'timestamp' => time(), 'attempts' => 0, ]; - // Load the page to introduce the double auth code + // Load the page to introduce the double auth code. $login_screen = 'double_auth'; include_once 'general/login_page.php'; while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); } - // login ok and password has not expired + // Login ok and password has not expired. $process_login = true; if (is_user_admin($nick)) { @@ -455,7 +498,7 @@ if (! isset($config['id_user'])) { if (!isset($_GET['sec2']) && !isset($_GET['sec'])) { // Avoid the show homepage when the user go to // a specific section of pandora - // for example when timeout the sesion + // for example when timeout the sesion. unset($_GET['sec2']); $_GET['sec'] = 'general/logon_ok'; $home_page = ''; @@ -486,6 +529,7 @@ if (! isset($config['id_user'])) { break; case 'Default': + default: $_GET['sec'] = 'general/logon_ok'; break; 
@@ -521,11 +565,14 @@ if (! isset($config['id_user'])) { $_SESSION['id_usuario'] = $nick_in_db; $config['id_user'] = $nick_in_db; - // Check if connection goes through F5 balancer. If it does, then don't call config_prepare_session() or user will be back to login all the time + // Check if connection goes through F5 balancer. If it does, then + // don't call config_prepare_session() or user will be back to login + // all the time. $prepare_session = true; foreach ($_COOKIE as $key => $value) { if (preg_match('/BIGipServer*/', $key)) { $prepare_session = false; + break; } } @@ -534,9 +581,13 @@ if (! isset($config['id_user'])) { } if (is_user_admin($config['id_user'])) { - // PHP configuration values - $PHPupload_max_filesize = config_return_in_bytes(ini_get('upload_max_filesize')); - $PHPmemory_limit = config_return_in_bytes(ini_get('memory_limit')); + // PHP configuration values. + $PHPupload_max_filesize = config_return_in_bytes( + ini_get('upload_max_filesize') + ); + $PHPmemory_limit = config_return_in_bytes( + ini_get('memory_limit') + ); $PHPmax_execution_time = ini_get('max_execution_time'); if ($PHPmax_execution_time !== '0') { 
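Review bot: The added `break;` is correct, but the condition it sits in keys off a client-supplied cookie name: any request carrying a cookie whose name matches `/BIGipServer*/` skips `config_prepare_session()`, so that decision is controlled by the request rather than by deployment configuration. What `config_prepare_session()` does is outside this hunk; if it applies any session hardening, a server-side setting indicating "behind F5" would be a safer trigger than cookie inspection. Separately, `BIGipServer*` matches `BIGipServe` followed by any number of `r` anywhere in the key; `strpos($key, 'BIGipServer') === 0` states the intent exactly.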
@@ -571,43 +622,60 @@ if (! isset($config['id_user'])) { $l10n = null; if (file_exists('./include/languages/'.$user_language.'.mo')) { - $l10n = new gettext_reader(new CachedFileReader('./include/languages/'.$user_language.'.mo')); + $cacheFileReader = new CachedFileReader( + './include/languages/'.$user_language.'.mo' + ); + $l10n = new gettext_reader($cacheFileReader); $l10n->load_tables(); } } else { - // login wrong + // Login wrong. $blocked = false; - if ((!is_user_admin($nick) || $config['enable_pass_policy_admin']) && file_exists(ENTERPRISE_DIR.'/load_enterprise.php')) { + if ((!is_user_admin($nick) || $config['enable_pass_policy_admin']) + && file_exists(ENTERPRISE_DIR.'/load_enterprise.php') + ) { $blocked = login_check_blocked($nick); } if (!$blocked) { if (file_exists(ENTERPRISE_DIR.'/load_enterprise.php')) { + // Checks failed attempts. login_check_failed($nick); - // Checks failed attempts } $login_failed = true; include_once 'general/login_page.php'; - db_pandora_audit('Logon Failed', 'Invalid login: '.$nick, $nick); + db_pandora_audit( + 'Logon Failed', + 'Invalid login: '.$nick, + $nick + ); while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); } else { include_once 'general/login_page.php'; - db_pandora_audit('Logon Failed', 'Invalid login: '.$nick, $nick); + db_pandora_audit( + 'Logon Failed', + 'Invalid login: '.$nick, + $nick + ); while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); } } - // Form the url + // Form the url. $query_params_redirect = $_GET; - // Visual console do not want sec2 + // Visual console do not want sec2. if ($home_page == 'Visual console') { unset($query_params_redirect['sec2']); } 
@@ -621,15 +689,19 @@ if (! isset($config['id_user'])) { $redirect_url .= '&'.safe_url_extraclean($key).'='.safe_url_extraclean($value); } - header('Location: '.$config['homeurl'].'index.php'.$redirect_url); + header('Location: '.ui_get_full_url('index.php'.$redirect_url)); exit; // Always exit after sending location headers. } else if (isset($_GET['loginhash'])) { - // Hash login process + // Hash login process. $loginhash_data = get_parameter('loginhash_data', ''); $loginhash_user = str_rot13(get_parameter('loginhash_user', '')); - if ($config['loginhash_pwd'] != '' && $loginhash_data == md5($loginhash_user.io_output_password($config['loginhash_pwd']))) { + if ($config['loginhash_pwd'] != '' + && $loginhash_data == md5( + $loginhash_user.io_output_password($config['loginhash_pwd']) + ) + ) { db_logon($loginhash_user, $_SERVER['REMOTE_ADDR']); $_SESSION['id_usuario'] = $loginhash_user; $config['id_user'] = $loginhash_user; @@ -637,6 +709,8 @@ if (! isset($config['id_user'])) { include_once 'general/login_page.php'; db_pandora_audit('Logon Failed (loginhash', '', 'system'); while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); @@ -758,7 +832,7 @@ if (! isset($config['id_user'])) { $body .= '
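Review bot: The reformatted loginhash check still uses loose `==` between two strings: `$loginhash_data == md5($loginhash_user.io_output_password($config['loginhash_pwd']))`, which PHP compares numerically when both operands look numeric and which is not constant-time. `hash_equals(md5(...), (string) $loginhash_data)` keeps the same inputs while fixing both issues; the same comparison appears in the `@@ -790,11 +866,20 @@` hunk and should change together with this one. Also, the new `header('Location: '.ui_get_full_url('index.php'.$redirect_url));` does not apply the CR/LF stripping that the HTTPS redirect earlier in the file applies to `ui_get_full_url()` output, so the two redirect paths are inconsistent; whether `safe_url_extraclean()` already removes those characters cannot be told from this hunk.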

'; $body .= __('Please click the link below to reset your password'); $body .= '

'; - $body .= ''.__('Reset your password').''; + $body .= ''.__('Reset your password').''; $body .= '

'; $body .= get_product_name(); $body .= '

'; @@ -781,6 +855,8 @@ if (! isset($config['id_user'])) { } while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); @@ -790,11 +866,20 @@ if (! isset($config['id_user'])) { $loginhash_data = get_parameter('loginhash_data', ''); $loginhash_user = str_rot13(get_parameter('loginhash_user', '')); $iduser = $_SESSION['id_usuario']; - // logoff_db ($iduser, $_SERVER["REMOTE_ADDR"]); check why is not available + + /* + * Check why is not available. + * logoff_db ($iduser, $_SERVER["REMOTE_ADDR"]); + */ + unset($_SESSION['id_usuario']); unset($iduser); - if ($config['loginhash_pwd'] != '' && $loginhash_data == md5($loginhash_user.io_output_password($config['loginhash_pwd']))) { + if ($config['loginhash_pwd'] != '' + && $loginhash_data == md5( + $loginhash_user.io_output_password($config['loginhash_pwd']) + ) + ) { db_logon($loginhash_user, $_SERVER['REMOTE_ADDR']); $_SESSION['id_usuario'] = $loginhash_user; $config['id_user'] = $loginhash_user; @@ -802,6 +887,8 @@ if (! isset($config['id_user'])) { include_once 'general/login_page.php'; db_pandora_audit('Logon Failed (loginhash', '', 'system'); while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); @@ -814,7 +901,7 @@ if (! isset($config['id_user'])) { '*' ); if ($user_in_db == false) { - // logout + // Logout. $_REQUEST = []; $_GET = []; $_POST = []; @@ -825,6 +912,8 @@ if (! isset($config['id_user'])) { unset($iduser); include_once 'general/login_page.php'; while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); @@ -832,7 +921,7 @@ if (! isset($config['id_user'])) { if (((bool) $user_in_db['is_admin'] === false) && ((bool) $user_in_db['not_login'] === true) ) { - // logout + // Logout. $_REQUEST = []; $_GET = []; $_POST = []; @@ -843,6 +932,8 @@ if (! isset($config['id_user'])) { unset($iduser); include_once 'general/login_page.php'; while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); 
@@ -850,12 +941,12 @@ if (! isset($config['id_user'])) { } } -// Enterprise support +// Enterprise support. if (file_exists(ENTERPRISE_DIR.'/load_enterprise.php')) { include_once ENTERPRISE_DIR.'/load_enterprise.php'; } -// Log off +// Log off. if (isset($_GET['bye'])) { include 'general/logoff.php'; $iduser = $_SESSION['id_usuario']; @@ -873,6 +964,8 @@ if (isset($_GET['bye'])) { } while (@ob_end_flush()) { + // Dumping... + continue; } exit(''); @@ -880,10 +973,11 @@ if (isset($_GET['bye'])) { clear_pandora_error_for_header(); -// ---------------------------------------------------------------------- -// EXTENSIONS -// ---------------------------------------------------------------------- /* + * ---------------------------------------------------------------------- + * EXTENSIONS + * ---------------------------------------------------------------------- + * * Load the basic configurations of extension and add extensions into menu. * Load here, because if not, some extensions not load well, I don't why. */ @@ -892,7 +986,7 @@ $config['logged'] = false; extensions_load_extensions($process_login); if ($process_login) { - // Call all extensions login function + // Call all extensions login function. extensions_call_login_function(); unset($_SESSION['new_update']); @@ -983,7 +1077,7 @@ if (get_parameter('login', 0) !== 0) { } } -// Header +// Header. if ($config['pure'] == 0) { echo '

'; - // main_pure + // Main pure. } echo '
'; @@ -1202,16 +1299,17 @@ require_once 'include/functions_clippy.php'; clippy_start($sec2); while (@ob_end_flush()) { - // Dump. + // Dumping... + continue; } db_print_database_debug(); echo ''; $run_time = format_numeric((microtime(true) - $config['start_time']), 3); -echo "\n\n"; +echo "\n\n"; -// Values from PHP to be recovered from JAVASCRIPT +// Values from PHP to be recovered from JAVASCRIPT. require 'include/php_to_js_values.php'; @@ -1219,12 +1317,13 @@ require 'include/php_to_js_values.php';