forked from Wavyzz/dolibarr
529 lines
17 KiB
PHP
529 lines
17 KiB
PHP
<?php
|
|
/* Copyright (C) 2008-2011 Laurent Destailleur <eldy@users.sourceforge.net>
|
|
* Copyright (C) 2008-2017 Regis Houssin <regis.houssin@inodbox.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
* or see http://www.gnu.org/
|
|
*/
|
|
|
|
/**
|
|
* \file htdocs/core/lib/security2.lib.php
|
|
* \ingroup core
|
|
* \brief Set of function used for dolibarr security (not common functions).
|
|
* Warning, this file must not depends on other library files, except function.lib.php
|
|
* because it is used at low code level.
|
|
*/
|
|
|
|
|
|
/**
|
|
* Return user/group account of web server
|
|
*
|
|
* @param string $mode 'user' or 'group'
|
|
* @return string Return user or group of web server
|
|
*/
|
|
function dol_getwebuser($mode)
|
|
{
|
|
$t='?';
|
|
if ($mode=='user') $t=getenv('APACHE_RUN_USER'); // $_ENV['APACHE_RUN_USER'] is empty
|
|
if ($mode=='group') $t=getenv('APACHE_RUN_GROUP');
|
|
return $t;
|
|
}
|
|
|
|
/**
|
|
* Return a login if login/pass was successfull
|
|
*
|
|
* @param string $usertotest Login value to test
|
|
* @param string $passwordtotest Password value to test
|
|
* @param string $entitytotest Instance of data we must check
|
|
* @param array $authmode Array list of selected authentication mode array('http', 'dolibarr', 'xxx'...)
|
|
* @return string Login or ''
|
|
*/
|
|
function checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $authmode)
|
|
{
|
|
global $conf,$langs;
|
|
//global $dolauthmode; // To return authentication finally used
|
|
|
|
// Check parameters
|
|
if ($entitytotest == '') $entitytotest=1;
|
|
|
|
dol_syslog("checkLoginPassEntity usertotest=".$usertotest." entitytotest=".$entitytotest." authmode=".join(',', $authmode));
|
|
$login = '';
|
|
|
|
// Validation of login/pass/entity with standard modules
|
|
if (empty($login))
|
|
{
|
|
$test=true;
|
|
foreach($authmode as $mode)
|
|
{
|
|
if ($test && $mode && ! $login)
|
|
{
|
|
// Validation of login/pass/entity for mode $mode
|
|
$mode=trim($mode);
|
|
$authfile='functions_'.$mode.'.php';
|
|
$fullauthfile='';
|
|
|
|
$dirlogin=array_merge(array("/core/login"), (array) $conf->modules_parts['login']);
|
|
foreach($dirlogin as $reldir)
|
|
{
|
|
$dir=dol_buildpath($reldir, 0);
|
|
$newdir=dol_osencode($dir);
|
|
|
|
// Check if file found (do not use dol_is_file to avoid loading files.lib.php)
|
|
$tmpnewauthfile = $newdir.(preg_match('/\/$/', $newdir)?'':'/').$authfile;
|
|
if (is_file($tmpnewauthfile)) $fullauthfile=$tmpnewauthfile;
|
|
}
|
|
|
|
$result=false;
|
|
if ($fullauthfile) $result=include_once $fullauthfile;
|
|
if ($fullauthfile && $result)
|
|
{
|
|
// Call function to check user/password
|
|
$function='check_user_password_'.$mode;
|
|
$login=call_user_func($function, $usertotest, $passwordtotest, $entitytotest);
|
|
if ($login) // Login is successfull
|
|
{
|
|
$test=false; // To stop once at first login success
|
|
$conf->authmode=$mode; // This properties is defined only when logged to say what mode was successfully used
|
|
$dol_tz=GETPOST('tz');
|
|
$dol_dst=GETPOST('dst');
|
|
$dol_screenwidth=GETPOST('screenwidth');
|
|
$dol_screenheight=GETPOST('screenheight');
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dol_syslog("Authentification ko - failed to load file '".$authfile."'", LOG_ERR);
|
|
sleep(1);
|
|
// Load translation files required by the page
|
|
$langs->loadLangs(array('other', 'main', 'errors'));
|
|
|
|
$_SESSION["dol_loginmesg"]=$langs->trans("ErrorFailedToLoadLoginFileForMode", $mode);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return $login;
|
|
}
|
|
|
|
|
|
if (! function_exists('dol_loginfunction'))
|
|
{
|
|
/**
|
|
* Show Dolibarr default login page.
|
|
* Part of this code is also duplicated into main.inc.php::top_htmlhead
|
|
*
|
|
* @param Translate $langs Lang object (must be initialized by a new).
|
|
* @param Conf $conf Conf object
|
|
* @param Societe $mysoc Company object
|
|
* @return void
|
|
*/
|
|
function dol_loginfunction($langs, $conf, $mysoc)
|
|
{
|
|
global $dolibarr_main_demo,$db;
|
|
global $smartphone,$hookmanager;
|
|
|
|
$langs->loadLangs(array("main","other","help","admin"));
|
|
|
|
// Instantiate hooks of thirdparty module only if not already define
|
|
$hookmanager->initHooks(array('mainloginpage'));
|
|
|
|
$main_authentication=$conf->file->main_authentication;
|
|
|
|
$session_name=session_name(); // Get current session name
|
|
|
|
$dol_url_root = DOL_URL_ROOT;
|
|
|
|
// Title
|
|
$appli=constant('DOL_APPLICATION_TITLE');
|
|
$title=$appli.' '.constant('DOL_VERSION');
|
|
if (! empty($conf->global->MAIN_APPLICATION_TITLE)) $title=$conf->global->MAIN_APPLICATION_TITLE;
|
|
$titletruedolibarrversion=constant('DOL_VERSION'); // $title used by login template after the @ to inform of true Dolibarr version
|
|
|
|
// Note: $conf->css looks like '/theme/eldy/style.css.php'
|
|
/*
|
|
$conf->css = "/theme/".(GETPOST('theme','alpha')?GETPOST('theme','alpha'):$conf->theme)."/style.css.php";
|
|
$themepath=dol_buildpath($conf->css,1);
|
|
if (! empty($conf->modules_parts['theme'])) // Using this feature slow down application
|
|
{
|
|
foreach($conf->modules_parts['theme'] as $reldir)
|
|
{
|
|
if (file_exists(dol_buildpath($reldir.$conf->css, 0)))
|
|
{
|
|
$themepath=dol_buildpath($reldir.$conf->css, 1);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
$conf_css = $themepath."?lang=".$langs->defaultlang;
|
|
*/
|
|
|
|
// Select templates dir
|
|
if (! empty($conf->modules_parts['tpl'])) // Using this feature slow down application
|
|
{
|
|
$dirtpls=array_merge($conf->modules_parts['tpl'], array('/core/tpl/'));
|
|
foreach($dirtpls as $reldir)
|
|
{
|
|
$tmp=dol_buildpath($reldir.'login.tpl.php');
|
|
if (file_exists($tmp)) { $template_dir=preg_replace('/login\.tpl\.php$/', '', $tmp); break; }
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$template_dir = DOL_DOCUMENT_ROOT."/core/tpl/";
|
|
}
|
|
|
|
// Set cookie for timeout management
|
|
$prefix=dol_getprefix('');
|
|
$sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
|
|
if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", null, false, true);
|
|
|
|
if (GETPOST('urlfrom', 'alpha')) $_SESSION["urlfrom"]=GETPOST('urlfrom', 'alpha');
|
|
else unset($_SESSION["urlfrom"]);
|
|
|
|
if (! GETPOST("username", 'alpha')) $focus_element='username';
|
|
else $focus_element='password';
|
|
|
|
$demologin='';
|
|
$demopassword='';
|
|
if (! empty($dolibarr_main_demo))
|
|
{
|
|
$tab=explode(',', $dolibarr_main_demo);
|
|
$demologin=$tab[0];
|
|
$demopassword=$tab[1];
|
|
}
|
|
|
|
// Execute hook getLoginPageOptions (for table)
|
|
$parameters=array('entity' => GETPOST('entity', 'int'));
|
|
$reshook = $hookmanager->executeHooks('getLoginPageOptions', $parameters); // Note that $action and $object may have been modified by some hooks.
|
|
if (is_array($hookmanager->resArray) && ! empty($hookmanager->resArray)) {
|
|
$morelogincontent = $hookmanager->resArray; // (deprecated) For compatibility
|
|
} else {
|
|
$morelogincontent = $hookmanager->resPrint;
|
|
}
|
|
|
|
// Execute hook getLoginPageExtraOptions (eg for js)
|
|
$parameters=array('entity' => GETPOST('entity', 'int'));
|
|
$reshook = $hookmanager->executeHooks('getLoginPageExtraOptions', $parameters); // Note that $action and $object may have been modified by some hooks.
|
|
$moreloginextracontent = $hookmanager->resPrint;
|
|
|
|
// Login
|
|
$login = (! empty($hookmanager->resArray['username']) ? $hookmanager->resArray['username'] : (GETPOST("username", "alpha") ? GETPOST("username", "alpha") : $demologin));
|
|
$password = $demopassword;
|
|
|
|
// Show logo (search in order: small company logo, large company logo, theme logo, common logo)
|
|
$width=0;
|
|
$urllogo=DOL_URL_ROOT.'/theme/login_logo.png';
|
|
|
|
if (! empty($mysoc->logo_small) && is_readable($conf->mycompany->dir_output.'/logos/thumbs/'.$mysoc->logo_small))
|
|
{
|
|
$urllogo=DOL_URL_ROOT.'/viewimage.php?cache=1&modulepart=mycompany&file='.urlencode('logos/thumbs/'.$mysoc->logo_small);
|
|
}
|
|
elseif (! empty($mysoc->logo) && is_readable($conf->mycompany->dir_output.'/logos/'.$mysoc->logo))
|
|
{
|
|
$urllogo=DOL_URL_ROOT.'/viewimage.php?cache=1&modulepart=mycompany&file='.urlencode('logos/'.$mysoc->logo);
|
|
$width=128;
|
|
}
|
|
elseif (is_readable(DOL_DOCUMENT_ROOT.'/theme/'.$conf->theme.'/img/dolibarr_logo.png'))
|
|
{
|
|
$urllogo=DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/dolibarr_logo.png';
|
|
}
|
|
elseif (is_readable(DOL_DOCUMENT_ROOT.'/theme/dolibarr_logo.png'))
|
|
{
|
|
$urllogo=DOL_URL_ROOT.'/theme/dolibarr_logo.png';
|
|
}
|
|
|
|
// Security graphical code
|
|
$captcha=0;
|
|
$captcha_refresh='';
|
|
if (function_exists("imagecreatefrompng") && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
|
|
{
|
|
$captcha=1;
|
|
$captcha_refresh=img_picto($langs->trans("Refresh"), 'refresh', 'id="captcha_refresh_img"');
|
|
}
|
|
|
|
// Extra link
|
|
$forgetpasslink=0;
|
|
$helpcenterlink=0;
|
|
if (empty($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK) || empty($conf->global->MAIN_HELPCENTER_DISABLELINK))
|
|
{
|
|
if (empty($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK))
|
|
{
|
|
$forgetpasslink=1;
|
|
}
|
|
|
|
if (empty($conf->global->MAIN_HELPCENTER_DISABLELINK))
|
|
{
|
|
$helpcenterlink=1;
|
|
}
|
|
}
|
|
|
|
// Home message
|
|
$main_home='';
|
|
if (! empty($conf->global->MAIN_HOME))
|
|
{
|
|
$substitutionarray=getCommonSubstitutionArray($langs);
|
|
complete_substitutions_array($substitutionarray, $langs);
|
|
$texttoshow = make_substitutions($conf->global->MAIN_HOME, $substitutionarray, $langs);
|
|
|
|
$main_home=dol_htmlcleanlastbr($texttoshow);
|
|
}
|
|
|
|
// Google AD
|
|
$main_google_ad_client = ((! empty($conf->global->MAIN_GOOGLE_AD_CLIENT) && ! empty($conf->global->MAIN_GOOGLE_AD_SLOT))?1:0);
|
|
|
|
// Set jquery theme
|
|
$dol_loginmesg = (! empty($_SESSION["dol_loginmesg"])?$_SESSION["dol_loginmesg"]:'');
|
|
$favicon=dol_buildpath('/theme/'.$conf->theme.'/img/favicon.ico', 1);
|
|
if (! empty($conf->global->MAIN_FAVICON_URL)) $favicon=$conf->global->MAIN_FAVICON_URL;
|
|
$jquerytheme = 'base';
|
|
if (! empty($conf->global->MAIN_USE_JQUERY_THEME)) $jquerytheme = $conf->global->MAIN_USE_JQUERY_THEME;
|
|
|
|
// Set dol_hide_topmenu, dol_hide_leftmenu, dol_optimize_smallscreen, dol_no_mouse_hover
|
|
$dol_hide_topmenu=GETPOST('dol_hide_topmenu', 'int');
|
|
$dol_hide_leftmenu=GETPOST('dol_hide_leftmenu', 'int');
|
|
$dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen', 'int');
|
|
$dol_no_mouse_hover=GETPOST('dol_no_mouse_hover', 'int');
|
|
$dol_use_jmobile=GETPOST('dol_use_jmobile', 'int');
|
|
|
|
// Include login page template
|
|
include $template_dir.'login.tpl.php';
|
|
|
|
|
|
$_SESSION["dol_loginmesg"] = '';
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Fonction pour initialiser un salt pour la fonction crypt.
|
|
*
|
|
* @param int $type 2=>renvoi un salt pour cryptage DES
|
|
* 12=>renvoi un salt pour cryptage MD5
|
|
* non defini=>renvoi un salt pour cryptage par defaut
|
|
* @return string Salt string
|
|
*/
|
|
function makesalt($type = CRYPT_SALT_LENGTH)
|
|
{
|
|
dol_syslog("makesalt type=".$type);
|
|
switch($type)
|
|
{
|
|
case 12: // 8 + 4
|
|
$saltlen=8; $saltprefix='$1$'; $saltsuffix='$'; break;
|
|
case 8: // 8 (Pour compatibilite, ne devrait pas etre utilise)
|
|
$saltlen=8; $saltprefix='$1$'; $saltsuffix='$'; break;
|
|
case 2: // 2
|
|
default: // by default, fall back on Standard DES (should work everywhere)
|
|
$saltlen=2; $saltprefix=''; $saltsuffix=''; break;
|
|
}
|
|
$salt='';
|
|
while(dol_strlen($salt) < $saltlen) $salt.=chr(mt_rand(64, 126));
|
|
|
|
$result=$saltprefix.$salt.$saltsuffix;
|
|
dol_syslog("makesalt return=".$result);
|
|
return $result;
|
|
}
|
|
|
|
/**
|
|
* Encode or decode database password in config file
|
|
*
|
|
* @param int $level Encode level: 0 no encoding, 1 encoding
|
|
* @return int <0 if KO, >0 if OK
|
|
*/
|
|
function encodedecode_dbpassconf($level = 0)
|
|
{
|
|
dol_syslog("encodedecode_dbpassconf level=".$level, LOG_DEBUG);
|
|
$config = '';
|
|
$passwd='';
|
|
$passwd_crypted='';
|
|
|
|
if ($fp = fopen(DOL_DOCUMENT_ROOT.'/conf/conf.php', 'r'))
|
|
{
|
|
while(!feof($fp))
|
|
{
|
|
$buffer = fgets($fp, 4096);
|
|
|
|
$lineofpass=0;
|
|
|
|
if (preg_match('/^[^#]*dolibarr_main_db_encrypted_pass[\s]*=[\s]*(.*)/i', $buffer, $reg)) // Old way to save crypted value
|
|
{
|
|
$val = trim($reg[1]); // This also remove CR/LF
|
|
$val=preg_replace('/^["\']/', '', $val);
|
|
$val=preg_replace('/["\'][\s;]*$/', '', $val);
|
|
if (! empty($val))
|
|
{
|
|
$passwd_crypted = $val;
|
|
$val = dol_decode($val);
|
|
$passwd = $val;
|
|
$lineofpass=1;
|
|
}
|
|
}
|
|
elseif (preg_match('/^[^#]*dolibarr_main_db_pass[\s]*=[\s]*(.*)/i', $buffer, $reg))
|
|
{
|
|
$val = trim($reg[1]); // This also remove CR/LF
|
|
$val=preg_replace('/^["\']/', '', $val);
|
|
$val=preg_replace('/["\'][\s;]*$/', '', $val);
|
|
if (preg_match('/crypted:/i', $buffer))
|
|
{
|
|
$val = preg_replace('/crypted:/i', '', $val);
|
|
$passwd_crypted = $val;
|
|
$val = dol_decode($val);
|
|
$passwd = $val;
|
|
}
|
|
else
|
|
{
|
|
$passwd = $val;
|
|
$val = dol_encode($val);
|
|
$passwd_crypted = $val;
|
|
}
|
|
$lineofpass=1;
|
|
}
|
|
|
|
// Output line
|
|
if ($lineofpass)
|
|
{
|
|
// Add value at end of file
|
|
if ($level == 0)
|
|
{
|
|
$config .= '$dolibarr_main_db_pass=\''.$passwd.'\';'."\n";
|
|
}
|
|
if ($level == 1)
|
|
{
|
|
$config .= '$dolibarr_main_db_pass=\'crypted:'.$passwd_crypted.'\';'."\n";
|
|
}
|
|
|
|
//print 'passwd = '.$passwd.' - passwd_crypted = '.$passwd_crypted;
|
|
//exit;
|
|
}
|
|
else
|
|
{
|
|
$config .= $buffer;
|
|
}
|
|
}
|
|
fclose($fp);
|
|
|
|
// Write new conf file
|
|
$file=DOL_DOCUMENT_ROOT.'/conf/conf.php';
|
|
if ($fp = @fopen($file, 'w'))
|
|
{
|
|
fputs($fp, $config);
|
|
fflush($fp);
|
|
fclose($fp);
|
|
clearstatcache();
|
|
|
|
// It's config file, so we set read permission for creator only.
|
|
// Should set permission to web user and groups for users used by batch
|
|
//@chmod($file, octdec('0600'));
|
|
|
|
return 1;
|
|
}
|
|
else
|
|
{
|
|
dol_syslog("encodedecode_dbpassconf Failed to open conf.php file for writing", LOG_WARNING);
|
|
return -1;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dol_syslog("encodedecode_dbpassconf Failed to read conf.php", LOG_ERR);
|
|
return -2;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Return a generated password using default module
|
|
*
|
|
* @param boolean $generic true=Create generic password (32 chars/numbers), false=Use the configured password generation module
|
|
* @param array $replaceambiguouschars Discard ambigous characters. For example array('I').
|
|
* @return string New value for password
|
|
* @see dol_hash
|
|
*/
|
|
function getRandomPassword($generic = false, $replaceambiguouschars = null)
|
|
{
|
|
global $db,$conf,$langs,$user;
|
|
|
|
$generated_password='';
|
|
if ($generic)
|
|
{
|
|
$length = 32;
|
|
$lowercase = "qwertyuiopasdfghjklzxcvbnm";
|
|
$uppercase = "ASDFGHJKLZXCVBNMQWERTYUIOP";
|
|
$numbers = "1234567890";
|
|
$randomCode = "";
|
|
$nbofchar = round($length/3);
|
|
$nbofcharlast = ($length - 2*$nbofchar);
|
|
//var_dump($nbofchar.'-'.$nbofcharlast);
|
|
if (function_exists('random_int')) // Cryptographic random
|
|
{
|
|
$max = strlen($lowercase) - 1;
|
|
for ($x = 0; $x < $nbofchar; $x++) {
|
|
$randomCode .= $lowercase{random_int(0, $max)};
|
|
}
|
|
$max = strlen($uppercase) - 1;
|
|
for ($x = 0; $x < $nbofchar; $x++) {
|
|
$randomCode .= $uppercase{random_int(0, $max)};
|
|
}
|
|
$max = strlen($numbers) - 1;
|
|
for ($x = 0; $x < $nbofcharlast; $x++) {
|
|
$randomCode .= $numbers{random_int(0, $max)};
|
|
}
|
|
|
|
$generated_password=str_shuffle($randomCode);
|
|
}
|
|
else // Old platform, non cryptographic random
|
|
{
|
|
$max = strlen($lowercase) - 1;
|
|
for ($x = 0; $x < $nbofchar; $x++) {
|
|
$randomCode .= $lowercase{mt_rand(0, $max)};
|
|
}
|
|
$max = strlen($uppercase) - 1;
|
|
for ($x = 0; $x < $nbofchar; $x++) {
|
|
$randomCode .= $uppercase{mt_rand(0, $max)};
|
|
}
|
|
$max = strlen($numbers) - 1;
|
|
for ($x = 0; $x < $nbofcharlast; $x++) {
|
|
$randomCode .= $numbers{mt_rand(0, $max)};
|
|
}
|
|
|
|
$generated_password=str_shuffle($randomCode);
|
|
}
|
|
}
|
|
elseif (! empty($conf->global->USER_PASSWORD_GENERATED))
|
|
{
|
|
$nomclass="modGeneratePass".ucfirst($conf->global->USER_PASSWORD_GENERATED);
|
|
$nomfichier=$nomclass.".class.php";
|
|
//print DOL_DOCUMENT_ROOT."/core/modules/security/generate/".$nomclass;
|
|
require_once DOL_DOCUMENT_ROOT."/core/modules/security/generate/".$nomfichier;
|
|
$genhandler=new $nomclass($db, $conf, $langs, $user);
|
|
$generated_password=$genhandler->getNewGeneratedPassword();
|
|
unset($genhandler);
|
|
}
|
|
|
|
// Do we have to discard some alphabetic characters ?
|
|
if (is_array($replaceambiguouschars) && count($replaceambiguouschars) > 0)
|
|
{
|
|
$numbers = "ABCDEF";
|
|
$max = strlen($numbers) - 1;
|
|
if (function_exists('random_int')) // Cryptographic random
|
|
{
|
|
$generated_password=str_replace($replaceambiguouschars, $numbers{random_int(0, $max)}, $generated_password);
|
|
}
|
|
else
|
|
{
|
|
$generated_password=str_replace($replaceambiguouschars, $numbers{mt_rand(0, $max)}, $generated_password);
|
|
}
|
|
}
|
|
|
|
return $generated_password;
|
|
}
|