valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

authentication: make logins case-insensitive (force lowercase)

This commit is contained in:
Andrew Dolgov 2021-02-11 09:57:57 +03:00
parent e7e73193fe
commit 7af8744c85
8 changed files with 24 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
classes/api.php
View File

@ -59,7 +59,7 @@ class API extends Handler {
if (SINGLE_USER_MODE) $login = "admin"; if (SINGLE_USER_MODE) $login = "admin";
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?"); $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?)");
$sth->execute([$login]); $sth->execute([$login]);
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {

4
classes/auth/base.php
View File

@ -27,7 +27,7 @@ abstract class Auth_Base extends Plugin implements IAuthModule {
$sth = $this->pdo->prepare("INSERT INTO ttrss_users $sth = $this->pdo->prepare("INSERT INTO ttrss_users
(login,access_level,last_login,created,pwd_hash,salt) (login,access_level,last_login,created,pwd_hash,salt)
VALUES (?, 0, null, NOW(), ?,?)"); VALUES (LOWER(?), 0, null, NOW(), ?,?)");
$sth->execute([$login, $pwd_hash, $salt]); $sth->execute([$login, $pwd_hash, $salt]);
return $this->find_user_by_login($login); return $this->find_user_by_login($login);
@ -42,7 +42,7 @@ abstract class Auth_Base extends Plugin implements IAuthModule {
function find_user_by_login($login) { function find_user_by_login($login) {
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
login = ?"); LOWER(login) = LOWER(?)");
$sth->execute([$login]); $sth->execute([$login]);
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {

10
classes/handler/public.php
View File

@ -248,7 +248,7 @@ class Handler_Public extends Handler {
$login = clean($_REQUEST["login"]); $login = clean($_REQUEST["login"]);
$fresh = clean($_REQUEST["fresh"]) == "1"; $fresh = clean($_REQUEST["fresh"]) == "1";
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?"); $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?)");
$sth->execute([$login]); $sth->execute([$login]);
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {
@ -272,7 +272,7 @@ class Handler_Public extends Handler {
if ($login) { if ($login) {
$sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users $sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users
WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title"); WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND LOWER(login) = LOWER(?) ORDER BY title");
$sth->execute([$login]); $sth->execute([$login]);
$rv = [ [ "value" => 0, "label" => __("Default profile") ] ]; $rv = [ [ "value" => 0, "label" => __("Default profile") ] ];
@ -941,7 +941,7 @@ class Handler_Public extends Handler {
if ($login) { if ($login) {
$sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users $sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users
WHERE login = ?"); WHERE LOWER(login) = LOWER(?)");
$sth->execute([$login]); $sth->execute([$login]);
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {
@ -1026,7 +1026,7 @@ class Handler_Public extends Handler {
$_SESSION["pwdreset:testvalue2"] = rand(1, 1000); $_SESSION["pwdreset:testvalue2"] = rand(1, 1000);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users $sth = $this->pdo->prepare("SELECT id FROM ttrss_users
WHERE login = ? AND email = ?"); WHERE LOWER(login) = LOWER(?) AND email = ?");
$sth->execute([$login, $email]); $sth->execute([$login, $email]);
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {
@ -1066,7 +1066,7 @@ class Handler_Public extends Handler {
$sth = $this->pdo->prepare("UPDATE ttrss_users $sth = $this->pdo->prepare("UPDATE ttrss_users
SET resetpass_token = ? SET resetpass_token = ?
WHERE login = ? AND email = ?"); WHERE LOWER(login) = LOWER(?) AND email = ?");
$sth->execute([$resetpass_token_full, $login, $email]); $sth->execute([$resetpass_token_full, $login, $email]);

8
classes/pref/users.php
View File

@ -206,7 +206,7 @@ class Pref_Users extends Handler_Protected {
$pass_query_part = ""; $pass_query_part = "";
} }
$sth = $this->pdo->prepare("UPDATE ttrss_users SET $pass_query_part login = ?, $sth = $this->pdo->prepare("UPDATE ttrss_users SET $pass_query_part login = LOWER(?),
access_level = ?, email = ?, otp_enabled = false WHERE id = ?"); access_level = ?, email = ?, otp_enabled = false WHERE id = ?");
$sth->execute([$login, $access_level, $email, $uid]); $sth->execute([$login, $access_level, $email, $uid]);
@ -238,18 +238,18 @@ class Pref_Users extends Handler_Protected {
if (!$login) return; // no blank usernames if (!$login) return; // no blank usernames
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
login = ?"); LOWER(login) = LOWER(?)");
$sth->execute([$login]); $sth->execute([$login]);
if (!$sth->fetch()) { if (!$sth->fetch()) {
$sth = $this->pdo->prepare("INSERT INTO ttrss_users $sth = $this->pdo->prepare("INSERT INTO ttrss_users
(login,pwd_hash,access_level,last_login,created, salt) (login,pwd_hash,access_level,last_login,created, salt)
VALUES (?, ?, 0, null, NOW(), ?)"); VALUES (LOWER(?), ?, 0, null, NOW(), ?)");
$sth->execute([$login, $pwd_hash, $salt]); $sth->execute([$login, $pwd_hash, $salt]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
login = ? AND pwd_hash = ?"); LOWER(login) = LOWER(?) AND pwd_hash = ?");
$sth->execute([$login, $pwd_hash]); $sth->execute([$login, $pwd_hash]);
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {

16
plugins/auth_internal/init.php
View File

@ -26,7 +26,7 @@ class Auth_Internal extends Auth_Base {
if (get_schema_version() > 96) { if (get_schema_version() > 96) {
$sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE $sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE
login = ?"); LOWER(login) = LOWER(?)");
$sth->execute([$login]); $sth->execute([$login]);
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {
@ -104,7 +104,7 @@ class Auth_Internal extends Auth_Base {
if (get_schema_version() > 87) { if (get_schema_version() > 87) {
$sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?"); $sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE LOWER(login) = LOWER(?)");
$sth->execute([$login]); $sth->execute([$login]);
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {
@ -113,7 +113,7 @@ class Auth_Internal extends Auth_Base {
if ($salt == "") { if ($salt == "") {
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
login = ? AND (pwd_hash = ? OR pwd_hash = ?)"); LOWER(login) = LOWER(?) AND (pwd_hash = ? OR pwd_hash = ?)");
$sth->execute([$login, $pwd_hash1, $pwd_hash2]); $sth->execute([$login, $pwd_hash1, $pwd_hash2]);
@ -128,7 +128,7 @@ class Auth_Internal extends Auth_Base {
$pwd_hash = encrypt_password($password, $salt, true); $pwd_hash = encrypt_password($password, $salt, true);
$sth = $this->pdo->prepare("UPDATE ttrss_users SET $sth = $this->pdo->prepare("UPDATE ttrss_users SET
pwd_hash = ?, salt = ? WHERE login = ?"); pwd_hash = ?, salt = ? WHERE LOWER(login) = LOWER(?)");
$sth->execute([$pwd_hash, $salt, $login]); $sth->execute([$pwd_hash, $salt, $login]);
@ -143,7 +143,7 @@ class Auth_Internal extends Auth_Base {
$sth = $this->pdo->prepare("SELECT id $sth = $this->pdo->prepare("SELECT id
FROM ttrss_users WHERE FROM ttrss_users WHERE
login = ? AND pwd_hash = ?"); LOWER(login) = LOWER(?) AND pwd_hash = ?");
$sth->execute([$login, $pwd_hash]); $sth->execute([$login, $pwd_hash]);
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {
@ -154,7 +154,7 @@ class Auth_Internal extends Auth_Base {
} else { } else {
$sth = $this->pdo->prepare("SELECT id $sth = $this->pdo->prepare("SELECT id
FROM ttrss_users WHERE FROM ttrss_users WHERE
login = ? AND (pwd_hash = ? OR pwd_hash = ?)"); LOWER(login) = LOWER(?) AND (pwd_hash = ? OR pwd_hash = ?)");
$sth->execute([$login, $pwd_hash1, $pwd_hash2]); $sth->execute([$login, $pwd_hash1, $pwd_hash2]);
@ -165,7 +165,7 @@ class Auth_Internal extends Auth_Base {
} else { } else {
$sth = $this->pdo->prepare("SELECT id $sth = $this->pdo->prepare("SELECT id
FROM ttrss_users WHERE FROM ttrss_users WHERE
login = ? AND (pwd_hash = ? OR pwd_hash = ?)"); LOWER(login) = LOWER(?) AND (pwd_hash = ? OR pwd_hash = ?)");
$sth->execute([$login, $pwd_hash1, $pwd_hash2]); $sth->execute([$login, $pwd_hash1, $pwd_hash2]);
@ -266,7 +266,7 @@ class Auth_Internal extends Auth_Base {
private function check_app_password($login, $password, $service) { private function check_app_password($login, $password, $service) {
$sth = $this->pdo->prepare("SELECT p.id, p.pwd_hash, u.id AS uid $sth = $this->pdo->prepare("SELECT p.id, p.pwd_hash, u.id AS uid
FROM ttrss_app_passwords p, ttrss_users u FROM ttrss_app_passwords p, ttrss_users u
WHERE p.owner_uid = u.id AND u.login = ? AND service = ?"); WHERE p.owner_uid = u.id AND LOWER(u.login) = LOWER(?) AND service = ?");
$sth->execute([$login, $service]); $sth->execute([$login, $service]);
while ($row = $sth->fetch()) { while ($row = $sth->fetch()) {

4
plugins/auth_remote/init.php
View File

@ -58,13 +58,13 @@ class Auth_Remote extends Auth_Base {
// LemonLDAP can send user informations via HTTP HEADER // LemonLDAP can send user informations via HTTP HEADER
if (defined('AUTH_AUTO_CREATE') && AUTH_AUTO_CREATE){ if (defined('AUTH_AUTO_CREATE') && AUTH_AUTO_CREATE){
// update user name // update user name
$fullname = $_SERVER['HTTP_USER_NAME'] ? $_SERVER['HTTP_USER_NAME'] : $_SERVER['AUTHENTICATE_CN']; $fullname = isset($_SERVER['HTTP_USER_NAME']) ? $_SERVER['HTTP_USER_NAME'] : ($_SERVER['AUTHENTICATE_CN'] ?? "");
if ($fullname){ if ($fullname){
$sth = $this->pdo->prepare("UPDATE ttrss_users SET full_name = ? WHERE id = ?"); $sth = $this->pdo->prepare("UPDATE ttrss_users SET full_name = ? WHERE id = ?");
$sth->execute([$fullname, $user_id]); $sth->execute([$fullname, $user_id]);
} }
// update user mail // update user mail
$email = $_SERVER['HTTP_USER_MAIL'] ? $_SERVER['HTTP_USER_MAIL'] : $_SERVER['AUTHENTICATE_MAIL']; $email = isset($_SERVER['HTTP_USER_MAIL']) ? $_SERVER['HTTP_USER_MAIL'] : ($_SERVER['AUTHENTICATE_MAIL'] ?? "");
if ($email){ if ($email){
$sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ? WHERE id = ?"); $sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ? WHERE id = ?");
$sth->execute([$email, $user_id]); $sth->execute([$email, $user_id]);

2
register.php
View File

@ -277,7 +277,7 @@
db_query( "INSERT INTO ttrss_users db_query( "INSERT INTO ttrss_users
(login,pwd_hash,access_level,last_login, email, created, salt) (login,pwd_hash,access_level,last_login, email, created, salt)
VALUES ('$login', '$pwd_hash', 0, null, '$email', NOW(), '$salt')"); VALUES (LOWER('$login'), '$pwd_hash', 0, null, '$email', NOW(), '$salt')");
$result = db_query( "SELECT id FROM ttrss_users WHERE $result = db_query( "SELECT id FROM ttrss_users WHERE
login = '$login' AND pwd_hash = '$pwd_hash'"); login = '$login' AND pwd_hash = '$pwd_hash'");

2
update.php
View File

@ -502,7 +502,7 @@
Debug::log("Exporting feeds of user $user to $filename as OPML..."); Debug::log("Exporting feeds of user $user to $filename as OPML...");
$sth = $pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?"); $sth = $pdo->prepare("SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?)");
$sth->execute([$user]); $sth->execute([$user]);
if ($res = $sth->fetch()) { if ($res = $sth->fetch()) {