From dbb2ef00f36e2118802fbfce19107494e22c5ca3 Mon Sep 17 00:00:00 2001 From: Jean-Christian Denis Date: Fri, 30 Dec 2022 16:56:25 +0100 Subject: [PATCH] initial commit from httpPassword 0.5.10 --- CHANGELOG | 37 ++++ LICENSE | 339 ++++++++++++++++++++++++++++++++++++ _admin.php | 27 +++ _define.php | 21 +++ _install.php | 36 ++++ _public.php | 101 +++++++++++ icon.png | Bin 0 -> 703 bytes index.php | 475 +++++++++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 1036 insertions(+) create mode 100644 CHANGELOG create mode 100644 LICENSE create mode 100644 _admin.php create mode 100644 _define.php create mode 100644 _install.php create mode 100644 _public.php create mode 100644 icon.png create mode 100644 index.php diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 0000000..822c3d3 --- /dev/null +++ b/CHANGELOG @@ -0,0 +1,37 @@ +0.5.10 : + - fix typo + - fix for PHP 5.3 compliance + +0.5.9 : + - fix bug in history page (PHP errors when history was empty) + - add page "debug" in plugin page in order to get infos about hosting setup (when plugins fails to authenticate users) + +0.5 : + - deep rewrite : HTTP auth is not directly handled by apache anymore but by a dotclear behavior + - add support of multiblog installation (thanks to Stephanie "piloue" and Gabriel for being so patient and their helpfull tests) + - add support PHP running as CGI (tested with OVH hosting services) + - auto-detect crypt functions available and let user choose it + - HTTP auth is not required in order to access to blog admin + - plugin admin page with tabs + - plugin imported to dotclear lab + + Known issues : This plugin does not protect non-php files (images, css, js) + +0.4 : never released + - check filepermission when running + - add free.fr support + +0.3 : + - add last connection tracker + +0.2 : 2008-11-22 + - _install.php added + - password crypt function setting added + - password crypt function can be choose within trim, crypt, md5, sha1 + - remonte crypt function added as rcrypt rmd5 and rsha1 : crypt function + is called over http://frederic.ple.name/.... + This feature can ensure plugin running on php restricted environment + (ex: OVH.COM) + +0.1 : 2008-11-17 +INITIAL public release diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..d511905 --- /dev/null +++ b/LICENSE @@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/_admin.php b/_admin.php new file mode 100644 index 0000000..bc35b3a --- /dev/null +++ b/_admin.php @@ -0,0 +1,27 @@ +addItem('httpPassword', + 'plugin.php?p=httpPassword', + 'index.php?pf=httpPassword/icon.png', + preg_match('/plugin.php\?p=httpPassword(&.*)?$/', + $_SERVER['REQUEST_URI']), + $core->auth->check('usage,contentadmin',$core->blog->id) +); + +$core->auth->setPermissionType( + 'httpPassword', + 'Gestion de la protection du site httpPassword' +); +?> diff --git a/_define.php b/_define.php new file mode 100644 index 0000000..c792639 --- /dev/null +++ b/_define.php @@ -0,0 +1,21 @@ +registerModule( + /* Name */ "httpPassword", + /* Description*/ "Manage .htpasswd file to make the blog private", + /* Author */ "Frederic PLE ", + /* Version */ '0.5.10', + /* Permissions */ 'httpPassword' +); +?> diff --git a/_install.php b/_install.php new file mode 100644 index 0000000..eb506b8 --- /dev/null +++ b/_install.php @@ -0,0 +1,36 @@ +plugins->moduleInfo('httpPassword','version'); + +$i_version = $core->getVersion('httpPassword'); + +if (version_compare($i_version,$m_version,'>=')) { + return; +} + +# Création du setting (s'il existe, il ne sera pas écrasé) +$settings = new dcSettings($core,null); +$settings->setNamespace('httppassword'); +$mydomain = preg_replace('/^.*\.([^.]+[^.])$/','$1',gethostbyaddr($_SERVER['SERVER_ADDR'])); +$defaultcrypt = ''; + +$settings->put('httppassword_active',false,'boolean','Activer',false,false); +$settings->put('httppassword_crypt',$defaultcrypt,'string','Fonction de cryptage',false,false); +$settings->put('httppassword_message','Zone Privee','String','Message personnalisable dans le popup d\'authentification',false,false); +$settings->put('httppassword_trace',false,'boolean','Activation des traces (debug)',false,false); +$settings->put('httppassword_debugmode',false,'boolean','Activation du mode Debug',false,false); + +$core->setVersion('httpPassword',$m_version); +?> diff --git a/_public.php b/_public.php new file mode 100644 index 0000000..c17ea4f --- /dev/null +++ b/_public.php @@ -0,0 +1,101 @@ +blog->settings->httppassword_active) { + $core->addBehavior('publicPrepend',array('httpPassword','Check')); + //$core->addBehavior('publicPrepend',array('httpPassword','LastLogin')); +} + +class httpPassword { + + private static function __debuglog ($core,$trace) { + static $fic = false; + if (!$core->blog->settings->httppassword_trace) + return; + if ($fic === false) + $fic = fopen($core->blog->public_path . '/.htpasswd.trc.txt','a'); + if ($fic !== false) { + fprintf($fic,"%s - %s\n",date('Ymd-His'),$trace); + } + } + + private static function __debugmode ($core) { + $fic = fopen($core->blog->public_path . '/.debugmode','a'); + fprintf($fic,"\n%s\n%s\n", str_repeat('-', 30), date('Ymd-His')); + fprintf($fic,".... \$_SERVER =\n%s\n",var_export($_SERVER,true)); + fprintf($fic,".... \$_ENV =\n%s\n",var_export($_ENV,true)); + fprintf($fic,".... Apache headers =\n%s\n",var_export(apache_request_headers(),true)); + } + + private static function __HTTP401($core) { + httpPassword::__debuglog($core,__FUNCTION__); + header('HTTP/1.1 401 Unauthorized'); + header('WWW-Authenticate: Basic realm="'. utf8_decode(htmlspecialchars_decode($core->blog->settings->httppassword_message)) .'"'); + exit(0); + } + public static function Check($core) { + httpPassword::__debuglog($core,'ENV = ' . var_export($_ENV,true)); + if ($core->blog->settings->httppassword_debugmode) + httpPassword::__debugmode($core); + if (isset($_SERVER['PHP_AUTH_USER']) and isset($_SERVER['PHP_AUTH_PW'])) { + $PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER']; + $PHP_AUTH_PW = $_SERVER['PHP_AUTH_PW']; + httpPassword::__debuglog($core,__FUNCTION__ . ' user identication found in $_SERVER'); + } else if (isset($_ENV['REMOTE_USER'])) { + list($PHP_AUTH_PW,$PHP_AUTH_USER) = explode(' ',$_ENV['REMOTE_USER'],2); + list($PHP_AUTH_USER,$PHP_AUTH_PW) = explode(':',base64_decode($PHP_AUTH_USER)); + httpPassword::__debuglog($core,__FUNCTION__ . ' user identication found in $_ENV'); + } + if (!isset($PHP_AUTH_USER) or !isset($PHP_AUTH_PW) or $PHP_AUTH_USER === '') + httpPassword::__HTTP401($core); + + httpPassword::__debuglog($core,'Testing user: '.$PHP_AUTH_USER.' pass: '.$PHP_AUTH_PW); + + if (!is_file($core->blog->public_path . '/.htpasswd')) { + header('HTTP/1.0 500 Internal Server Error'); + echo "Le plugin httppassword présente une anomalie de configuration"; + exit(1); + } + + $htpasswd = file($core->blog->public_path . '/.htpasswd',FILE_IGNORE_NEW_LINES|FILE_SKIP_EMPTY_LINES); + $authenticated = false; + foreach($htpasswd as $ligne) { + list($cur_user,$cur_pass) = explode(':',trim($ligne),2); + httpPassword::__debuglog($core,'cur_user: '.$cur_user.' cur_pass: '.$cur_pass); + if ($cur_user == $PHP_AUTH_USER and crypt($PHP_AUTH_PW,$cur_pass) == $cur_pass) { + $authenticated = true; + httpPassword::__debuglog($core,' OK'); + } + if ($authenticated) break; + } + unset($htpasswd); + if (!$authenticated) httpPassword::__HTTP401($core); + else httpPassword::LastLogin($core,$PHP_AUTH_USER); + + return(true); + } + + public static function LastLogin($core,$user) { + $fic = $core->blog->public_path . '/.lastlogin'; + + $httpPasswordLastLogin = array(); + if (is_file($fic)) + $httpPasswordLastLogin = unserialize(file_get_contents($fic)); + + $httpPasswordLastLogin[$user] = date('Y-m-d H:i'); + + file_put_contents($fic,serialize($httpPasswordLastLogin)); + + return(true); + } +} +?> diff --git a/icon.png b/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..a707f690e4665092ef3ab8cdba8531f75e4f6334 GIT binary patch literal 703 zcmV;w0zmzVP)Px#24YJ`L;(K){{a7>y{D4^000SaNLh0L01FcU01FcV0GgZ_00007bV*G`2iOY{ z2qp+_+Ha=-00KWrL_t(I%Z-v>NRwd{#((cNKi9T&lA58L8dNGoR3JemMxa6wqM-!Q zjW>}L7-53Yonah(N->}zdnaU=wo zo%5;j{HHIT?6`pmAf$$Z05MmI5ZQSuip`8Af?RsZp|MwT?EPHx_4ps^7k#|6s!LR0NSxZ-c(VLjf5<42{=5)!amiCT&mGJ;#a~O6%yB1OGk3vC}MgMX% zHS+n)#Zrb?`)*oAVQ`^B)>L0I#Ek%OGSWFg`d<9DW7sm*Bi8hvBT`inYLp~%6r<4~ z{u=?nbbfpSvz;ufjx}}GiUNdVAgu&a>M$4#v26hWeEV@#YAaw?Agm$u6r}DW5YC~X zu+Zcg?3b-=ElS)QY%1m|F|sSUk(emMvREpT4-%4D1oquP3dy41&+yQ2Zc}6Pd|bd* zY3}M#nY4NWJ%e#;{gT7!%-9HT@F%3=_P8rblog->settings->httppassword_crypt) { + case "plaintext": + $saltlen = -1; + break; + case "crypt_std_des": + $saltlen = 2; + $salt = ""; + break; + case "crypt_ext_des": + $saltlen = 9; + $salt = ""; + break; + case "crypt_md5": + $saltlen = 12; + $salt = '$1$'; + break; + case "crypt_blowfish": + $saltlen = 16; + $salt = '$2$'; + break; + default: + return(false); + } + + if ($saltlen > 0) { + $salt .= substr( + sha1($core->getNonce() . date('U')), + 2, + $saltlen - strlen($salt) + ); + $secret = crypt($secret,$salt); + } + + return($secret); +} + +if (!defined('DC_CONTEXT_ADMIN')) { return; } + +$crypt_algo = array( + 'plaintext' => 'Aucun', +); +if (CRYPT_STD_DES == 1) + $crypt_algo['crypt_std_des'] = 'Crypt DES standard'; + +if (CRYPT_EXT_DES == 1) + $crypt_algo['crypt_ext_des'] = 'Crypt DES étendu'; + +if (CRYPT_MD5 == 1) + $crypt_algo['crypt_md5'] = 'Crypt MD5'; + +if (CRYPT_BLOWFISH == 1) + $crypt_algo['crypt_blowfish'] = 'Crypt Blowfish'; + +$htpasswdfile = $core->blog->public_path . '/.htpasswd' ; +$htp = file($htpasswdfile); +if (!is_array($htp)) $htp = array(); +sort($htp); + +$u = array(); +$v = array(); + +foreach($htp as $ligne) { + list($login, $pwd) = explode(':', $ligne, 2); + $u[trim($login)] = trim($pwd); +} +unset($ftp); + +$txt = !empty($_POST['txt']) ? $_POST['txt'] : null; +$action = !empty($_POST['httppasswordaction']) + ? $_POST['httppasswordaction'] + : null; + +$core->blog->settings->setNamespace('httppassword'); + +$debugmodefile = $core->blog->public_path . '/.debugmode'; + +switch($action) { + case "mod": + // traitement des donnees du formulaire + foreach(preg_split('/\n/m',$txt) as $ligne) + { + if (strpos($ligne, ':') === false) + $ligne = trim($ligne) . ':'; + list($login, $pwd) = explode(':', $ligne); + $v[trim($login)] = trim($pwd); + } + + // Rechercher les suppressions + foreach(array_keys($u) as $login) + { + if (!isset($v[$login])) + unset($u[$login]); + } + + // Rechercher les modifs + nouveaux + foreach(array_keys($v) as $login) + { + if ($v[$login] != "") { + $u[$login] = htpasswd_crypt( + $core, + $v[$login] + ); + if ($u[$login] === false) + unset($u[$login]); + } + } + + $txt = ""; + foreach(array_keys($u) as $login) + $txt .= $login.":".$u[$login]."\r\n"; + file_put_contents($htpasswdfile,$txt); + break; + + case "desactive": + case "active": + $active = !$core->blog->settings->httppassword_active; + $core->blog->settings->put( + 'httppassword_active', + $active, + 'boolean' + ); + $core->blog->settings->httppassword_active = $active; + break; + + case "cryptfunc": + $httppassword_crypt = trim($_POST['cryptage']); + if (in_array($httppassword_crypt,array_keys($crypt_algo))) { + $core->blog->settings->put( + 'httppassword_crypt', + $httppassword_crypt, + 'string' + ); + $core->blog->settings->httppassword_crypt = + $httppassword_crypt; + } + break; + + case "auth_message": + $message = htmlspecialchars($_POST['auth_message']); + $core->blog->settings->put( + 'httppassword_message', + $message, + 'string' + ); + $core->blog->settings->httppassword_message = $message; + break; + + case "debugmode": + if ($_POST['debugmode'] === "true") + $debugmode = true; + else { + $debugmode = false; + if (is_file($debugmodefile)) + unlink($debugmodefile); + } + $core->blog->settings->put( + 'httppassword_debugmode', + $debugmode, + 'boolean' + ); + $core->blog->settings->httppassword_debugmode = $debugmode; + break; +} + +$fic = $core->blog->public_path . '/.lastlogin'; +if (is_file($fic)) { + $httpPasswordLastLogin = unserialize(file_get_contents($fic)); + if ($httpPasswordLastLogin === false) $httpPasswordLastLogin = array(); +} else + $httpPasswordLastLogin = array(); + +$form_block=' style="display: none;"'; +if (strlen($core->blog->settings->httppassword_crypt) > 0) $form_block=""; +?> + + httpPassword + + + + + +

blog->name); ?> › httpPasswd

+ +
+ + +
+ > +

Activation du plugin

+ +

Pour utiliser cette extension, vous devez avoir les permissions +pour écrire dans les fichiers :

+
    +
    • +
    • +
+blog->settings->httppassword_active) { ?> +

Protection ACTIVÉE

+
+ Cliquer sur ce bouton pour désactiver la protection : + +formNonce() . + form::hidden(array('p'),'httpPassword') . + form::hidden(array('httppasswordaction'),'desactive'); +?> +
+ + + utilisateur valide !

+
+ Cliquer sur ce bouton pour activer la protection : + +formNonce(). + form::hidden(array('p'),'httpPassword'). + form::hidden(array('httppasswordaction'),'active'); +?> +
+ + + + +
+

Sécurité des mots de passe

+

Pour modifier la fonction de "cryptage".

+

Attention, le changement de + cryptage s'appliquera individuellement à la prochaine modification + de chacun des comptes (crétion ou changement de mot de passe)

+
+ $algo_libelle) { + echo 'blog->settings->httppassword_crypt == $algo_code) + echo 'checked '; + echo '/> ' . $algo_libelle . '
'; +} ?> +formNonce(). + form::hidden(array('p'),'httpPassword'). + form::hidden(array('httppasswordaction'),'cryptfunc'); +?> +
+
+ + > +

Message d'authentification

+
+

+
+ +formNonce(). + form::hidden(array('p'),'httpPassword'). + form::hidden(array('httppasswordaction'),'auth_message'); +?>

+
+ +		 + > +
+


+ +formNonce(). + form::hidden(array('p'),'httpPassword'). + form::hidden(array('httppasswordaction'),'mod'); +?>

+
+ +
+
+ +
+

Nous sommes le

+ +0) { + $i = 0; + $logins = array_keys($httpPasswordLastLogin); + sort($logins); + foreach($logins as $login) + echo '' . "\n"; +} +?> +
' . $login . '' . + $httpPasswordLastLogin[$login] . + '
+
+ +
+

Gestion des accès restreints

+

Ce plugin permet la gestion d'identifiants et de mots de + passe pour limiter les accès à votre blog aux + personnes que vous aurez choisies.

+

Le formulaire de droite présente la liste des + utilisateurs existants (sans leur mot de passe)

+

Ajout d'un utilisateur

+

Pour ajouter un utilisateur, ajouter une nouvelle ligne + de la forme :

+

login:motdepasse

+

Modifier un mot de passe

+

Pour modifier un mot de passe d'un utilisateur, ajouter + à la suite de son identifiant (sur la même ligne) + le texte suivant :

+

:motdepasse

+

Suppression d'un utilisateur

+

Pour supprimer un utilisateur, supprimer la ligne de + l'utilisateur.

+
+ +
+

Le plugin a été développé pour + fonctionner sur une installation "standard" de serveur Web + (PHP en module Apache).

+

Certains hébergeurs utilisent des installations de + PHP en mode CGI, parfois assez spécifiques et + sur lesquelles ce plugin ne fonctionnera pas

+

Le mode debug permet de collecter des informations + nécessaires au développeur pour adapter le plugin + à des contextes particuliers.

+

Quand l'activer

+
    +
  • Vous avez installé la dernière version du plugin + (voir sur http://lab.dotclear.org/plugin/httpPassword)
    • +
  • Vous avez activé le plugin
    • +
  • Vous avez créé un compte
    • +
  • Lorsque vous vous authentifiez sur le site, vous ne parvenez + pas à accéder à la partie publique avec le + compte que vous avez créé
    • +
+

MISE EN GARDE

+

le mode debug est + dangeureux. Il est imperatif de le desactiver juste apres + les tests.

+

Protocole à suivre

+

Le protocole est le suivant. Merci de le suivre pas à pas.

+
    +
  1. Creer un compte "debug" dont le mot de passe est "test"
    2. +
  2. Activer le plugin
    3. +
  3. Activer le mode debug
    4. +
  4. Faire un essai d'authentification
    5. +
  5. Revenir sur cette page et copier le texte de la section "Resultats" + dans un mail
    6. +
  6. Joindre a ce mail le fichier .debugmode que vous trouverez + dans le répertoire public du blog
    7. +
  7. Envoyer le mail à dotclear@frederic.ple.name
    8. +
  8. Desactiver le mode debug
    9. +
  9. Supprimer le de compte "debug"
    10. +
  10. Attendre patiemment la réponse du gentil + développeur
    11. +
+

Activer / Dédactiver le mode DEBUG

+
+

blog->settings->httppassword_debugmode === false) echo 'checked="checked" '; ?>/>Mode normal

+

blog->settings->httppassword_debugmode === true) echo 'checked="checked" '; ?>/>Mode Debug

+

+formNonce(). + form::hidden(array('p'),'httpPassword'). + form::hidden(array('httppasswordaction'),'debugmode'); +?>

+
+ +

Résultats

+
+\n"; +echo "URL: " . $core->blog->url . "
\n"; +echo "IP: " . $_SERVER['SERVER_ADDR'] . "
\n"; +echo "DocumentRoot: " . $_SERVER['DOCUMENT_ROOT'] . "
\n"; +echo "DC2 version: " . $core->getVersion('core') . "
\n"; +echo "DC2 path: " ."-" . "
\n"; +echo "Plugins path: " . realpath(dirname(__FILE__) . '/..') . "
\n"; +echo "Public path: " . $core->blog->public_path . "
\n"; +echo "* INFOS HTTPPASSWD *
\n"; +echo "Version: " . $core->getVersion('httpPassword') . "
\n"; +//echo ".... \$_SERVER ....
" . str_replace("\n","
\n",var_export($_SERVER,true)) . "
\n"; +//echo ".... \$_ENV ....
" . str_replace("\n","
\n",var_export($_ENV,true)) . "
\n"; +//echo ".... HTTP Apache HEADERS ....
" . str_replace("\n","
\n",var_export(apache_request_headers(),true)) . "
\n"; +//echo str_replace("\n","
\n",htmlentities(file_get_contents($debugmodefile))); +?> +
+ +
+ +
+

Plugin

+ + +

Développeur

+
    +
  • Frédéric PLÉ <dotclear@frederic.ple.name>
    • +
+

Remerciements

+
    +
  • Aux développeurs de Dotclear pour la grande qualité du code
    • +
  • A Tomtom33, Moe, et les autres qui m'ont aidé sur le +forum
    • +
  • A Pep de Dotaddict
    • +
  • Stephanie "piloue" pour ses tests, ses suggestions et sa patience
    • +
  • Gabriel Recope pour ses tests et reports de bugs.
    • +
+ +
Plugin réalisé v.getVersion('httpPassword'); ?> par Frédéric PLÉ + <dotclear@frederic.ple.name>
+
+ + +