authorFelix Dörre <felix@dogcraft.de>2014-11-15 12:12:12 +0100
committerFelix Dörre <felix@dogcraft.de>2014-11-15 12:12:12 +0100
commit3e578bf67cf3ba551aecae52b2f95d910af336ec (patch)
tree04a7d453bba90ecc2ffcb6941796724378e6d5e6
parent6d0f414854b2c1aa1da9ec49889ac9bb3b69b966 (diff)
bug-1339: remove all traces of OTPbug-1339
-rw-r--r--includes/account.php10
-rw-r--r--pages/account/13.php12
-rw-r--r--www/index.php113
3 files changed, 1 insertions, 134 deletions
diff --git a/includes/account.php b/includes/account.php
index b1ab984..88026d6 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -1333,16 +1333,6 @@ function buildSubjectFromSession() {
mysql_query($query);
}
- //!!!Should be rewritten
- $_SESSION['_config']['user']['otphash'] = trim(stripslashes(strip_tags($_REQUEST['otphash'])));
- $_SESSION['_config']['user']['otppin'] = trim(stripslashes(strip_tags($_REQUEST['otppin'])));
- if($_SESSION['_config']['user']['otphash'] != "" && $_SESSION['_config']['user']['otppin'] != "")
- {
- $query = "update `users` set `otphash`='".mysql_real_escape_string($_SESSION['_config']['user']['otphash'])."',
- `otppin`='".mysql_real_escape_string($_SESSION['_config']['user']['otppin'])."' where `id`='".intval($_SESSION['profile']['id'])."'";
- mysql_query($query);
- }
-
$_SESSION['_config']['user']['set'] = 0;
$_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'"));
$_SESSION['profile']['loggedin'] = 1;
diff --git a/pages/account/13.php b/pages/account/13.php
index 080e277..ea28c0e 100644
--- a/pages/account/13.php
+++ b/pages/account/13.php
@@ -127,20 +127,10 @@
<td colspan="2" class="title"><a href="account.php?id=59&amp;oldid=13&amp;userid=<?=intval($_SESSION['profile']['id'])?>"><?=_('Show account history')?></a></td>
</tr>
<tr>
- <td colspan="2" class="title"><a href="account.php?id=13&amp;showdetails=<?=intval(!$showdetails)?>"><?=_("View secret question & answers and OTP phrases")?></a></td>
+ <td colspan="2" class="title"><a href="account.php?id=13&amp;showdetails=<?=intval(!$showdetails)?>"><?=_("View secret question & answers")?></a></td>
</tr>
<? if($showdetails){ ?>
<tr>
- <td class="DataTD"><?=_("OTP Hash")?><br>
- (<?=_("Not displayed")?>)</td>
- <td class="DataTD"><input type="text" name="otphash"></td>
- </tr>
- <tr>
- <td class="DataTD"><?=_("OTP PIN")?><br>
- (<?=_("Not displayed")?>)</td>
- <td class="DataTD"><input type="text" name="otppin"></td>
- </tr>
- <tr>
<td class="DataTD" colspan="2"><?=_("Lost Pass Phrase Questions")?></td>
</tr>
<tr>
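Review bot: The retitled link on the `+` line, `<?=_("View secret question & answers")?>`, emits a bare `&` into HTML text while the `href` on the same line already encodes its ampersands as `&amp;`; for consistent, valid markup the msgid should read `<?=_("View secret question &amp; answers")?>`. Changing the msgid also orphans the catalog entry for the old string, and the diffstat touches only the three PHP files, so the new label will presumably render untranslated until the .po files are regenerated. The enclosing `<? if($showdetails){ ?>` block continues past the end of the hunk.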
diff --git a/www/index.php b/www/index.php
index 40a8e86..5a744fc 100644
--- a/www/index.php
+++ b/www/index.php
@@ -177,73 +177,6 @@ require_once('../includes/lib/l10n.php');
exit;
}
- function getOTP64($otp)
- {
- $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
-
- for($i = 0; $i < 6; $i++)
- $val[$i] = hexdec(substr($otp, $i * 2, 2));
-
- $tmp1 = $val[0] >> 2;
- $OTP = $lookupChar[$tmp1 & 63];
- $tmp2 = $val[0] - ($tmp1 << 2);
- $tmp1 = $val[1] >> 4;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
- $tmp2 = $val[1] - ($tmp1 << 4);
- $tmp1 = $val[2] >> 6;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
- $tmp2 = $val[2] - ($tmp1 << 6);
- $OTP .= $lookupChar[$tmp2 & 63];
- $tmp1 = $val[3] >> 2;
- $OTP .= $lookupChar[$tmp1 & 63];
- $tmp2 = $val[3] - ($tmp1 << 2);
- $tmp1 = $val[4] >> 4;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
- $tmp2 = $val[4] - ($tmp1 << 4);
- $tmp1 = $val[5] >> 6;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
- $tmp2 = $val[5] - ($tmp1 << 6);
- $OTP .= $lookupChar[$tmp2 & 63];
-
- return $OTP;
- }
-
- function getOTP32($otp)
- {
- $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
-
- for($i = 0; $i < 7; $i++)
- $val[$i] = hexdec(substr($otp, $i * 2, 2));
-
- $tmp1 = $val[0] >> 3;
- $OTP = $lookupChar[$tmp1 & 31];
- $tmp2 = $val[0] - ($tmp1 << 3);
- $tmp1 = $val[1] >> 6;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
- $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
- $OTP .= $lookupChar[$tmp2 & 31];
- $tmp2 = $val[1] - (($val[1] >> 1) << 1);
- $tmp1 = $val[2] >> 4;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
- $tmp2 = $val[2] - ($tmp1 << 4);
- $tmp1 = $val[3] >> 7;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
- $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
- $OTP .= $lookupChar[$tmp2 & 31];
- $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
- $tmp1 = $val[4] >> 5;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
- $tmp2 = $val[4] - ($tmp1 << 5);
- $OTP .= $lookupChar[$tmp2 & 31];
- $tmp1 = $val[5] >> 3;
- $OTP .= $lookupChar[$tmp1 & 31];
- $tmp2 = $val[5] - ($tmp1 << 3);
- $tmp1 = $val[6] >> 6;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
-
- return $OTP;
- }
-
if($oldid == 4)
{
$oldid = 0;
@@ -256,52 +189,6 @@ require_once('../includes/lib/l10n.php');
$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
`password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
$res = mysql_query($query);
- if(mysql_num_rows($res) <= 0)
- {
- $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
- $otpres = mysql_query($otpquery);
- if(mysql_num_rows($otpres) > 0)
- {
- $otp = mysql_fetch_assoc($otpres);
- $otphash = $otp['otphash'];
- $otppin = $otp['otppin'];
- if(strlen($pword) == 6)
- {
- $matchperiod = 18;
- $time = round(gmdate("U") / 10);
- } else {
- $matchperiod = 3;
- $time = round(gmdate("U") / 60);
- }
-
- $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
- mysql_query($query);
-
- $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
- if(mysql_num_rows(mysql_query($query)) <= 0)
- {
- $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
- mysql_query($query);
- for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
- {
- if($otppin > 0)
- $tmpmd5 = md5("$i$otphash$otppin");
- else
- $tmpmd5 = md5("$i$otphash");
-
- if(strlen($pword) == 6)
- $md5 = substr(md5("$i$otphash"), 0, 6);
- else if(strlen($pword) == 8)
- $md5 = getOTP64(md5("$i$otphash"));
- else
- $md5 = getOTP32(md5("$i$otphash"));
-
- if($pword == $md5)
- $res = mysql_query($otpquery);
- }
- }
- }
- }
if(mysql_num_rows($res) > 0)
{
$_SESSION['profile'] = "";