4648a3c0a021e31bac351aff6a3024538d7fb4e7
[packages/w3pw.git] / authpassword.patch
1 --- ./main.php  2014-11-16 14:53:38.235094774 +0200
2 +++ ./main.php  2014-11-16 14:52:37.000000000 +0200
3 @@ -15,6 +15,20 @@
4  
5  <?php
6  
7 +function setup_session(&$cleartext_pw) {
8 +       $_SESSION['logged_in'] = 1;
9 +       $_SESSION['key'] = md5("%dJ9&".strtolower($cleartext_pw)."(/&k.=".strtoupper($cleartext_pw)."1x&%");
10 +       // delete cleartext pw in memory
11 +       $cleartext_pw = "";
12 +       unset($cleartext_pw);
13 +}
14 +
15 +// use master password if HTTP Basic Auth is set
16 +$authenticated = !empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW']);
17 +if ($authenticated && isset($master_password)) {
18 +       setup_session($master_password);
19 +}
20 +
21         // session active?
22         if (!isset($_SESSION['logged_in']))
23         {
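Review bot: The `$authenticated` test only checks that `PHP_AUTH_USER` and `PHP_AUTH_PW` are non-empty and never verifies them, so the master-password login is safe only if the web server itself enforces HTTP Basic Auth on this path. Depending on the SAPI, PHP can populate both variables from the request's `Authorization` header even when the server demands no login, and the session would then receive the `$_SESSION['key']` derived from `$master_password`. I would gate on the value the server sets after it has authenticated the request, e.g. `$authenticated = !empty($_SERVER['REMOTE_USER']);` (confirm it is populated under the deployed SAPI), and document the server-side requirement next to it. The `if (!isset($_SESSION['logged_in']))` block that follows continues outside the hunk.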
24 @@ -38,8 +52,9 @@
25                                 if ($crypt_pw == $db_pw)
26                                 {
27                                         // password match - proceed
28 -                                       $_SESSION['logged_in'] = 1;
29 -                                       $_SESSION['key'] = md5("%dJ9&".strtolower($cleartext_pw)."(/&k.=".strtoupper($cleartext_pw)."1x&%");
30 +
31 +                                       setup_session($cleartext_pw);
32 +
33                                         // delete cleartext pw in memory
34                                         unset($cleartext_pw);
35                                         $_SESSION['version']=$entries->version;
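Review bot: The credential check guarding the new `setup_session($cleartext_pw)` call is still the loose `$crypt_pw == $db_pw`; in PHP, `==` compares two numeric-looking strings as numbers, so two different digest strings can be treated as equal. Assuming both values are hash strings (their computation is outside the hunk), use `if (hash_equals($db_pw, $crypt_pw))` where the PHP version provides it, or at least `===`. The retained `unset($cleartext_pw);` and its comment are now redundant, since `setup_session()` already blanks the variable through its reference parameter. The enclosing login branch starts and ends outside the hunk.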
36 --- w3pw-1.40/include/config.php        2014-11-16 14:55:26.126783112 +0200
37 +++ w3pw-1.40/include/config.php        2014-11-16 14:40:39.000000000 +0200
38 @@ -22,6 +22,9 @@
39  // generated when adding a new entry
40  $random_pw_length = 12;
41  
42 +// master password -- used when $_SERVER PHP_AUTH_USER and PHP_AUTH_PW are set
43 +#$master_password = "secret";
44 +
45  // don't report Database-Errors on Frontend
46  //error_reporting(E_ERROR);
47  ?>
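Review bot: The comment on `$master_password` does not say what enabling the option costs: the password from which `$_SESSION['key']` is derived is then kept in cleartext in `include/config.php`, and main.php treats any request with `PHP_AUTH_USER`/`PHP_AUTH_PW` set as authenticated. I would extend it, for example `// master password -- stored in cleartext; enable only if the web server enforces HTTP Basic Auth for this application and this file is readable by the web server user only`. The sample value `"secret"` should also be marked as a placeholder that must be changed before the line is uncommented.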
48 --- w3pw-1.40/index.php 2014-11-17 20:42:31.565202759 +0200
49 +++ w3pw-1.40/index.php 2014-11-17 20:45:06.000000000 +0200
50 @@ -1,4 +1,10 @@
51 -<html>
52 +<?php
53 +session_start();
54 +if (!empty($_SESSION['logged_in'])) {
55 +       header("Location: main.php");
56 +       exit;
57 +}
58 +?><html>
59  <head>
60  <title>w3pw Login</title>
61  <?php 