From: x2000habouzit
Date: Sat, 30 Oct 2004 15:45:40 +0000 (+0000)
Subject: after all ... it's already in the cookie ... so why not in the session ?
X-Git-Tag: xorg/old~1131
X-Git-Url: http://git.polytechnique.org/?a=commitdiff_plain;h=151cf3dc4302300632c9fdf64f572e0613c6b21d;p=platal.git
after all ... it's already in the cookie ... so why not in the session ? Will have to think at a better security one day, since anybody can sniff the md5 of a password from the cookie.... not urgent since xml-rpc is only local ... but hey
---
diff --git a/htdocs/listes/admin.php b/htdocs/listes/admin.php
index 2bd6221..34ee884 100644
--- a/htdocs/listes/admin.php
+++ b/htdocs/listes/admin.php
@@ -18,7 +18,7 @@
  * Foundation, Inc., *
  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
  ***************************************************************************
-    $Id: admin.php,v 1.7 2004-10-24 13:49:02 x2000habouzit Exp $
+    $Id: admin.php,v 1.8 2004-10-30 15:45:40 x2000habouzit Exp $
  ***************************************************************************/
 if(empty($_REQUEST['liste'])) header('Location: index.php');
@@ -28,13 +28,9 @@ require("auto.prepend.inc.php");
 new_skinned_page('listes/admin.tpl', AUTH_MDP, true);
 include('xml-rpc-client.inc.php');
-$res = $globals->db->query("SELECT password FROM auth_user_md5 WHERE user_id={$_SESSION['uid']}");
-list($pass) = mysql_fetch_row($res);
-mysql_free_result($res);
-
 $err = Array();
-$client = new xmlrpc_client("http://{$_SESSION['uid']}:$pass@localhost:4949");
+$client = new xmlrpc_client("http://{$_SESSION['uid']}:{$_SESSION['password']}@localhost:4949");
 if(isset($_REQUEST['add_member'])) {
     $arr = $client->mass_subscribe('polytechnique.org', $liste, Array($_REQUEST['add_member']));
diff --git a/htdocs/listes/check.php b/htdocs/listes/check.php
index faf7f1e..3357bbc 100644
--- a/htdocs/listes/check.php
+++ b/htdocs/listes/check.php
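Review bot: `$client = new xmlrpc_client("http://{$_SESSION['uid']}:{$_SESSION['password']}@localhost:4949");` reads `$_SESSION['password']` unconditionally, so a session that predates this deployment, or one opened through a path that never ran `start_connexion()`, builds `http://<uid>:@localhost:4949` and every call then fails with an opaque XML-RPC error; members.php and trombi.php are served at `AUTH_COOKIE`, so it is worth confirming the variable is populated at that level too. The same line is repeated verbatim in check.php, index.php, members.php, moderate.php, options.php, soptions.php and trombi.php, and all eight already `include('xml-rpc-client.inc.php')`, so the URL should be built once in a helper there that checks for the credential and URL-encodes it instead of being interpolated eight times. The password hash now doubles as the XML-RPC bearer credential, so if xmlrpc_client echoes its server URL in error output (not visible here) the hash would land in page output or logs. The enclosing script continues outside the hunk.
```php
// xml-rpc-client.inc.php — one place that turns the session into a client.
// Callers replace the inline "new xmlrpc_client(...)" with xorg_xmlrpc_client().
function xorg_xmlrpc_client()
{
    if (empty($_SESSION['uid']) || empty($_SESSION['password'])) {
        // pre-upgrade session or an auth path that skipped start_connexion():
        // fail loudly here instead of issuing anonymous XML-RPC calls
        trigger_error('session carries no XML-RPC credential', E_USER_ERROR);
    }
    return new xmlrpc_client('http://' . urlencode($_SESSION['uid']) . ':'
                           . urlencode($_SESSION['password']) . '@localhost:4949');
}
```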
@@ -18,7 +18,7 @@
  * Foundation, Inc., *
  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
  ***************************************************************************
-    $Id: check.php,v 1.2 2004-10-06 13:16:49 x2000habouzit Exp $
+    $Id: check.php,v 1.3 2004-10-30 15:45:40 x2000habouzit Exp $
  ***************************************************************************/
 if(empty($_REQUEST['liste'])) header('Location: index.php');
@@ -28,11 +28,7 @@ require("auto.prepend.inc.php");
 new_admin_page('listes/check.tpl', true);
 include('xml-rpc-client.inc.php');
-$res = $globals->db->query("SELECT password FROM auth_user_md5 WHERE user_id={$_SESSION['uid']}");
-list($pass) = mysql_fetch_row($res);
-mysql_free_result($res);
-
-$client = new xmlrpc_client("http://{$_SESSION['uid']}:$pass@localhost:4949");
+$client = new xmlrpc_client("http://{$_SESSION['uid']}:{$_SESSION['password']}@localhost:4949");
 if(isset($_POST['correct'])) {
     $client->check_options('polytechnique.org', $liste, true);
 }
diff --git a/htdocs/listes/index.php b/htdocs/listes/index.php
index dc73847..da62e82 100644
--- a/htdocs/listes/index.php
+++ b/htdocs/listes/index.php
@@ -18,7 +18,7 @@
  * Foundation, Inc., *
  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
  ***************************************************************************
-    $Id: index.php,v 1.9 2004-10-18 07:06:49 x2000habouzit Exp $
+    $Id: index.php,v 1.10 2004-10-30 15:45:40 x2000habouzit Exp $
  ***************************************************************************/
 require("auto.prepend.inc.php");
@@ -26,11 +26,7 @@ new_skinned_page('listes/index.tpl', AUTH_MDP);
 include('xml-rpc-client.inc.php');
 include('newsletter.inc.php');
-$res = $globals->db->query("SELECT password FROM auth_user_md5 WHERE user_id={$_SESSION['uid']}");
-list($pass) = mysql_fetch_row($res);
-mysql_free_result($res);
-
-$client = new xmlrpc_client("http://{$_SESSION['uid']}:$pass@localhost:4949");
+$client = new xmlrpc_client("http://{$_SESSION['uid']}:{$_SESSION['password']}@localhost:4949");
 if(isset($_GET['del'])) {
     $client->unsubscribe('polytechnique.org',$_GET['del']);
     header('Location: index.php');
diff --git a/htdocs/listes/members.php b/htdocs/listes/members.php
index 1b1da01..368f5ef 100644
--- a/htdocs/listes/members.php
+++ b/htdocs/listes/members.php
@@ -18,7 +18,7 @@
  * Foundation, Inc., *
  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
  ***************************************************************************
-    $Id: members.php,v 1.6 2004-10-15 09:52:22 x2000habouzit Exp $
+    $Id: members.php,v 1.7 2004-10-30 15:45:40 x2000habouzit Exp $
  ***************************************************************************/
 if(empty($_REQUEST['liste'])) header('Location: index.php');
@@ -28,11 +28,7 @@ require("auto.prepend.inc.php");
 new_skinned_page('listes/members.tpl', AUTH_COOKIE, true);
 include('xml-rpc-client.inc.php');
-$res = $globals->db->query("SELECT password FROM auth_user_md5 WHERE user_id={$_SESSION['uid']}");
-list($pass) = mysql_fetch_row($res);
-mysql_free_result($res);
-
-$client = new xmlrpc_client("http://{$_SESSION['uid']}:$pass@localhost:4949");
+$client = new xmlrpc_client("http://{$_SESSION['uid']}:{$_SESSION['password']}@localhost:4949");
 $members = $client->get_members('polytechnique.org', $liste);
 $tri_promo = empty($_REQUEST['alpha']);
diff --git a/htdocs/listes/moderate.php b/htdocs/listes/moderate.php
index e5e99e2..81dd6e1 100644
--- a/htdocs/listes/moderate.php
+++ b/htdocs/listes/moderate.php
@@ -18,7 +18,7 @@
  * Foundation, Inc., *
  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
  ***************************************************************************
-    $Id: moderate.php,v 1.14 2004-10-28 14:26:33 x2000habouzit Exp $
+    $Id: moderate.php,v 1.15 2004-10-30 15:45:40 x2000habouzit Exp $
  ***************************************************************************/
 if(empty($_REQUEST['liste'])) header('Location: index.php');
@@ -32,10 +32,7 @@ require("auto.prepend.inc.php");
 new_skinned_page('listes/moderate.tpl', AUTH_MDP, true);
 include('xml-rpc-client.inc.php');
-$res = $globals->db->query("SELECT password FROM auth_user_md5 WHERE user_id={$_SESSION['uid']}");
-list($pass) = mysql_fetch_row($res);
-mysql_free_result($res);
-$client = new xmlrpc_client("http://{$_SESSION['uid']}:$pass@localhost:4949");
+$client = new xmlrpc_client("http://{$_SESSION['uid']}:{$_SESSION['password']}@localhost:4949");
 if(isset($_REQUEST['sadd'])) {
     $client->handle_request('polytechnique.org', $liste,$_REQUEST['sadd'],4,'');
diff --git a/htdocs/listes/options.php b/htdocs/listes/options.php
index be17c63..2b97bec 100644
--- a/htdocs/listes/options.php
+++ b/htdocs/listes/options.php
@@ -18,7 +18,7 @@
  * Foundation, Inc., *
  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
  ***************************************************************************
-    $Id: options.php,v 1.4 2004-10-16 11:39:38 x2000habouzit Exp $
+    $Id: options.php,v 1.5 2004-10-30 15:45:40 x2000habouzit Exp $
  ***************************************************************************/
 if(empty($_REQUEST['liste'])) header('Location: index.php');
@@ -28,11 +28,7 @@ require("auto.prepend.inc.php");
 new_skinned_page('listes/options.tpl', AUTH_MDP, true);
 include('xml-rpc-client.inc.php');
-$res = $globals->db->query("SELECT password FROM auth_user_md5 WHERE user_id={$_SESSION['uid']}");
-list($pass) = mysql_fetch_row($res);
-mysql_free_result($res);
-
-$client = new xmlrpc_client("http://{$_SESSION['uid']}:$pass@localhost:4949");
+$client = new xmlrpc_client("http://{$_SESSION['uid']}:{$_SESSION['password']}@localhost:4949");
 if(isset($_POST['submit'])) {
     $values =array_map('stripslashes',$_POST);
diff --git a/htdocs/listes/soptions.php b/htdocs/listes/soptions.php
index 4bdc8e8..3319850 100644
--- a/htdocs/listes/soptions.php
+++ b/htdocs/listes/soptions.php
@@ -18,7 +18,7 @@
  * Foundation, Inc., *
  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
  ***************************************************************************
-    $Id: soptions.php,v 1.3 2004-10-06 13:23:20 x2000habouzit Exp $
+    $Id: soptions.php,v 1.4 2004-10-30 15:45:40 x2000habouzit Exp $
  ***************************************************************************/
 if(empty($_REQUEST['liste'])) header('Location: index.php');
@@ -28,11 +28,7 @@ require("auto.prepend.inc.php");
 new_admin_page('listes/soptions.tpl', true);
 include('xml-rpc-client.inc.php');
-$res = $globals->db->query("SELECT password FROM auth_user_md5 WHERE user_id={$_SESSION['uid']}");
-list($pass) = mysql_fetch_row($res);
-mysql_free_result($res);
-
-$client = new xmlrpc_client("http://{$_SESSION['uid']}:$pass@localhost:4949");
+$client = new xmlrpc_client("http://{$_SESSION['uid']}:{$_SESSION['password']}@localhost:4949");
 if(isset($_POST['submit'])) {
     $values = array_map('stripslashes', $_POST);
diff --git a/htdocs/listes/trombi.php b/htdocs/listes/trombi.php
index 64440a4..abfff4d 100644
--- a/htdocs/listes/trombi.php
+++ b/htdocs/listes/trombi.php
@@ -18,7 +18,7 @@
  * Foundation, Inc., *
  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
  ***************************************************************************
-    $Id: trombi.php,v 1.8 2004-10-28 20:28:41 x2000habouzit Exp $
+    $Id: trombi.php,v 1.9 2004-10-30 15:45:40 x2000habouzit Exp $
  ***************************************************************************/
 if(empty($_REQUEST['liste'])) header('Location: index.php');
@@ -29,11 +29,7 @@ new_skinned_page('listes/trombi.tpl', AUTH_COOKIE, true);
 include('xml-rpc-client.inc.php');
 require("trombi.inc.php");
-$res = $globals->db->query("SELECT password FROM auth_user_md5 WHERE user_id={$_SESSION['uid']}");
-list($pass) = mysql_fetch_row($res);
-mysql_free_result($res);
-
-$client = new xmlrpc_client("http://{$_SESSION['uid']}:$pass@localhost:4949");
+$client = new xmlrpc_client("http://{$_SESSION['uid']}:{$_SESSION['password']}@localhost:4949");
 function getList($offset,$limit) {
     global $client, $globals;
diff --git a/include/xorg.session.inc.php b/include/xorg.session.inc.php
index b1dca28..bf2b71f 100644
--- a/include/xorg.session.inc.php
+++ b/include/xorg.session.inc.php
@@ -18,7 +18,7 @@
  * Foundation, Inc., *
  * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
  ***************************************************************************
-    $Id: xorg.session.inc.php,v 1.33 2004-10-11 20:42:37 x2000habouzit Exp $
+    $Id: xorg.session.inc.php,v 1.34 2004-10-30 15:45:40 x2000habouzit Exp $
  ***************************************************************************/
 require("diogenes.core.session.inc.php");
@@ -221,7 +221,7 @@ function start_connexion ($uid, $identified) {
     global $globals;
     $result=$globals->db->query("
         SELECT prenom, nom, perms, promo, matricule, UNIX_TIMESTAMP(s.start) AS lastlogin, s.host,
-               a.alias, UNIX_TIMESTAMP(u.lastnewslogin), a2.alias
+               a.alias, UNIX_TIMESTAMP(u.lastnewslogin), a2.alias, password
         FROM auth_user_md5 AS u
         INNER JOIN aliases AS a ON (u.user_id = a.id AND a.type='a_vie')
         INNER JOIN aliases AS a2 ON (u.user_id = a2.id AND (a2.type='a_vie' OR a2.type='alias' OR a2.type='epouse') AND a2.alias LIKE '%.%')
@@ -229,7 +229,8 @@ function start_connexion ($uid, $identified) {
         WHERE user_id=$uid
         ORDER BY s.start DESC, a2.type != 'epouse', length(a2.alias)
         LIMIT 1");
-    list($prenom, $nom, $perms, $promo, $matricule, $lastlogin, $host, $forlife, $lastnewslogin, $bestalias) = mysql_fetch_row($result);
+    list($prenom, $nom, $perms, $promo, $matricule, $lastlogin, $host,
+         $forlife, $lastnewslogin, $bestalias, $password) = mysql_fetch_row($result);
     mysql_free_result($result);
     // on garde le logger si il existe (pour ne pas casser les sessions lors d'une
@@ -265,6 +266,7 @@ function start_connexion ($uid, $identified) {
     $_SESSION['forlife'] = $forlife;
     $_SESSION['bestalias'] = $bestalias;
     $_SESSION['matricule'] = $matricule;
+    $_SESSION['password'] = $password;
     $res = $globals->db->query("SELECT flags FROM identification WHERE matricule = '$matricule' AND FIND_IN_SET(flags, 'femme')");
     $_SESSION['femme'] = mysql_num_rows($res) > 0;
     mysql_free_result($res);
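Review bot: `$_SESSION['password'] = $password;` in the third hunk copies the `auth_user_md5.password` hash into the server-side session for its whole lifetime, and the listes/*.php hunks of this commit turn that value into the HTTP basic credential for the XML-RPC service, so the session store (files, a shared handler, their backups) now holds a reusable credential rather than only identity data; the commit message weighs only the cookie exposure. Document that at the assignment, `// password hash; reused as the XML-RPC credential by htdocs/listes/*.php — must be unset on logout`, and confirm that the logout path clears it and that the session id is regenerated (`session_regenerate_id()`) when this function runs, neither of which is visible in these hunks. The new `password` column is appended to a `SELECT` whose `WHERE user_id=$uid` (context in the second hunk, pre-existing) interpolates `$uid` as-is; since the query now also returns the hash, coercing it first, `$uid = intval($uid);`, is cheap insurance if any caller passes a non-integer. `start_connexion()` begins and ends outside these hunks.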