From: x2000habouzit Date: Sun, 2 Jul 2006 12:35:58 +0000 (+0000) Subject: merge password change fixes. X-Git-Tag: xorg/0.9.11~538 X-Git-Url: http://git.polytechnique.org/?a=commitdiff_plain;h=e613b04c5ad24b2369581f8f94a84fb435d7d4cd;p=platal.git merge password change fixes. git-svn-id: svn+ssh://murphy/home/svn/platal/trunk@355 839d8a87-29fc-0310-9880-83ba4fa771e5 --- diff --git a/templates/javascript/do_challenge_response.js.tpl b/htdocs/javascript/do_challenge_response.js similarity index 96% rename from templates/javascript/do_challenge_response.js.tpl rename to htdocs/javascript/do_challenge_response.js index b54b1ce..8120894 100644 --- a/templates/javascript/do_challenge_response.js.tpl +++ b/htdocs/javascript/do_challenge_response.js @@ -18,9 +18,6 @@ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * ***************************************************************************/ -document.write(''); - -{literal} function correctUserName() { var u = document.forms.login.username; // login with no space @@ -62,4 +59,3 @@ function doChallengeResponse() { document.forms.loginsub.submit(); } -{/literal} \ No newline at end of file diff --git a/htdocs/javascript/do_challenge_response.js.php b/htdocs/javascript/do_challenge_response.js.php deleted file mode 100644 index dacd54f..0000000 --- a/htdocs/javascript/do_challenge_response.js.php +++ /dev/null @@ -1,25 +0,0 @@ -run(); -?> diff --git a/templates/javascript/do_challenge_response_logged.js.tpl b/htdocs/javascript/do_challenge_response_logged.js similarity index 95% rename from templates/javascript/do_challenge_response_logged.js.tpl rename to htdocs/javascript/do_challenge_response_logged.js index 226d9ea..80277f0 100644 --- a/templates/javascript/do_challenge_response_logged.js.tpl +++ b/htdocs/javascript/do_challenge_response_logged.js 
@@ -18,9 +18,6 @@ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * ***************************************************************************/ -document.write(''); - -{literal} function readCookie(name) { var nameEQ = name + "="; @@ -49,4 +46,3 @@ function doChallengeResponse() { document.forms.login.password.value = ""; document.forms.loginsub.submit(); } -{/literal} \ No newline at end of file diff --git a/htdocs/javascript/do_challenge_response_logged.js.php b/htdocs/javascript/do_challenge_response_logged.js.php deleted file mode 100644 index 122bd95..0000000 --- a/htdocs/javascript/do_challenge_response_logged.js.php +++ /dev/null @@ -1,25 +0,0 @@ -run(); -?> diff --git a/templates/javascript/motdepasse.js.tpl b/htdocs/javascript/motdepasse.js similarity index 83% rename from templates/javascript/motdepasse.js.tpl rename to htdocs/javascript/motdepasse.js index a08e6c3..60c5e49 100644 --- a/templates/javascript/motdepasse.js.tpl +++ b/htdocs/javascript/motdepasse.js @@ -18,9 +18,6 @@ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * ***************************************************************************/ -document.write(''); - -{literal} function EnCryptedResponse() { pw1 = document.forms.changepass.nouveau.value; pw2 = document.forms.changepass.nouveau2.value; @@ -34,18 +31,11 @@ function EnCryptedResponse() { return false; exit; } - - old_pass = hash_encrypt(document.forms.changepass.ancien.value); - - str = old_pass + ":" + - document.forms.changepass.challenge.value; - document.forms.changepass2.response.value = hash_encrypt(str); - str = hash_xor(hash_encrypt(document.forms.changepass.nouveau.value), old_pass); + str = hash_encrypt(document.forms.changepass.nouveau.value); document.forms.changepass2.response2.value = str; - + alert ("Le mot de passe que tu as rentré va être chiffré avant de nous parvenir par Internet ! Ainsi il ne circulera pas en clair."); document.forms.changepass2.submit(); return true; } -{/literal} 
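Review bot: In the second motdepasse.js hunk, `response2` is now the bare `hash_encrypt()` of the new password (SHA-1, per secure_hash.js), yet the `alert` still tells the user the password is "chiffré". motdepasse.php in this same commit stores that value as is, and the removed challenge-response lines suggest login responses are derived from the stored hash, so anyone who observes the request probably holds a password equivalent. The form therefore needs to be served and posted over HTTPS only, which nothing in these hunks shows; I would add a comment above the assignment such as `// response2 is password-equivalent: hashed, not encrypted; confidentiality relies on TLS` and reword the alert to match. `str` is also assigned without `var` and becomes a global; `var str = hash_encrypt(document.forms.changepass.nouveau.value);` fixes that. EnCryptedResponse() starts above the hunk.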
diff --git a/htdocs/javascript/motdepasse.js.php b/htdocs/javascript/motdepasse.js.php deleted file mode 100644 index 6a28c41..0000000 --- a/htdocs/javascript/motdepasse.js.php +++ /dev/null @@ -1,25 +0,0 @@ -run(); -?> diff --git a/templates/javascript/secure_hash.js.tpl b/htdocs/javascript/secure_hash.js similarity index 88% rename from templates/javascript/secure_hash.js.tpl rename to htdocs/javascript/secure_hash.js index 2ffbc55..19a913e 100644 --- a/templates/javascript/secure_hash.js.tpl +++ b/htdocs/javascript/secure_hash.js @@ -18,10 +18,6 @@ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * ***************************************************************************/ -document.write(''); -document.write(''); - -{literal} function hash_encrypt(a) { return hex_sha1(a); } @@ -52,4 +48,3 @@ function hash_xor(a, b) { c += a.charAt(k); return c; } -{/literal} diff --git a/htdocs/javascript/secure_hash.js.php b/htdocs/javascript/secure_hash.js.php deleted file mode 100644 index 8c46ce0..0000000 --- a/htdocs/javascript/secure_hash.js.php +++ /dev/null @@ -1,25 +0,0 @@ -run(); -?> diff --git a/htdocs/motdepasse.php b/htdocs/motdepasse.php index 48a2cdf..a590dd1 100644 --- a/htdocs/motdepasse.php +++ b/htdocs/motdepasse.php @@ -23,14 +23,7 @@ require_once('xorg.inc.php'); if (Post::has('response2')) { require_once('secure_hash.inc.php'); - if (hash_encrypt($_SESSION['password'].":".$_SESSION['session']->challenge) != Post::get('response')) { - new_skinned_page('motdepasse.tpl', AUTH_MDP); - $page->addJsLink('javascript/motdepasse.js.php'); - $page->assign('xorg_title','Polytechnique.org - Mon mot de passe'); - $page->trig('Ancien mot de passe erronné'); - $page->run(); - } - $password = hash_xor(Post::get('response2'), $_SESSION['password']); + $password = Post::get('response2'); $_SESSION['password'] = $password; $globals->xdb->execute('UPDATE auth_user_md5 SET password={?} WHERE user_id={?}', $password, Session::getInt('uid')); 
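Review bot: Nothing in the first motdepasse.php hunk now proves that the requester knows the current password before `Post::get('response2')` is written to `auth_user_md5.password`, and the value itself is not format-checked. With the challenge-response comparison removed, a live session alone is enough to replace the password, so a forged cross-site POST or an unattended browser could cause a lasting account takeover; no anti-forgery token is visible here, and whatever access check runs before line 23 is outside the hunk. I would keep the current-password verification for ordinary logged-in changes and relax it only for tmpPWD.php, which reuses the same template for what looks like a recovery flow. Before the UPDATE the value should be rejected unless it is a SHA-1 hex digest, e.g. `if (!preg_match('/^[0-9a-f]{40}$/i', $password)) { /* refuse and re-display the form */ }`, so that arbitrary client-supplied strings never reach the password column or `$_SESSION['password']`.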
@@ -47,7 +40,7 @@ if (Post::has('response2')) { } new_skinned_page('motdepasse.tpl', AUTH_MDP); -$page->addJsLink('javascript/motdepasse.js.php'); +$page->addJsLink('javascript/motdepasse.js'); $page->assign('xorg_title','Polytechnique.org - Mon mot de passe'); $page->run(); ?> diff --git a/htdocs/tmpPWD.php b/htdocs/tmpPWD.php index 7841a1e..aa1b62b 100644 --- a/htdocs/tmpPWD.php +++ b/htdocs/tmpPWD.php @@ -38,7 +38,7 @@ if ($ligne = $res->fetchOneAssoc()) { $page->run(); } else { new_skinned_page('motdepasse.tpl', AUTH_PUBLIC); - $page->addJsLink('javascript/motdepasse.js.php'); + $page->addJsLink('javascript/motdepasse.js'); $page->run(); } } else { diff --git a/include/xnet/session.inc.php b/include/xnet/session.inc.php index c234e3f..ad2c4bf 100644 --- a/include/xnet/session.inc.php +++ b/include/xnet/session.inc.php @@ -136,7 +136,7 @@ class XnetSession extends DiogenesCoreSession function doLogin(&$page) { // login for non-x has been disabled, so don't need this js anymore - //$page->addJsLink('javascript/do_challenge_response.js.php'); + //$page->addJsLink('javascript/do_challenge_response.js'); $page->assign("xorg_tpl", "xnet/login.tpl"); $page->run(); } diff --git a/include/xorg/session.inc.php b/include/xorg/session.inc.php index 2ad7784..e435712 100644 --- a/include/xorg/session.inc.php +++ b/include/xorg/session.inc.php @@ -185,12 +185,12 @@ class XorgSession extends DiogenesCoreSession { if (logged() and !$new_name) { $page->changeTpl('password_prompt_logged.tpl'); - $page->addJsLink('javascript/do_challenge_response_logged.js.php'); + $page->addJsLink('javascript/do_challenge_response_logged.js'); $page->assign("xorg_tpl", "password_prompt_logged.tpl"); $page->run(); } else { $page->changeTpl('password_prompt.tpl'); - $page->addJsLink('javascript/do_challenge_response.js.php'); + $page->addJsLink('javascript/do_challenge_response.js'); $page->assign("xorg_tpl", "password_prompt.tpl"); global $globals; 
diff --git a/templates/motdepasse.tpl b/templates/motdepasse.tpl index f189d31..22a272d 100644 --- a/templates/motdepasse.tpl +++ b/templates/motdepasse.tpl @@ -44,15 +44,6 @@ - Ancien mot de passe : - - - - - - - - Nouveau mot de passe : @@ -76,7 +67,6 @@

-

diff --git a/templates/skin/common.header.tpl b/templates/skin/common.header.tpl index 6c81f96..41b1f06 100644 --- a/templates/skin/common.header.tpl +++ b/templates/skin/common.header.tpl @@ -44,6 +44,9 @@ {/foreach} + + + {if $xorg_rss}