tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

BUGFIX: removed Security::get_default_username() and Security::get_default_password()

Browse Source 
had rather severe security implications due to the way PHP handles static methods as instance methods,
combined with silverstripe's url->method-mapping
(EPIC FALE! on my behalf...)
added Security::checkDefaultAdmin()

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@42204 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer 2007-09-17 21:51:42 +00:00
parent 852d09d5f3
commit e7993a1bb0
2 changed files with 16 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
security/MemberAuthenticator.php
View File

@ -29,13 +29,7 @@ class MemberAuthenticator extends Authenticator {
$SQL_user = Convert::raw2sql($RAW_data['Email']); $SQL_user = Convert::raw2sql($RAW_data['Email']);
// Default login (see {@setDetaultAdmin()}) // Default login (see {@setDetaultAdmin()})
$defaultUsername = Security::get_default_username(); if(Security::checkDefaultAdmin($RAW_data['Email'], $RAW_data['Password'])) {
$defaultPassword = Security::get_default_password();
if($RAW_data['Email'] == $defaultUsername
&& $RAW_data['Password'] == $defaultPassword
&& !empty($defaultUsername)
&& !empty($defaultPassword)
) {
$member = Security::findAnAdministrator(); $member = Security::findAnAdministrator();
} else { } else {
$member = DataObject::get_one("Member", "Email = '$SQL_user' AND Password IS NOT NULL"); $member = DataObject::get_one("Member", "Email = '$SQL_user' AND Password IS NOT NULL");

34
security/Security.php
View File

@ -338,25 +338,6 @@ class Security extends Controller {
return self::Link('changepassword') . "?h=$autoLoginHash"; return self::Link('changepassword') . "?h=$autoLoginHash";
} }
/**
* Returns a username set by setDefaultAdmin()
*
* @return String
*/
public static function get_default_username() {
return self::$default_username;
}
/**
* Returns a password set by setDefaultAdmin()
*
* @return String
*/
public static function get_default_password() {
return self::$default_password;
}
/** /**
* Show the "change password" page * Show the "change password" page
* *
@ -495,6 +476,21 @@ class Security extends Controller {
self::$default_username = $username; self::$default_username = $username;
self::$default_password = $password; self::$default_password = $password;
} }
/**
* Checks if the passed credentials are matching the default-admin.
* Compares cleartext-password set through Security::setDefaultAdmin().
*
* @param string $username
* @param string $password
* @return bool
*/
public static function checkDefaultAdmin($username, $password) {
return (
self::$default_username == $username
&& self::$default_password == $password
);
}
/** /**