Support setting management panel key to improve security

Resolves #144.
Trevor Slocum 2021-03-13 18:49:09 -08:00
parent 963c946eda
commit c50c797234
5 changed files with 31 additions and 8 deletions


@ -585,6 +585,13 @@ if (!isset($_GET['delete']) && !isset($_GET['manage']) && (isset($_POST['name'])
$isadmin = false; $isadmin = false;
$returnlink = basename($_SERVER['PHP_SELF']); $returnlink = basename($_SERVER['PHP_SELF']);
if (isset($_GET["logout"])) {
$_SESSION['tinyib'] = '';
$_SESSION['tinyib_key'] = '';
session_destroy();
die('--&gt; --&gt; --&gt;<meta http-equiv="refresh" content="0;url=imgboard.php">');
}
list($loggedin, $isadmin) = manageCheckLogIn(); list($loggedin, $isadmin) = manageCheckLogIn();
if ($loggedin) { if ($loggedin) {
@ -805,11 +812,8 @@ if (!isset($_GET['delete']) && !isset($_GET['manage']) && (isset($_POST['name'])
} elseif (isset($_GET["rawpost"])) { } elseif (isset($_GET["rawpost"])) {
$onload = manageOnLoad("rawpost"); $onload = manageOnLoad("rawpost");
$text .= buildPostForm(0, true); $text .= buildPostForm(0, true);
} elseif (isset($_GET["logout"])) {
$_SESSION['tinyib'] = '';
session_destroy();
die('--&gt; --&gt; --&gt;<meta http-equiv="refresh" content="0;url=' . $returnlink . '?manage">');
} }
if ($text == '') { if ($text == '') {
$text = manageStatus(); $text = manageStatus();
} }
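Review bot: The moved logout handler hardcodes `imgboard.php` as the refresh target even though `$returnlink` is computed from `$_SERVER['PHP_SELF']` on the line directly above it, and the removed version of the handler used `$returnlink`; one line restores the consistency: `die('--&gt; --&gt; --&gt;<meta http-equiv="refresh" content="0;url=' . $returnlink . '">');`. Separately, `session_destroy()` removes the server-side data but does not invalidate the client's session cookie, so if the project wants the logged-out browser to start on a fresh id it should also run `$_SESSION = array();` and expire the cookie with `setcookie(session_name(), '', time() - 42000, '/');` before the redirect. The enclosing `if (!isset($_GET['delete']) && ...)` block starts before and ends after this hunk.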


@ -13,6 +13,9 @@ define('TINYIB_WORDBREAK_IDENTIFIER', '@!@TINYIB_WORDBREAK@!@');
if (!defined('TINYIB_LOCALE')) { if (!defined('TINYIB_LOCALE')) {
define('TINYIB_LOCALE', ''); define('TINYIB_LOCALE', '');
} }
if (!defined('TINYIB_MANAGEKEY')) {
define('TINYIB_MANAGEKEY', '');
}
if (!defined('TINYIB_INDEX')) { if (!defined('TINYIB_INDEX')) {
define('TINYIB_INDEX', 'index.html'); define('TINYIB_INDEX', 'index.html');
} }


@ -336,6 +336,17 @@ function checkMessageSize() {
} }
function manageCheckLogIn() { function manageCheckLogIn() {
$key = (isset($_GET['manage']) && $_GET['manage'] != '') ? hashData($_GET['manage']) : '';
if ($key == '' && isset($_SESSION['tinyib_key'])) {
$key = $_SESSION['tinyib_key'];
}
if (TINYIB_MANAGEKEY != '' && $key !== hashData(TINYIB_MANAGEKEY)) {
$_SESSION['tinyib'] = '';
$_SESSION['tinyib_key'] = '';
session_destroy();
fancyDie(__('Invalid key.'));
}
$loggedin = false; $loggedin = false;
$isadmin = false; $isadmin = false;
if (isset($_POST['managepassword'])) { if (isset($_POST['managepassword'])) {
@ -343,8 +354,10 @@ function manageCheckLogIn() {
if ($_POST['managepassword'] === TINYIB_ADMINPASS) { if ($_POST['managepassword'] === TINYIB_ADMINPASS) {
$_SESSION['tinyib'] = hashData(TINYIB_ADMINPASS); $_SESSION['tinyib'] = hashData(TINYIB_ADMINPASS);
$_SESSION['tinyib_key'] = hashData(TINYIB_MANAGEKEY);
} elseif (TINYIB_MODPASS != '' && $_POST['managepassword'] === TINYIB_MODPASS) { } elseif (TINYIB_MODPASS != '' && $_POST['managepassword'] === TINYIB_MODPASS) {
$_SESSION['tinyib'] = hashData(TINYIB_MODPASS); $_SESSION['tinyib'] = hashData(TINYIB_MODPASS);
$_SESSION['tinyib_key'] = hashData(TINYIB_MANAGEKEY);
} else { } else {
fancyDie(__('Invalid password.')); fancyDie(__('Invalid password.'));
} }
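Review bot: The key check `$key !== hashData(TINYIB_MANAGEKEY)` compares a secret-derived value with an ordinary string comparison, which exits at the first differing byte; PHP's constant-time helper is the idiom here: `if (TINYIB_MANAGEKEY != '' && !hash_equals(hashData(TINYIB_MANAGEKEY), $key)) {`. The key is also accepted from the query string (`?manage=KEY`), so it will land in server access logs, browser history and any Referer header sent from the panel; since a successful login already stores `hashData(TINYIB_MANAGEKEY)` in `$_SESSION['tinyib_key']`, a redirect to a bare `?manage` once the session copy exists would keep the secret out of the URL — worth considering, though the redirect flow lives outside this hunk. `hashData()` is not visible here; if it expects a string, `?manage[]=x` would hand it an array, so an `is_string($_GET['manage'])` guard on the first new line is cheap insurance. `manageCheckLogIn()` continues past the end of the second hunk.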


@ -542,7 +542,7 @@ EOF;
function buildPage($htmlposts, $parent, $pages = 0, $thispage = 0, $lastpostid = 0) { function buildPage($htmlposts, $parent, $pages = 0, $thispage = 0, $lastpostid = 0) {
$cataloglink = TINYIB_CATALOG ? ('[<a href="catalog.html" style="text-decoration: underline;">' . __('Catalog') . '</a>]') : ''; $cataloglink = TINYIB_CATALOG ? ('[<a href="catalog.html" style="text-decoration: underline;">' . __('Catalog') . '</a>]') : '';
$managelink = basename($_SERVER['PHP_SELF']) . "?manage"; $managelink = (TINYIB_MANAGEKEY == '') ? ('[<a href="' . basename($_SERVER['PHP_SELF']) . '?manage"" style="text-decoration: underline;">' . __('Manage') . '</a>]') : '';
$postingmode = ""; $postingmode = "";
$pagenavigator = ""; $pagenavigator = "";
@ -603,7 +603,6 @@ EOF;
$js_autorefresh = '<script type="text/javascript">var autoRefreshDelay = ' . TINYIB_AUTOREFRESH . ';var autoRefreshThreadID = ' . $parent . ';var autoRefreshPostID = ' . $lastpostid . ';</script>'; $js_autorefresh = '<script type="text/javascript">var autoRefreshDelay = ' . TINYIB_AUTOREFRESH . ';var autoRefreshThreadID = ' . $parent . ';var autoRefreshPostID = ' . $lastpostid . ';</script>';
} }
$txt_manage = __('Manage');
$txt_style = __('Style'); $txt_style = __('Style');
$txt_password = __('Password'); $txt_password = __('Password');
$txt_delete = __('Delete'); $txt_delete = __('Delete');
@ -612,7 +611,7 @@ EOF;
<body> <body>
<div class="adminbar"> <div class="adminbar">
$cataloglink $cataloglink
[<a href="$managelink" style="text-decoration: underline;">$txt_manage</a>] $managelink
<select id="switchStylesheet"><option value="">$txt_style</option><option value="futaba">Futaba</option><option value="burichan">Burichan</option></select> <select id="switchStylesheet"><option value="">$txt_style</option><option value="futaba">Futaba</option><option value="burichan">Burichan</option></select>
</div> </div>
<div class="logo"> <div class="logo">
@ -848,8 +847,9 @@ function manageLogInForm() {
<input type="text" name="captcha" id="captcha" size="6" accesskey="c" autocomplete="off">&nbsp;&nbsp;' . __('(enter the text below)') . '<br> <input type="text" name="captcha" id="captcha" size="6" accesskey="c" autocomplete="off">&nbsp;&nbsp;' . __('(enter the text below)') . '<br>
<img id="captchaimage" src="inc/captcha.php" width="175" height="55" alt="CAPTCHA" onclick="javascript:reloadCAPTCHA()" style="margin-top: 5px;cursor: pointer;"><br><br>'; <img id="captchaimage" src="inc/captcha.php" width="175" height="55" alt="CAPTCHA" onclick="javascript:reloadCAPTCHA()" style="margin-top: 5px;cursor: pointer;"><br><br>';
} }
$managekey = htmlentities($_GET['manage'], ENT_QUOTES);
return <<<EOF return <<<EOF
<form id="tinyib" name="tinyib" method="post" action="?manage"> <form id="tinyib" name="tinyib" method="post" action="?manage=$managekey">
<fieldset> <fieldset>
<legend align="center">$txt_login_prompt</legend> <legend align="center">$txt_login_prompt</legend>
<div class="login"> <div class="login">
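Review bot: The new `$managelink` in `buildPage()` emits `?manage"" style=` — a doubled quote that leaves the `<a>` tag with a stray empty attribute; the fixed line is `$managelink = (TINYIB_MANAGEKEY == '') ? ('[<a href="' . basename($_SERVER['PHP_SELF']) . '?manage" style="text-decoration: underline;">' . __('Manage') . '</a>]') : '';`. In `manageLogInForm()`, `$managekey` is escaped for HTML only but is placed inside a URL query string, so a key containing `&`, `#`, `+` or `%` would be truncated or decoded differently on the POST; encoding for the URL context first, `$managekey = htmlentities(rawurlencode($_GET['manage']), ENT_QUOTES);`, avoids that (note `$_GET['manage']` may also be unset or an array if this form is rendered from another path — I can't see the callers). Both `buildPage()` and `manageLogInForm()` extend beyond their hunks.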


@ -18,6 +18,9 @@ click Rebuild All in the management panel.
// Internationalization // Internationalization
define('TINYIB_LOCALE', ''); // Locale (see README for instructions) define('TINYIB_LOCALE', ''); // Locale (see README for instructions)
// Management panel
define('TINYIB_MANAGEKEY', ''); // When set, the [Manage] link is hidden and the management panel may only be accessed via imgboard.php?manage=TINYIB_MANAGEKEY ['' to disable]
// Administrator/moderator credentials // Administrator/moderator credentials
define('TINYIB_ADMINPASS', ''); // Administrators have full access to the board define('TINYIB_ADMINPASS', ''); // Administrators have full access to the board
define('TINYIB_MODPASS', ''); // Moderators only have access to delete (and moderate if TINYIB_REQMOD is set) posts ['' to disable] define('TINYIB_MODPASS', ''); // Moderators only have access to delete (and moderate if TINYIB_REQMOD is set) posts ['' to disable]
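Review bot: The new `TINYIB_MANAGEKEY` comment explains the mechanism but not how strong the key needs to be; since it is accepted straight from the URL (`?manage=TINYIB_MANAGEKEY`), a short or guessable value is exposed to brute force and will show up in access logs and browser history. I would extend the comment along the lines of: `// When set, the [Manage] link is hidden and the management panel may only be accessed via imgboard.php?manage=TINYIB_MANAGEKEY. Use a long random value (e.g. 32+ characters); it travels in the URL and will appear in server logs and browser history ['' to disable]`.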