[pmwiki-users] authuser forcing Author name stopped working?

Neil Herber nospam at eton.ca
Thu Jul 7 23:20:56 CDT 2005


At 2005-07-07  09:02 PM -0700, H. Fox is rumored to have said:
>On 7/7/05, H. Fox <haganfox at gmail.com> wrote:
> > On 7/7/05, Neil Herber <nospam at eton.ca> wrote:
> > > At 2005-07-07  09:06 PM -0500, Patrick R. Michaud is rumored to have said:
> > > >So, it sounds as though what you really want is to set the author
> > > >name based on the password form and not based on authentication, so
> > > >perhaps something like:
> > > >
> > > >     $AuthUser['htpasswd'] = '/path/to/your/.htpasswd';
> > > >     include_once("$FarmD/scripts/authuser.php");
> > > >     if (@$_POST['authid']) {
> > > >       $Author = $_POST['authid'];
> > > >       setcookie('author', $Author, 0, '/');
> > > >     }
> > >
> > > Exactly what I want to do! I shall try it now.
> >
> > I think you can keep your users from spoofing a .htpasswd user by
> > slipping in two more lines:
> >
> >   $AuthUser['htpasswd'] = '/path/to/your/.htpasswd';
> >   include_once("$FarmD/scripts/authuser.php");
> >   if (@$_POST['authid']) {
> >     $Author = $_POST['authid'];
> >     setcookie('author', $Author, 0, '/');
> >   } else if (@$_COOKIE['author']) {
> >     $Author = $_COOKIE['author'];
> >   }
> >
> > This way:
> >
> > * If they try to log in as a .htpasswd user they will need the correct password.
> > * The name they use to log in cannot be changed using the Edit form's
> > Author field.
>
>Oops.  This might be better.
>
>    if ($action == 'edit') @session_start();
>    if (@$_SESSION['authid']) {
>      $Author=@$_SESSION['authid'];
>    } else if (@$_POST['authid']) {
>      $Author = $_POST['authid'];
>      setcookie('author', $Author, 0, '/');
>    } else if (@$_COOKIE['author']) {
>      $Author = $_COOKIE['author'];
>    }
>
>Hagan

I am disappointed to report that neither one prevents author spoofing. What 
I know about PHP fits on the back of a postage stamp, but my gut feel is 
that an authid test would have to be performed by authuser and can't be 
tacked on after the fact.

It needs to do something like:

if user name on form exists in .htpasswd
         if passwords match
                 user is authenticated, set author name
         else
                 user is a spoofer, refuse entry
         endif
else
         if password matches the shared password
                 user is unauthenticated, but we will accept the author name
         else
                 user is a complete bozo, refuse entry
         endif
endif


Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 
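The decision Neil sketches above, written out as a stand-alone PHP script. This is an added example for the thread, not PmWiki's authuser.php and not code posted by Neil, Hagan or Patrick. The function names, the sample .htpasswd contents and the shared password are constructed, and the script assumes the shared edit password is kept as a crypt-style hash rather than in clear text. The point it demonstrates is the one the quoted snippets miss: a name that exists in .htpasswd is never accepted from the form unless the password for that entry verifies, so the shared password cannot be used to claim a registered name.

```php
<?php
// Added example for this thread, not PmWiki's own code and not code posted by
// Neil, Hagan or Patrick. It implements the decision in Neil's pseudocode as a
// stand-alone script: a name listed in .htpasswd can only be used with that
// entry's password; any other name is accepted with the shared password; all
// else is refused. Function names and the sample data are constructed.

// Parse .htpasswd contents into name => hash. Comments and blank lines skipped.
function parse_htpasswd(string $contents): array {
    $users = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] !== '') {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

// Verify a password against one .htpasswd hash. Supports {SHA} entries and
// anything PHP's crypt() understands (bcrypt $2y$, SHA-crypt $5$/$6$, DES).
// Apache's $apr1$ format is not implemented here, so such entries fail closed.
function htpasswd_verify(string $password, string $hash): bool {
    if ($hash === '') {
        return false;
    }
    if (substr($hash, 0, 5) === '{SHA}') {
        $expected = base64_encode(sha1($password, true));
        return hash_equals(substr($hash, 5), $expected);
    }
    if (substr($hash, 0, 6) === '$apr1$') {
        return false;
    }
    // crypt() returns a short failure string ("*0"/"*1") for unknown salts;
    // hash_equals() then correctly reports a mismatch.
    return hash_equals($hash, crypt($password, $hash));
}

// Decide whether the submitted name/password pair may set $Author.
// $sharedHash is the hashed shared edit password (same hash formats as above).
// Returns ['ok' => bool, 'author' => ?string, 'reason' => string].
function resolve_author(array $users, string $authid, string $authpw, string $sharedHash): array {
    $authid = trim($authid);
    if ($authid === '') {
        return ['ok' => false, 'author' => null, 'reason' => 'no name given'];
    }
    if (array_key_exists($authid, $users)) {
        // Registered name: only the matching .htpasswd password may claim it.
        if (htpasswd_verify($authpw, $users[$authid])) {
            return ['ok' => true, 'author' => $authid, 'reason' => 'authenticated'];
        }
        return ['ok' => false, 'author' => null, 'reason' => 'wrong password for registered name'];
    }
    // Unregistered name: accepted on the shared password, never a registered one.
    if (htpasswd_verify($authpw, $sharedHash)) {
        return ['ok' => true, 'author' => $authid, 'reason' => 'shared password'];
    }
    return ['ok' => false, 'author' => null, 'reason' => 'refused'];
}

// Constructed sample data: two registered users and a hashed shared password.
$htpasswd = "# constructed sample, not a real file\n"
    . 'neil:' . password_hash('n3il-pass', PASSWORD_BCRYPT) . "\n"
    . 'hagan:{SHA}' . base64_encode(sha1('hagan-pass', true)) . "\n";
$users = parse_htpasswd($htpasswd);
$sharedHash = password_hash('quick', PASSWORD_BCRYPT);

$cases = [
    ['neil', 'n3il-pass'],   // registered name, own password: Author=neil
    ['neil', 'quick'],       // spoof attempt using the shared password: refused
    ['hagan', 'hagan-pass'], // {SHA} entry verified the same way: Author=hagan
    ['visitor', 'quick'],    // unregistered name + shared password: Author=visitor
    ['visitor', 'nope'],     // nothing matches: refused
];
foreach ($cases as [$id, $pw]) {
    $r = resolve_author($users, $id, $pw, $sharedHash);
    printf("%-8s %-10s -> %s (%s)\n", $id, $pw,
        $r['ok'] ? 'Author=' . $r['author'] : 'refused', $r['reason']);
}

// In local/config.php (an assumption about placement, not a documented hook)
// one would run resolve_author() on $_POST['authid'] and $_POST['authpw'] and
// set $Author and the author cookie only when $r['ok'] is true.
```

The contrast with the quoted snippets is the order of checks: they copy $_POST['authid'] into $Author whenever it is present, regardless of whether the password that came with it verified, whereas here the name is only trusted after the password check that belongs to that name has passed. The same verifier is used for the shared password so that a clear-text comparison never sits beside hashed entries.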