History log of /dokuwiki/inc/auth.php (Results 101 – 125 of 331)
Revision Date Author Comments
# 395c2f0f 23-Sep-2014 Andreas Gohr <andi@splitbrain.org>

clean user credentials from control chars

This is to prevent zero byte attacks on external auth systems as
described in
http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication


# e5204a12 30-Jul-2014 Jurgen Hart <jhart@winterfell.schenkerit.com>

Added @ALL handling in auth_isMember


# 49cd1ed0 26-Jul-2014 Andreas Gohr <andi@splitbrain.org>

fix AUTH_USER_CHANGE event in profile updates

the triggered event did not allow event handlers to change the passed
data


# 2dc9e900 04-May-2014 Christopher Smith <chris@jalakai.co.uk>

KISS - remove class constants for REQUIRE_GROUPS & IGNORE_GROUPS and replace with boolean values


# 2046a654 12-Mar-2014 Christopher Smith <chris@jalakai.co.uk>

Allow user info to be retrieved without groups

Some parts of dokuwiki (e.g. recent changes, old revisions) can
request lots of user info (to provide editor names) without
requiring any group information.

This change also implements caching of user info by authmysql &
authpgsql plugins to avoid repeated querying of the DB to retrieve
the same user information.


# 585bf44e 06-Mar-2014 Christopher Smith <chris@jalakai.co.uk>

amend $_SERVER to $INPUT->server


# f87b5dbb 05-Mar-2014 Christopher Smith <chris@jalakai.co.uk>

use isset() + ?: or error suppression where value may not be set


# 55a71a16 04-Mar-2014 Gerrit Uitslag <klapinklapin@gmail.com>

removed pre PHP 5.2 code wrt setcookie and session setting

- moved cookiedir determination in the if-statement


# 04d68ae4 20-Feb-2014 Gerrit Uitslag <klapinklapin@gmail.com>

PHPDocs auth.php


# c17acc9f 05-Jan-2014 Andreas Gohr <andi@splitbrain.org>

AUTH_ACL_CHECK event around ACL checking

allows to modify ACL results in the AFTER event or to implement a
completely different ACL mechanism in the BEFORE event.


# 21c3090a 21-Oct-2013 Christopher Smith <chris@jalakai.co.uk>

replace \s, \S with [ \t], [^ \t] in regexs used with acls


# 443e135d 16-Oct-2013 Christopher Smith <chris@jalakai.co.uk>

replace boolean conditional checks on possibly uninitialized vars with !empty/empty/isset as appropriate


# 30f6faf0 16-Oct-2013 Christopher Smith <chris@jalakai.co.uk>

update for deprecated '/e' flag in preg_replace (php 5.5)


# 2f7a0e94 11-Sep-2013 Matt Perry <matt@mattperry.com>

Fix CodeSniffer whitespace violations

Removed extraneous whitespace to eliminate errors reported by the
Squiz.WhiteSpace.SuperfluousWhitespace sniff.


# 7ef8e99f 22-Aug-2013 Matt Perry <matt@mattperry.com>

Fix CodeSniffer violations

Change indentation to ensure code conforms to CodeSniffer rules.


# b8983d3a 21-Aug-2013 Matt Perry <matt@mattperry.com>

Fix CodeSniffer violations

Remove whitespace from end of lines to reduce the number of CodeSniffer
violations.


# ad3d68d7 03-Aug-2013 Christopher Smith <chris@jalakai.co.uk>

Fix a couple of bugs in ACL substitution mechanism

- %GROUP% & %USER% can now both be used in the same rule, e.g.

%GROUP%:%USER% 2

- rules with tokens will be skipped when the user is not logged in
previously %USER% was attempted


# 836a1762 02-Aug-2013 Andreas Gohr <andi@splitbrain.org>

Merge branch 'FS#2751' of git://github.com/splitbrain/dokuwiki into pull-request-245

* 'FS#2751' of git://github.com/splitbrain/dokuwiki:
coding corrections. correct type hint, remove unused variable assignment
de/de-informal: localization updates (delete user function)
unit tests for self deleting of user accounts
FS#2751 - self deletion of user account


# 73012efd 02-Aug-2013 Christopher Smith <chris@jalakai.co.uk>

coding corrections. correct type hint, remove unused variable assignment


# 20587314 31-Jul-2013 Andreas Gohr <andi@splitbrain.org>

Merge pull request #246 from splitbrain/profileform_improvements

HTML5isation of some forms


# 71422fc8 31-Jul-2013 Christopher Smith <chris@jalakai.co.uk>

Change error message shown for incorrect current password on update profile form.

The current message confusingly mentions bad 'username' when username is not involved. The
new message is the same as that introduced for an incorrect current password on the self
delete profile form (FS#2751)


# 2a7abf2d 31-Jul-2013 Christopher Smith <chris@jalakai.co.uk>

FS#2751 - self deletion of user account


# 7b650cef 31-Jul-2013 Michael Hamann <michael@content-space.de>

auth_en/decrypt: Add explanation and more efficient decryption

Added an explanation that what we do is like normal CBC but that we
additionally encrypt the IV which is actually suggested by the NIST for
non-random (but unique) IVs. In the decryption process it's not
necessary to decrypt the IV, this should save some time.


# 8269996a 31-Jul-2013 Michael Hamann <michael@content-space.de>

auth_random: remove exception comment as there is no exception


# 04369c3e 30-Jul-2013 Michael Hamann <michael@content-space.de>

Add AES from phpseclib and use it for cookie encryption

This replaces the deprecated and broken Blowfish implementation that has
previously been used and should provide a lot more security.

