Index: branches/2.8.x/CHANGELOG =================================================================== --- branches/2.8.x/CHANGELOG (revision 1497) +++ branches/2.8.x/CHANGELOG (revision 1498) @@ -12,6 +12,8 @@ =============================== FEATURES FREEZE ================================ ----------------------------------- Fixes 2.8.2 -------------------------------- +11 Aug-2011 Build 1498 Werner v.d.Decken(DarkViper) +# fixed secureform 11 Aug-2011 Build 1497 Werner v.d.Decken(DarkViper) ! sync changelog 11 Aug-2011 Build 1496 Werner v.d.Decken(DarkViper) Index: branches/2.8.x/wb/admin/interface/version.php =================================================================== --- branches/2.8.x/wb/admin/interface/version.php (revision 1497) +++ branches/2.8.x/wb/admin/interface/version.php (revision 1498) @@ -52,4 +52,4 @@ // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) if(!defined('VERSION')) define('VERSION', '2.8.2'); -if(!defined('REVISION')) define('REVISION', '1497'); +if(!defined('REVISION')) define('REVISION', '1498'); Index: branches/2.8.x/wb/framework/SecureForm.php =================================================================== --- branches/2.8.x/wb/framework/SecureForm.php (revision 1497) +++ branches/2.8.x/wb/framework/SecureForm.php (revision 1498) @@ -14,13 +14,8 @@ * @version $Id$ * @filesource $HeadURL$ * @lastmodified $Date$ - * @description + * @description */ -/* -------------------------------------------------------- */ -// Must include code to stop this file being accessed directly -require_once('globalExceptionHandler.php'); -if(!defined('WB_PATH')) { throw new IllegalFileException(); } -/* -------------------------------------------------------- */ class SecureForm { @@ -30,11 +25,11 @@ private $_FTAN = ''; private $_IDKEYs = array('0'=>'0'); - private $_ftan_name = 'x'; + private $_ftan_name = ''; private $_idkey_name = ''; private $_salt = ''; private $_fingerprint = ''; - + /* Construtor */ protected function __construct($mode = self::FRONTEND) { @@ -43,10 +38,10 @@ $this->_fingerprint = $this->_generate_fingerprint(); // generate names for session variables $this->_ftan_name = - substr($this->_fingerprint, -(16 + hexdec(substr($this->_fingerprint, 0, 1))), 16); + substr($this->_fingerprint, -(16 + hexdec($this->_fingerprint[0])), 16); // make sure there is a alpha-letter at first position $this->_ftan_name = $this->_makeFirst2Letter($this->_ftan_name); - $this->_idkey_name = + $this->_idkey_name = substr($this->_fingerprint, hexdec($this->_fingerprint[strlen($this->_fingerprint)-1]), 16); // make sure there is a alpha-letter at first position $this->_idkey_name = $this->_makeFirst2Letter($this->_idkey_name); @@ -55,19 +50,14 @@ { $this->_IDKEYs = $_SESSION[$this->_idkey_name]; }else{ - $this->_IDKEYs = array('FF'=>'FF'); + $this->_IDKEYs = array('0'=>'0'); $_SESSION[$this->_idkey_name] = $this->_IDKEYs; } } - /** - * make sure, the first Char of the hexnumber is a valid letter a-f) - * @param string $string hex - string - * @return string - */ + private function _makeFirst2Letter($string) { - $replacement = dechex(10 + (hexdec(substr($string, 0, 1)) % 5)); - $string = (string)substr_replace( $string , $replacement , 0, 1); + $string[0] = dechex(10 + (hexdec($string[0]) % 5)); return $string; } @@ -140,7 +130,6 @@ */ final public function getFTAN( $mode = 'POST') { - if( $this->_FTAN == '') { $this->createFTAN(); } $ftan = $this->_calcFtan($this->_FTAN); if((is_string($mode) && strtolower($mode) == 'post') || ($mode === true)) { // by default return a complete, hidden -tag @@ -164,16 +153,15 @@ $retval = false; if(isset($_SESSION[$this->_ftan_name])) { - if( ($_SESSION[$this->_ftan_name] != '') && - (strlen((string)$_SESSION[$this->_ftan_name]) == strlen(md5('dummy')))) + if( $_SESSION[$this->_ftan_name] && (strlen($_SESSION[$this->_ftan_name]) == strlen(md5('dummy')))) { $ftan = $this->_calcFtan($_SESSION[$this->_ftan_name]); unset($_SESSION[$this->_ftan_name]); $mode = (strtoupper($mode) != 'POST' ? '_GET' : '_POST'); - if( isset(${$mode}[$ftan[0]])) + if( isset($GLOBALS[$mode][$ftan[0]])) { - $retval = (${$mode}[$ftan[0]] == $ftan[1]); - unset(${$mode}[$ftan[0]]); + $retval = ($GLOBALS[$mode][$ftan[0]] == $ftan[1]); + unset($GLOBALS[$mode][$ftan[0]]); } } } @@ -265,6 +253,6 @@ */ final public function clearIDKEY() { - $this->_IDKEYs = array('FF'=>'FF0'); + $this->_IDKEYs = array('0'=>'0'); } -} +} \ No newline at end of file