s3browser/auth.php at main · janforman/s3browser · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
<?php
require('config.php');

// S3 generate secure link
if (!function_exists('el_crypto_hmacSHA1')) {
        function el_crypto_hmacSHA1($key, $data, $blocksize = 64)
        {
                if (strlen($key) > $blocksize) $key = pack('H*', sha1($key));
                $key = str_pad($key, $blocksize, chr(0x00));
                $ipad = str_repeat(chr(0x36), $blocksize);
                $opad = str_repeat(chr(0x5c), $blocksize);
                $hmac = pack('H*', sha1(
                        ($key ^ $opad) . pack('H*', sha1(
                                ($key ^ $ipad) . $data
                        ))
                ));
                return base64_encode($hmac);
        }
}

if (!function_exists('el_s3_getTemporaryLink')) {
        function el_s3_getTemporaryLink($accessKey, $secretKey, $bucket, $path, $expires = TIMEOUT_MINUTES)
        {
                $expires = time() + intval(floatval($expires) * 60);
                $path = str_replace('%2F', '/', rawurlencode($path = ltrim($path, '/')));
                $signpath = '/' . $bucket . '/' . $path;
                $signsz = implode("\n", $pieces = array('GET', null, null, $expires, $signpath));
                $signature = el_crypto_hmacSHA1($secretKey, $signsz);
                if (S3USEPATH) $url = sprintf(S3PROTOCOL.S3ENDPOINT.'/%s/%s', $bucket, $path); else $url = sprintf(S3PROTOCOL.'%s.'.S3ENDPOINT.'/%s', $bucket, $path);
                $qs = http_build_query($pieces = array(
                        'AWSAccessKeyId' => $accessKey,
                        'Expires' => $expires,
                        'Signature' => $signature,
                ));
                return $url . '?' . $qs;
        }
}
// S3 generate secure link

if (USE_AUTH == false) return;

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
  setcookie("verify", '', $timeout, '/'); // clear password;
  header('Location: ' . LOGOUT_URL);
  exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
<html>
<head>
  <title>Please enter password to access this page</title>
  <meta http-equiv="cache-control" content="no-cache">
  <meta http-equiv="pragma" content="no-cache">
  <link rel="stylesheet" href="assets/css/styles.css" />
</head>
<body>
  <style>
    input { border: 3px solid #373743;margin:8px; padding: 4px;border-radius: 6px }
  </style>
  <div class='password'>
  <form method="post">
    <h3>Please enter password to access this page</h3>
    <font color="black"><?php echo $error_msg; ?></font><br />
<?php if (USE_USERNAME) echo 'Login:<br /><input type="input" name="access_login" /><br />Password:<br />'; ?>
    <input type="password" name="access_password" /><p></p><input type="submit" name="Submit" value="Submit" />
  </form>
  </div>
</body>
</html>

<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

  $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
  $pass = $_POST['access_password'];
  if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) )
  ) {
    showLoginPasswordProtect("Incorrect password.");
  }
  else {
    // set cookie if password was validated
    setcookie("verify", sha1($login.'%'.$pass), $timeout, '/');

    // Some programs (like Form1 Bilder) check $_POST array to see if parameters passed
    // So need to clear password protector variables
    unset($_POST['access_login']);
    unset($_POST['access_password']);
    unset($_POST['Submit']);
  }

}
else {
  // check if password cookie is set
  if (!isset($_COOKIE['verify'])) {
    showLoginPasswordProtect("");
  }

  // check if cookie is good
  $found = false;
  foreach($LOGIN_INFORMATION as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    if ($_COOKIE['verify'] == sha1($lp)) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", sha1($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    showLoginPasswordProtect("");
  }
}