Example #1
// Validates an owner password.
//
// The owner password is first turned into the corresponding user password by
// GetUserPassword(); that derived value is then verified with
// CheckUserPassword(), once with the third argument FALSE and, only when that
// attempt is rejected, once more with TRUE.
//
// password / pass_size : candidate owner password bytes and their length.
// key / key_len        : forwarded unchanged to CheckUserPassword().
//
// Returns TRUE when the first attempt succeeds, otherwise whatever the second
// CheckUserPassword() call returns.
//
// NOTE(review): derived_pass holds password-derived material and nothing in
// this function scrubs it before the object goes out of scope.
FX_BOOL CPDF_StandardSecurityHandler::CheckOwnerPassword(FX_LPCBYTE password, FX_DWORD pass_size,
        FX_LPBYTE key, FX_INT32 key_len)
{
    CFX_ByteString derived_pass = GetUserPassword(password, pass_size, key_len);

    if (!CheckUserPassword(derived_pass, derived_pass.GetLength(), FALSE, key, key_len)) {
        // First attempt was rejected: the retry with TRUE decides the outcome.
        return CheckUserPassword(derived_pass, derived_pass.GetLength(), TRUE, key, key_len);
    }
    return TRUE;
}
// Validates an owner password.
//
// GetUserPassword() converts the owner password into the matching user
// password; the raw bytes of that derived value are then verified with
// CheckUserPassword(), first with the third argument FALSE and, only if that
// is rejected, again with TRUE.
//
// password / pass_size : candidate owner password bytes and their length.
// key / key_len        : forwarded unchanged to CheckUserPassword().
//
// Returns TRUE when the first attempt succeeds, otherwise the result of the
// second CheckUserPassword() call.
//
// NOTE(review): derived_pass holds password-derived material and nothing in
// this function scrubs it before the object goes out of scope.
FX_BOOL CPDF_SecurityHandler::CheckOwnerPassword(const uint8_t* password,
                                                 uint32_t pass_size,
                                                 uint8_t* key,
                                                 int32_t key_len) {
  CFX_ByteString derived_pass = GetUserPassword(password, pass_size, key_len);

  if (!CheckUserPassword(derived_pass.raw_str(), derived_pass.GetLength(),
                         FALSE, key, key_len)) {
    // First attempt was rejected: the retry with TRUE decides the outcome.
    return CheckUserPassword(derived_pass.raw_str(), derived_pass.GetLength(),
                             TRUE, key, key_len);
  }
  return TRUE;
}
Example #3
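// Checks a candidate password against the document's security settings.
//
// password / size : candidate password bytes and their length.
// bOwner          : non-zero to verify as the owner password, zero to verify
//                   as the user password.
// key / key_len   : buffer (and the length that goes with it) handed to the
//                   password-check helpers. key may be NULL, in which case a
//                   32-byte stack scratch buffer is substituted.
//
// Revision 5 and above is delegated to AES256_CheckPassword(), which does not
// receive key_len. For older revisions the owner path goes through
// CheckOwnerPassword(); the user path tries CheckUserPassword() with the third
// argument FALSE and then TRUE.
//
// Returns the delegated helper's result (non-zero on success), or 0 when key
// is NULL and key_len does not fit the scratch buffer.
int CPDF_StandardSecurityHandler::CheckPassword(FX_LPCBYTE password, FX_DWORD size, FX_BOOL bOwner, FX_LPBYTE key, FX_INT32 key_len)
{
    if (m_Revision >= 5) {
        return AES256_CheckPassword(password, size, bOwner, key);
    }
    FX_BYTE keybuf[32];
    if (key == NULL) {
        // key_len travels to the helpers together with the buffer, and this is
        // the only place that knows the fallback buffer is 32 bytes. Refuse a
        // length that the scratch buffer cannot back instead of forwarding the
        // mismatch. (Presumably key_len is validated when the encryption
        // dictionary is loaded -- this keeps the function safe on its own.)
        if (key_len < 0 || key_len > static_cast<FX_INT32>(sizeof(keybuf))) {
            return 0;
        }
        key = keybuf;
    }
    if (bOwner) {
        return CheckOwnerPassword(password, size, key, key_len);
    }
    return CheckUserPassword(password, size, FALSE, key, key_len) || CheckUserPassword(password, size, TRUE, key, key_len);
}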
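// Checks a candidate password against the document's security settings.
//
// password / size : candidate password bytes and their length.
// bOwner          : non-zero to verify as the owner password, zero to verify
//                   as the user password.
// key / key_len   : buffer (and the length that goes with it) handed to the
//                   password-check helpers. key may be null, in which case a
//                   32-byte stack scratch buffer is substituted.
//
// Revision 5 and above is delegated to AES256_CheckPassword(), which does not
// receive key_len. For older revisions the owner path goes through
// CheckOwnerPassword(); the user path tries CheckUserPassword() with the third
// argument FALSE and then TRUE.
//
// Returns the delegated helper's result (non-zero on success), or 0 when key
// is null and key_len does not fit the scratch buffer.
int CPDF_SecurityHandler::CheckPassword(const uint8_t* password,
                                        uint32_t size,
                                        FX_BOOL bOwner,
                                        uint8_t* key,
                                        int32_t key_len) {
  if (m_Revision >= 5) {
    return AES256_CheckPassword(password, size, bOwner, key);
  }
  uint8_t keybuf[32];
  if (!key) {
    // key_len travels to the helpers together with the buffer, and this is the
    // only place that knows the fallback buffer is 32 bytes. Refuse a length
    // that the scratch buffer cannot back instead of forwarding the mismatch.
    // (Presumably key_len is validated when the encryption dictionary is
    // loaded -- this keeps the function safe on its own.)
    if (key_len < 0 || key_len > static_cast<int32_t>(sizeof(keybuf))) {
      return 0;
    }
    key = keybuf;
  }
  if (bOwner) {
    return CheckOwnerPassword(password, size, key, key_len);
  }
  return CheckUserPassword(password, size, FALSE, key, key_len) ||
         CheckUserPassword(password, size, TRUE, key, key_len);
}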
Example #5
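/*
 * Copy the next whitespace-delimited token found at *cursor into dst.
 *
 * Returns 1 when a token was stored (and *cursor is advanced past it),
 * 0 when the input is exhausted, and -1 when the token needs more than
 * dstlen - 1 bytes; in the last case nothing is written to dst.
 */
static int kmp_next_token(const char **cursor, char *dst, size_t dstlen)
{
	/* the separators sscanf("%s") honours in the C locale */
	static const char blanks[] = " \t\n\v\f\r";
	const char *p = *cursor + strspn(*cursor, blanks);
	size_t n = strcspn(p, blanks);

	if (n == 0)
	{
		*cursor = p;
		return 0;
	}
	if (n >= dstlen)
		return -1;

	memcpy(dst, p, n);
	dst[n] = '\0';
	*cursor = p + n;
	return 1;
}

/*
 * Parse one KMP command line and write the reply to fp_out.
 *
 * cmd is split into up to six whitespace-separated fields:
 *     <kmp> <proto> <arg1> <arg2> <arg3> <arg4>
 * and dispatched on <proto> (USERNEW, USERQUERY, USERDATA, USERPLAN,
 * USERLIST). A command that matches none of them produces no output.
 *
 * cmd comes from the client, so every field is length-checked before it is
 * stored: the original unbounded sscanf("%s") and sprintf() calls wrote
 * past the STRLEN-sized buffers for long input. A request carrying a field
 * of STRLEN bytes or more is dropped the same way an unrecognised command
 * is (no output).
 *
 * r is not used by the active code (only by the disabled USERLOGIN branch).
 *
 * Always returns WEB_OK; failures are reported to the client as status
 * lines on fp_out.
 */
int ParseKMP(char *cmd, REQUEST_REC *r)
{

	char kmp[STRLEN], proto[STRLEN], data[STRLEN], arg1[STRLEN], arg2[STRLEN], arg3[STRLEN], arg4[STRLEN];
	char *fields[6];
	const char *cursor = cmd;
	int result, i, got;

	*kmp = *proto = *data = *arg1 = *arg2 = *arg3 = *arg4 = 0x00;

	if (cmd == NULL)
		return WEB_OK;

	fields[0] = kmp;
	fields[1] = proto;
	fields[2] = arg1;
	fields[3] = arg2;
	fields[4] = arg3;
	fields[5] = arg4;

	/* Like the sscanf() it replaces, parsing stops at the first missing
	 * field and the remaining ones stay empty. */
	for (i = 0; i < 6; i++)
	{
		got = kmp_next_token(&cursor, fields[i], STRLEN);
		if (got < 0)
		{
			/* NOTE(review): no status code for a malformed request is
			 * visible in this function, so the request is ignored
			 * silently; consider logging it. */
			return WEB_OK;
		}
		if (got == 0)
			break;
	}

#if 0
	fprintf(fp_out, "[%s]\r\n", cmd);
	fprintf(fp_out, "arg1=%s, arg2=%s, arg3=%s, arg4=%s\r\n",
		arg1, arg2, arg3, arg4);
	fflush(fp_out);
#endif

	if(!strcmp(proto, "USERNEW"))
	{
		/* NOTE(review): the arguments are pasted into a form-style string
		 * unescaped. If NewUser() splits `data` on '&' and '=', a value
		 * containing those characters changes the fields it sees --
		 * confirm, and reject or escape them here. */
		int n = snprintf(data, sizeof(data),
			"ID=%s&PASSWORD=%s&PASSWORD1=%s&NICKNAME=%s&EMAIL=%s",
			arg1, arg2, arg2, arg3, arg4);

		if (n < 0 || (size_t)n >= sizeof(data))
		{
			/* the combined request does not fit: fail the registration
			 * instead of submitting a truncated form */
			fprintf(fp_out, "721  註冊失敗\r\n");
		}
		else
		{
			result = NewUser(data, &curuser);

			if(result != WEB_OK)
			{
				if(strstr(WEBBBS_ERROR_MESSAGE, "帳號已存在") != NULL)
					fprintf(fp_out, "622  使用者帳號已存在\r\n");
				else
					fprintf(fp_out, "721  註冊失敗\r\n");
			}
			else
				fprintf(fp_out, "800  OK!!\r\n");
		}
	}
	else if(!strcmp(proto, "USERQUERY"))
	{
		/* NOTE(review): this branch answers without any password check and
		 * the reply includes curuser.lasthost -- confirm that is intended. */
		if (!get_passwd(&curuser, arg1))
		{
			bzero(&curuser, sizeof(USEREC));
			fprintf(fp_out, "621  使用者帳號不存在\r\n");
		}
		else
		{
			USER_INFO *quinf;
			char user_status[1024];

			if ((quinf = search_ulist(cmp_userid, curuser.userid)) && !(quinf->invisible))
			{
				snprintf(user_status, sizeof(user_status), "線上狀態: %s, 呼喚鈴: %s.",
					modestring(quinf, 1),
					(quinf->pager != PAGER_QUIET) ? MSG_ON : MSG_OFF);
			}
			else
				snprintf(user_status, sizeof(user_status), "目前不在線上");

			fprintf(fp_out, "800  OK!!\r\n");
			fprintf(fp_out, "%s\t%s\t%d\t%d\t%d\t%d\t%d\t%s\t%s\r\n",
				curuser.userid,
				curuser.username,
				curuser.userlevel,
				curuser.ident,
				curuser.numlogins,
				curuser.numposts,
				(int)curuser.lastlogin,
				curuser.lasthost,
				user_status);
		}
	}
	else if(!strcmp(proto, "USERDATA"))
	{
		/* An unknown account is not reported separately here: curuser is
		 * cleared and the password check below decides the reply. */
		if(!get_passwd(&curuser, arg1))
			bzero(&curuser, sizeof(USEREC));
		if(CheckUserPassword(arg1, arg2)!=Correct)
			fprintf(fp_out, "724  密碼錯誤\r\n");
		else
		{
			fprintf(fp_out, "800  OK!!\r\n");
			fprintf(fp_out, "%d\t%s\t%s\t%d\t%d\t%d\t%s\t%d\t%s\r\n",
				curuser.uid,
				curuser.userid,
				curuser.username,
				curuser.userlevel,
				curuser.numlogins,
				curuser.numposts,
				curuser.lasthost,
				curuser.lastctype,
				curuser.email);
		}
	}
	else if(!strcmp(proto, "USERPLAN"))
	{
		if (!get_passwd(&curuser, arg1))
		{
			bzero(&curuser, sizeof(USEREC));
			fprintf(fp_out, "621  使用者帳號不存在\r\n");
		}
		else
		{
			char userfile[PATHLEN];

			/* the path is built from the stored userid, not from arg1 */
			sethomefile(userfile, curuser.userid, UFNAME_PLANS);
			if(isfile(userfile))
			{
				fprintf(fp_out, "800  OK!!\r\n");
				ShowArticle(userfile, FALSE, FALSE);
			}
			else
			{
				fprintf(fp_out, "761  使用者無名片檔\r\n");
			}
		}
	}
	else if(!strcmp(proto, "USERLIST"))
	{
		int start = 0, end = 0;

		/* NOTE(review): atoi() accepts negative and non-numeric input; the
		 * range is passed on unchecked -- confirm ShowUserList() validates it. */
		if(*arg1)
			start = atoi(arg1);
		if(*arg2)
			end = atoi(arg2);

	#if 0
		fprintf(fp_out, "%p %p", post_file, &post_file);
		fflush(fp_out);
	#else
		post_file->list_start = start;
		post_file->list_end = end;
		ShowUserList("KMP", post_file);
	#endif
	}
#if 0
	else if(!strcmp(proto, "USERLOGIN"))
	{
		result = user_login(&cutmp, &curuser, CTYPE_WEBBBS, arg1, arg2,
			       r->fromhost);
		if (result == ULOGIN_OK)
		{
			memcpy(&uinfo, cutmp, sizeof(USER_INFO));
			break;
		}
		else if (result == ULOGIN_PASSFAIL)
		{
			outs(_msg_formosa_27);
			continue;
		}
		outs(_msg_formosa_44);


	}
#endif

	return WEB_OK;

}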
Example #6
File: bbsweb.c Project: wtj/formosa
/*******************************************************************
 *	根據 URLParaType 執行 POST 的要求
 *
 *	return HttpRespondType
 *******************************************************************/
int 
DoPostRequest(REQUEST_REC * r, BOARDHEADER * board, POST_FILE * pf)
{
	int result, URLParaType;
	char *form_data, *boardname;

	result = WEB_ERROR;
	URLParaType = r->URLParaType;
	boardname = board->filename;

	/* Get FORM data */
	if ((form_data = GetFormBody(r->content_length, WEBBBS_ERROR_MESSAGE)) == NULL)
		return WEB_ERROR;

#ifdef DEBUG
	weblog_line(server->debug_log, form_data);
	fflush(server->debug_log);
#endif

	if (PSCorrect == nLogin && URLParaType == PostSend)
	{
		/* PostSend allow username&password in form body without login */
		char pass[PASSLEN * 3];

		GetPara2(username, "Name", form_data, IDLEN, "");	/* get userdata from form */
		GetPara2(pass, "Password", form_data, PASSLEN * 3, "");
		Convert(pass, password);
		PSCorrect = CheckUserPassword(username, password);
	}

	if (URLParaType == PostSend
	    || URLParaType == TreaSend
	    || URLParaType == PostEdit
	    || URLParaType == TreaEdit
	    || URLParaType == PostForward
	    || URLParaType == TreaForward
	    || URLParaType == PostDelete
	    || URLParaType == TreaDelete
	    || URLParaType == SkinModify
	    || URLParaType == AccessListModify
		)
	{
		int perm;
		/* boardname should set in advance, now in ParseURI() */
		if (get_board(board, boardname) <= 0 || board->filename[0] == '\0')
			return WEB_BOARD_NOT_FOUND;
		if ((perm = CheckBoardPerm(board, &curuser)) != WEB_OK)
			return perm;
	}

	if (PSCorrect == Correct
	    || (PSCorrect == gLogin && (URLParaType == PostSend || URLParaType == TreaSend))
	    || URLParaType == UserNew)
	{
		int start, end;
		char path[PATHLEN];

		switch (URLParaType)
		{
			case PostSend:
			case TreaSend:
				if ((result = PostArticle(form_data, board, pf)))
				{
#if 1
					if (URLParaType == TreaSend)
					{
						if (strlen(pf->POST_NAME))
							sprintf(skin_file->filename, "/%streasure/%s/%s/$",
								BBS_SUBDIR, boardname, pf->POST_NAME);
						else
							sprintf(skin_file->filename, "/%streasure/%s/$",
								BBS_SUBDIR, boardname);
					}
					else
					{
						sprintf(skin_file->filename, "/%sboards/%s/",
						     BBS_SUBDIR, boardname);
					}
#endif

					if (PSCorrect == Correct)
						UpdateUserRec(URLParaType, &curuser, board);
				}
				break;

			case MailSend:
				if ((result = PostArticle(form_data, board, pf)))
				{
					sprintf(skin_file->filename, "/%smail/", BBS_SUBDIR);
					UpdateUserRec(URLParaType, &curuser, NULL);
				}
				break;

			case PostEdit:
			case TreaEdit:
				if ((result = EditArticle(form_data, board, pf)))
				{
					sprintf(skin_file->filename, "/%s%s.html",
						BBS_SUBDIR, pf->POST_NAME);
				}
				break;

			case PostForward:
			case TreaForward:
			case MailForward:
				if ((result = ForwardArticle(form_data, board, pf)))
				{
					find_list_range(&start, &end, pf->num, DEFAULT_PAGE_SIZE, pf->total_rec);
					setdotfile(path, pf->POST_NAME, NULL);
					sprintf(skin_file->filename, "/%s%s%d-%d",
					      BBS_SUBDIR, path, start, end);
				}
				break;

			case PostDelete:
			case TreaDelete:
			case MailDelete:
				if ((result = DeleteArticle(form_data, board, pf)))
				{
					if (URLParaType == PostDelete)
					{
						find_list_range(&start, &end, pf->num, DEFAULT_PAGE_SIZE, pf->total_rec);
						sprintf(skin_file->filename, "/%sboards/%s/%d-%d",
							BBS_SUBDIR, boardname, start, end);
					}
					else if (URLParaType == TreaDelete)
					{
						setdotfile(path, pf->POST_NAME, NULL);
						sprintf(skin_file->filename, "/%s%s",
							BBS_SUBDIR, path);
					}
					else
						/* MailDelete */
					{
						sprintf(skin_file->filename, "/%smail/", BBS_SUBDIR);
					}
				}
				break;

			case UserNew:
				if ((result = NewUser(form_data, &curuser)))
					sprintf(skin_file->filename, "%s%s%s",
						HTML_PATH, BBS_SUBDIR, HTML_UserNewOK);
				break;

			case UserIdent:
				if ((result = DoUserIdent(form_data, &curuser)))
					sprintf(skin_file->filename, "%s%s%s",
						HTML_PATH, BBS_SUBDIR, HTML_UserIdentOK);
				break;

			case UserData:
				if ((result = UpdateUserData(form_data, &curuser)))
					sprintf(skin_file->filename, "/%susers/%s",
						BBS_SUBDIR, HTML_UserData);
				break;

			case UserPlan:
				if ((result = UpdateUserPlan(form_data, &curuser)))
					sprintf(skin_file->filename, "/%susers/%s",
						BBS_SUBDIR, HTML_UserPlan);
				break;

			case UserSign:
				if ((result = UpdateUserSign(form_data, &curuser)))
					sprintf(skin_file->filename, "/%susers/%s",
						BBS_SUBDIR, HTML_UserSign);
				break;

			case UserFriend:
				if ((result = UpdateUserFriend(form_data, &curuser)))
					sprintf(skin_file->filename, "/%susers/%s",
						BBS_SUBDIR, HTML_UserFriend);
				break;

#ifdef WEB_ADMIN
			case BoardModify:	/* admin function */
				if (!HAS_PERM(PERM_SYSOP)
#ifdef NSYSUBBS
				    || !strstr(request_rec->fromhost, "140.17.12.")
#endif
					)
				{
					sprintf(WEBBBS_ERROR_MESSAGE,
					"%s 沒有權限修改看板設定", username);
					result = WEB_ERROR;
				}
				else if ((result = ModifyBoard(form_data, board)))
					sprintf(skin_file->filename, "/%sboards/%s/%s",
						BBS_SUBDIR, boardname, HTML_BoardModify);
				break;
#endif

			case SkinModify:	/* customize board skins */
				if (strcmp(username, board->owner) && !HAS_PERM(PERM_SYSOP))
				{
					sprintf(WEBBBS_ERROR_MESSAGE,
						"%s 沒有權限修改討論區介面", username);
					result = WEB_ERROR;
				}
				else if (!(board->brdtype & BRD_WEBSKIN))
				{
					sprintf(WEBBBS_ERROR_MESSAGE,
						"討論區 [%s] 尚未打開自定介面功\能", board->filename);
					result = WEB_ERROR;
				}
				else if ((result = ModifySkin(form_data, board, pf)))