Simple Text-File Login script (SiTeFiLo).
Copyright ©2004,2005,2006,2017 by Mario A. Valdez-Ramirez (mario@mariovaldez.org).
(Read the license.txt file for details).

This is version 1.0.7.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Summary of this release (1.0.7):

* Changed file encoding to UTF-8.
* Simplified variable filtering and handling.
* Updated compatibility with PHP 7.
* Removed slogin_path variable support (as it may trigger a security vulnerability if the system is misconfigured).
* Some bug fixes.

NOTE: support for the optional variable slogin_path has been removed, as it may cause a security vulnerability if you don't set the variable in your pages AND the server has the PHP option register_globals enabled AND the PHP option allow_url_include is enabled.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1.0.7, 2017/03/04:

Changed all checks for GET and POST variables to avoid triggering notice messages.

Simplified variable handling and filtering.

Removed all calls to old ereg functions.

Removed unneeded closing PHP tags.

Added check to stop if register_globals is enabled.

Redirect if the main slogin script is called directly.

Changed all scripts to UTF-8.

Removed support for the slogin_path variable.

Simplified fslogin_setpwfile function.

Removed fslogin_norm_filename and fslogin_remove_accents functions.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1.0.6, 2006/01/04:

Added example link to the administration page in the index.php script file.

Added example user (with email as username) to slog_users.txt and slog_users.php example files.

Updated all copyright notices to add the current (2006) year.

Added new slogin_allowuser_redirect configuration variable to slogin_lib.inc.php file, to set/unset the per-user postlogin redirection.
If enabled, the user is redirected after login to a subdirectory named as his/her username appended to the slogin_default_redirect redirection URL. This fixes Bug #304.

Added new configuration constant to slogin_lib.inc.php script (SLOGIN_ADMIN_USERNAME) to set the username of the administrator user. Previously, the user was hardcoded as "admin". Added supporting code to adminlog.php file. This fixes Bug #305.

Modified the code in slogin_lib.inc.php that gets the username and password from POSTed variables so that it accepts the "at" symbol (@), allowing usernames to be email addresses. This fixes Bug #303.

Modified authentication code block in slogin_lib.inc.php so that the admin user is not redirected after login or after logout. Previously, the admin user was also redirected as a normal user. This fixes Bug #306.

Modified function fslogin_show_logs in slogin_lib.inc.php script file to display the file size (in kb) of each log file. This fixes Bug #307.

Added new function fslogin_show_baks to slogin_lib.inc.php script to display a list of compressed backup user-files (linked for download and with a deletion button). This is part of the fix of Bug #310.

Added new function fslogin_norm_poststring to slogin_lib.inc.php script to space-trim and delete escaping-slashes from a given string. To be used to clean up received strings from forms.

Added new function fslogin_norm_filename to slogin_lib.inc.php script to clean up received filenames from forms. This is part of the fix of Bug #310 and Bug #308.

Added new function fslogin_remove_accents to slogin_lib.inc.php script to convert accented characters to ASCII ones. To be used to clean up received filenames from forms. This is part of the fix of Bug #310 and Bug #308.

Added new function fslogin_gzip_file to slogin_lib.inc.php script to compress a given file. To be used to create backup copies of the user files. This is part of the fix of Bug #310.

Added new function fslogin_del_file to slogin_lib.inc.php script to delete a given file. To be used to delete backup copies of the user files. This is part of the fix of Bug #310.

Added code to adminlog.php script file to: list, edit, save, compress the password files; and list, delete the backed up password files. This fixes Bug #308 and Bug #310.

Added code to adminlog.php to convert clear text to MD5 hashes (available also while editing the password file), only if MD5 hashes are enabled by the configuration. This fixes Bug #309.

Deleted code from slogin_lib.inc.php regarding a "login" GET variable which is no longer used.

Added code to slogin_lib.inc.php to also record in the log when the user logs out. This fixes Bug #152.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1.0.5, 2005/06/23:

Added German language strings contributed by Anja Pregowski (pregoanj@zhwin.ch).

Added support for after-logout redirection (after logout, the user is redirected to another page).

Added some missing variables in the adminlog.php page (in the showcfg block).

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1.0.4, 2005/06/17:

Added default language option, so individual pages can have their own language (defined by the per-page slogin_lang variable).

Added default page title, to be used in case the including PHP page doesn't define one.

Added support for after-login redirection (after logging in, the user is redirected to another page).

Added sanitizing code for user variables.

Added French language strings contributed by Christophe Helson (christophe.helson@free.fr).

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1.0.3, 2004/12/25:

Added support for pages on directories. Previously, we only supported pages on the same directory. Now all pages can be on different subdirectories. A global variable ($slogin_path) is set per-page to define the relative position of the include files (if unset, the script assumes all includes are in the current dir).

Fixed a bug that prevented the listing of log files in adminlog.php if configuration variable slogin_canusefopen was set.

Added option to adminlog.php to show the current PHP configuration (only available if logged as the admin user).

Added option to adminlog.php to show the current SiTeFiLo configuration (only available if logged as the admin user).

Added simple navigation to adminlog.php.

Added missing title page to adminlog.php.

Added license text to slogin_genpass.php.

Added missing source-code comments in slogin_lib.inc.php.

Fixed bug in function fslogin_show_logs in slogin_lib.inc.php where variable slogin_php_self was not set (was not included in the function scope).

Added return value to function fslogin_show_logs in slogin_lib.inc.php with the total number of log files listed.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1.0.2, 2004/10/11:

Added support for MD5 hashed (encrypted) passwords in function fslogin_check_user in slogin_lib.inc.php.

Added new configuration variable slogin_usehashes to slogin_lib.inc.php.

Added example users to slog_users.txt and slog_users.php files with MD5 hashed passwords.

Created new script slogin_genpass.php to generate MD5 hashes from a given string. To be used to generate MD5 hashes.

Added preset value for username field in slogin.inc.php so that the username field is prefilled with the latest tried username.

Added length verification for POST and SESSION data, to improve security.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1.0.1, 2004/07/28:

Added alternative users file (slog_users.php) to use when fopen is disabled.

Added verifications to slogin_lib.inc.php to check if fopen was successful or not (when reading the user file or writing to the logs).

Added checks to adminlog.php for user identity (only admin can see the logs) and if we can use fopen or not. If we are not using fopen we can't show the logs, as there are no logs to show anyway.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 1.0.0, 2004/07/14: Initial release. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYvcvrAAoJEL01TJa9jiAVpBoQAME08Ca0CoZ7Kx+1j8bjvwjB 2vNeCuEl3hC2nn901AO0JBE+9M6u0duY84lZsx2Cj+UnWKA1FgK057twqp9G/sWm X3nYuJ0yjr+ZSHh1pxN11az9RYCK4L61hLKPys+NGgKsDh5njr4C3dnzhH5Hu/Ne AHWBzXwBhPutjNb+P3XSukdYXVFael43qXtbVUnieWjh4SyYtCJus2Hmz6vw183j Oq6SoBzF08waptGZX7tnrTiIHINdg1czzil/EzJbVT6e3a34mW1r++Dx4SXMCaou 44kbmYAYRpBoovsZBZyVWFHDUYdcJgJwUyutDYQ6i+6hWFGalMNicCOC8H24PNSW XjMAWFdjIlclzMDShH9IEHtmi4eviuy2m2LgKFhIOJXCfaLyQJXY2OXqa/3zUEQj cve3g4DCM8AWFB43PF+6/c8Q1LZosmGzlWWX4OvcqgTdi9UCa4uiKbmJz0gP9mWK gxScUgRaxh9sCFNJhXy3ftIhmR3UEvGmdoW8ZRBgFzN5zejlc85UA5on8HEud2Gs GwW9uTz5OSpk/rNUq/MERLwKaNdQm+oFgO+AkrGY7HSu3XtrD2Mk5g1jRMpLPd4G dIXAYhjLevpaCYifT15yeu/UPmDfYVmFFxhgnRkZRTMNRPWXY2aK8ELiNCKuw7Wy 13LGM7RCKsitXt1j1Sxc =U/UV -----END PGP SIGNATURE-----
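
The 1.0.7 note on slogin_path names two server settings (register_globals and allow_url_include) that, together with a page leaving the variable unset, made the include location attacker-influenced. The following PHP is an added example and not SiTeFiLo code: it checks for those two settings and resolves include files against a fixed directory instead of a per-page variable. The function names and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example, not SiTeFiLo code. Function names are hypothetical.

// Interpret a php.ini boolean the way PHP does for "1", "On", "true", "yes".
function ini_flag_on($value): bool
{
    return in_array(strtolower(trim((string) $value)), ['1', 'on', 'true', 'yes'], true);
}

// Report which of the two server-side preconditions from the 1.0.7 note hold.
// ini_get() returns false for options the running PHP does not have
// (register_globals was removed in PHP 5.4); false counts as "off" here.
function risky_ini_settings(array $ini): array
{
    $risky = [];
    foreach (['register_globals', 'allow_url_include'] as $name) {
        if (isset($ini[$name]) && ini_flag_on($ini[$name])) {
            $risky[] = $name;
        }
    }
    return $risky;
}

// Resolve an include file against a fixed base directory. Only a bare file
// name that exists directly inside $base is accepted; anything carrying a
// path, a URL, or resolving outside $base yields null.
function resolve_include(string $base, string $file): ?string
{
    if ($file === '' || $file !== basename($file)) {
        return null;                       // contains a directory or URL part
    }
    $root = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $path === false || dirname($path) !== $root) {
        return null;                       // missing file, or link out of $base
    }
    return $path;
}

// Constructed sample settings, not taken from a real server.
$legacy  = ['register_globals' => 'On', 'allow_url_include' => '1'];
$current = ['register_globals' => false, 'allow_url_include' => '0'];
var_dump(risky_ini_settings($legacy));
var_dump(risky_ini_settings($current));

// Live settings of the PHP that runs this file.
$live = ['register_globals'  => ini_get('register_globals'),
         'allow_url_include' => ini_get('allow_url_include')];
var_dump(risky_ini_settings($live));

// This file itself is accepted; a URL and a parent-directory path are not.
var_dump(resolve_include(__DIR__, basename(__FILE__)) === realpath(__FILE__));
var_dump(resolve_include(__DIR__, 'http://example.invalid/slogin_lib.inc.php'));
var_dump(resolve_include(__DIR__, '../slogin_lib.inc.php'));
```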