Do not override the passwd string. First, it prevents the md5 from working if the crypt() check fails, and it is also useless to override it since the parameter is passed by value and not by reference.
Fix lineup of copyright lines and module names and other bits of formatting and typos in header comment sections.
Fix pw syntax when local_group_set() is called with reset == true; -M always requires a parameter
Add an extra protection to avoid having an empty group created
Actually require group name!
Do not do operations for empty group members
remove old DISABLE_PHP_LINT_CHECKING, which dates way back to the CVS days and hasn't been relevant in years.
Detect when protocol changes and invalidate session to get a new cookie with secure flag set accordingly. It fixes #3714
Always set httponly attribute on cookies
Add comment I forgot on last commit
Re-generate session ID on a successful login to avoid session fixation
Replace Header() calls by lowercase
Merge branch 'master-br' of https://github.com/ayvis/pfsense into ayvis-master-br
standardize URLs
xhtml Compliance: replaced <br>, <br/> and </br> with <br />
Remove register_long_arrays from php.ini and from php code the use of HTTP_*_VARS as it's deprecated and luckily low use in pfSense, to win memory and compatibility
Provide a safer way to avoid pw userdel being interactive because of a crontab existence
Revert "local_sync_accounts: provides empty STDIN to pw userdel command"
This reverts commit c6b156bfa537754d079868653ef3561eb1330d8c.
local_sync_accounts: provides empty STDIN to pw userdel command
The /usr/sbin/pw command may wait for user input. For example, if there is a manual crontab setting for the foobar account, then when this account is requested to be deleted, the command will ask if the user wants to delete the crontab settings for the account....
Revert "Add conf_mount_rw calls on functions that changes user/groups. It fixes #3294"
This reverts commit b1e5a286bb47d7e4a5b3d589cc27b557b3b13c41.
Add conf_mount_rw calls on functions that changes user/groups. It fixes #3294
Add LDAP server options to control UTF8-encoding of parameters. Fixes #2227. While I'm here, add a checkbox to prevent the stripping of @ from the LDAP username if the user wants the full name transmitted.
Ignore errors/warnings from these calls
Include both dyndns and rfc2136 hosts in referer check
Include RFC2136 hosts in DNS rebinding checks.
Set LDAP option to dereference aliases when searching
Print the error message from LDAP in the log for a bind failure.
Add a knob in the GUI to set the RADIUS authentication timeout. Previous default was 3s, new is 5s. When using two-factor auth via external (e.g. phone), this needs to be set much higher, 60-120.
Something in the LDAP libraries has changed and it no longer likes spaces in the CA filename. Use the refid for the CA filename since it will always be unique, and it will never contain any spaces, unlike authname or the CA's descr.
Removing gettext from strings that should not be translated
Put these logs under debug since that's their purpose
authentication, don't log 'errors' on normal procedure
Not sure why this has been hidden so deep but putting that in the right place should help with error displayed related to HEADER already sent in PHP errors.log
Suppress the error message if the ldap bind doesn't happen
Fix LDAP over IPv6 (works fine, just needed slight adjustment to URI)
Import OpenVPN cisco style radius attributes applying policy to logged in users. Feature #2100
Do not allow empty passwords since this might cause problems for some authentication servers like ldap. Fixes #2326
As suggested by wagonza, using SAMEORIGIN for X-Frame-Options is sufficient here, and does allow the traffic graphs to work. Fixes #2419
Add click jacking support. Ticket #2419
Handle HTTPOnly and Secure flags on cookies
Looking at pw code: ':' chars are invalid in a comment field (git diff!). Replace those with just a space
Another try to eliminate the warning 'PHP Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/authgui.inc:201) in /usr/local/www/guiconfig.inc on line 47'
Revert "Check if a session already exists to avoid errors issued by php on session_start being called on existing session"
This reverts commit 9b2de7e2a6afab31e1a62ac8d54435975a22a9a7.
Check if a session already exists to avoid errors issued by php on session_start being called on existing session
Include admin user in bootup account sync
Be more careful when creating and removing a user, to only alter a user if it really matches the passwd entry. Fixes #2066. pw usershow likes to ignore what you want even with -n, and if the user is numeric and doesn't exist, it fetches by uid. Can cause major problems if you try to remove a numeric user.
Unbreak a number of explode() replacements which required preg_split()
mhash -> hash change from Ermal
The function split() is replaced by the function explode(). Starting with PHP 5.3 this is deprecated and with version 6 gone. Replacing it suppresses all the warnings
Ticket #1052. Merge patch referenced in ticket.
Do not pass the ldap port separately, but add it to the LDAP URL. PHP's ldap_connect() ignores the passed port parameter if the first parameter is a URL instead of a hostname.
Include certs.inc before calling lookup_ca in auth.inc. Fixes #1927
Check that we have user password, otherwise strange things happen if there is nothing stored in the config
Added extended query possibility (for example, group membership)
Unbreak the DNS rebind check when accessing over IPv4
Fix the referrer checks for IPv6 addresses Ticket #1583
Fix the DNS rebind Check for IPv6 addresses Ticket #1583
Correct array key typo mistake. Ticket #1052
Ticket #1052. Enforce certificates if they are present for authenticating to ldap. Allow to select a CA under ldap type authentication backend to be used for this.
Merge remote-tracking branch 'upstream/master'
Conflicts: etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/interfaces.inc etc/inc/services.inc etc/inc/xmlrpc_client.inc usr/local/www/fbegin.inc usr/local/www/services_dhcp.php
Merge remote branch 'upstream/master'
Merge remote-tracking branch 'mainline/master' into inc
Add proper checks in auth code for testing if the section has been set in the config. Also do the same in the upgrade code
Conflicts: etc/inc/gwlb.inc
Add an IPsec xauth permission. Try to use the nologin shell first (just unlock the account). Ticket #1202
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc etc/inc/priv.defs.inc etc/inc/services.inc...
Add IPv6 support to the DNS rebinding attack function
Make it possible to turn off successful login messages, this should quiet the console, system logs
Merge branch 'master' into inc
Conflicts: etc/inc/captiveportal.inc etc/inc/config.console.inc etc/inc/config.lib.inc etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/ipsec.inc etc/inc/pkg-utils.inc etc/inc/shaper.inc...
Silence warnings.
allow 127.0.0.1 and localhost for HTTP_REFERER checks
Merge remote branch 'mainline/master' into inc
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/gwlb.inc etc/inc/interfaces.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc...
Correct webConfigurator auth/error messages
Add log_auth() which will send items to syslogd using LOG_AUTH facilities. Use this new log_auth() for login error and success entries
Switches must come after the user name when using pw lock/unlock.
Remove authorized_keys file when there are no authorized keys for the user.
Add successful user for sshlockout
Reword auth error message to match ssh for the most part
Revert "Add Active Directory group membership checking Ticket #1009"
This reverts commit ef17372492fb3d271497160a816eba64b3bcf436.
Add Active Directory group membership checking Ticket #1009
Don't consider the HTTP referrer check as passing if it was skipped. Ticket #1027
Upon restoring a config, replacing whole sections, or editing config.xml in edit.php, prevent possible accidental lockout from DNS rebind and HTTP referrer checks by disabling them until reboot or the next time they pass, whichever comes sooner. Ticket #1027
Various fixes and improvements for the DNS rebind and HTTP referrer checks.
Add workaround for referrer check to not be triggered on the previous IP address when redirected by the setup wizard.
Conflicts: etc/inc/PEAR.inc etc/inc/filter.inc
Make sure this isn't searching the referrer using a blank host or IP, which will always match the referrer.
Fix case for testing the referrer check setting. Ticket #1011
Don't perform referer check if display_error_form is not defined (captive portal), just like as is done for the DNS rebind check. Ticket #1007
Unset this reference before reusing the variable name to prevent corruption of groups.
Fix a theoretical/potential XSS in the http_referer check warning.
Correct HTTP_REFERER check when using an IP address vs the firewall's hostname
Remove trailing carriage return
This will prevent HTML pages from crafting HTML GETs against the web interface and will prevent firewall admins from being "tricked" into clicking on links that may be harmful to their firewall.
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/priv.defs.inc etc/inc/system.inc etc/inc/upgrade_config.inc etc/inc/vpn.inc
Do not require LDAP search base DN. Requiring this can prevent some valid LDAP configurations from properly authenticating. (See GDD-550841).
Add a note to the DNS Rebinding protection error letting the user know to try by IP address.
Convert fullname field on users to descr, so it gains CDATA protection.
More gettext fixes