[aur-dev] [PATCH 1/2] Add a configuration setting to disallow HTTP login

Lukas Fleischer archlinux at cryptocrack.de
Thu Aug 11 12:06:00 EDT 2011


If this is enabled, do not show the login form and display a note
suggesting to switch to a secure connection if a user accesses the site
via HTTP.

Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
---
 web/lib/aur.inc.php          |    7 +++++--
 web/lib/config.inc.php.proto |    3 +++
 web/template/login_form.php  |   10 +++++++++-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 0927604..474ebee 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -326,9 +326,12 @@ function html_header($title="") {
 	global $_POST;
 	global $LANG;
 	global $SUPPORTED_LANGS;
+	global $DISABLE_HTTP_LOGIN;
 
-	$login = try_login();
-	$login_error = $login['error'];
+	if (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])) {
+		$login = try_login();
+		$login_error = $login['error'];
+	}
 
 	$title = htmlspecialchars($title, ENT_QUOTES);
 
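Review bot: The HTTPS test in the added `if` treats any non-empty `$_SERVER['HTTPS']` as a secure request, but some SAPIs (IIS/ISAPI, for one) set it to the string `'off'` on plain-HTTP requests, and `'off'` is truthy in PHP, so the login form would still be offered over HTTP with `$DISABLE_HTTP_LOGIN` enabled; `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` is the usual form. The same expression is duplicated in web/template/login_form.php (the `elseif` hunk), and a single helper such as `function is_https_request() { return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'; }` would keep the two checks from drifting apart. The new branch also leaves `$login_error` undefined when the condition is false, so any read of it outside the template's guarded branch becomes a notice; an explicit `$login_error = '';` before the `if` avoids that. html_header() starts and continues outside this hunk.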
diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto
index f710844..0f672ab 100644
--- a/web/lib/config.inc.php.proto
+++ b/web/lib/config.inc.php.proto
@@ -71,3 +71,6 @@ $PERSISTENT_COOKIE_TIMEOUT = 60 * 60 * 24 * 30;
 # please ensure "upload_max_filesize" is additionally set to no more than 3M,
 # otherwise this check might be easy to bypass (FS#22991 for details)
 $MAX_FILESIZE_UNCOMPRESSED = 1024 * 1024 * 8;
+
+# Allow HTTPs logins only
+$DISABLE_HTTP_LOGIN = true;
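Review bot: The new setting's comment says only "Allow HTTPs logins only" and does not tell an administrator what the check relies on; it appears to depend on the web server populating `$_SERVER['HTTPS']`, so behind a TLS-terminating proxy that does not set it the login form would be hidden even on secure connections. I would expand the comment to `# Hide the login form (and skip try_login()) on plain-HTTP requests. Relies on the web server setting $_SERVER['HTTPS']; check this when TLS is terminated by a proxy.` and fix the spelling to `HTTPS`. The trailing `# please ensure ...` style of the surrounding entries suggests this is where such caveats belong.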
diff --git a/web/template/login_form.php b/web/template/login_form.php
index ca81e0e..b351a27 100644
--- a/web/template/login_form.php
+++ b/web/template/login_form.php
@@ -6,7 +6,7 @@ if (isset($_COOKIE["AURSID"])) {
  <a href="logout.php">[<?php print __("Logout"); ?>]</a>
 <?php
 }
-else {
+elseif (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])) {
 	if ($login_error) {
 		print "<span class='error'>" . $login_error . "</span><br />\n";
 	}
@@ -26,5 +26,13 @@ else {
 	<a href="passreset.php">[<?php echo __('Forgot Password') ?>]</a>
 	</div>
 </form>
+<?php
+}
+else {
+?>
+<span class='error'>
+	<?php echo __("HTTP login is disabled. Please switch to HTTPs if you want to login: "); ?>
+	<a href="https://aur.archlinux.org/">https://aur.archlinux.org/</a>
+</span>
 <?php } ?>
 </div>
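Review bot: The fallback link hard-codes `https://aur.archlinux.org/`, so any other deployment of this code (a test or mirror instance) would send users to the production host rather than its own HTTPS endpoint. Rather than building the URL from `$_SERVER['HTTP_HOST']`, which is taken from the client-supplied Host header, I would read the canonical HTTPS base URL from a configuration variable alongside `$DISABLE_HTTP_LOGIN` (a constructed name such as `$AUR_HTTPS_URL` in config.inc.php.proto) and emit it through `htmlspecialchars()` in both the `href` and the link text. The translatable string also spells it `HTTPs`; since the msgid becomes the key for every translation, it is cheaper to correct to `HTTPS` before this lands than afterwards. The enclosing `if`/`elseif`/`else` chain opens outside this hunk.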
-- 
1.7.6


