Package Information: LiveUser 0.16.9


Release date: 2006-02-21 19:38 UTC
Release state: beta

Changelog:

This release fixes a minor security issue that is limited to the optional
remember me feature. The issue was reported to us by GulfTech Security Research.

The issue would allow an attacker to determine the existence of files inside the
file system, as well as to delete files:
- if the relative path is shorter than 32 characters (including a null byte)
- if null bytes are handled inside the "_COOKIE" superglobal, for example
through usage of magic_quotes_gpc, the issue becomes essentially limited to
files ending with ".lu".
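Added here as an illustration of the defensive check this kind of issue calls for; it is not LiveUser's own code. It assumes a remember-me state file named by a cookie token and stored as <dir>/<token>.lu, and rejects the cookie value before it ever reaches the file system, with a path-containment check as a second layer.

```php
<?php
// Resolve the remember-me state file for a cookie value, or return false.
// The <dir>/<token>.lu layout is an assumption for this example, not
// LiveUser's actual implementation.
function rememberMeFilePath($cookieValue, $storeDir)
{
    // Only a plain alphanumeric token of bounded length is accepted, so null
    // bytes, path separators, dots and overlong values never reach the file
    // system (\z, unlike $, also refuses a trailing newline).
    if (!is_string($cookieValue)
        || !preg_match('/^[A-Za-z0-9]{1,64}\z/', $cookieValue)) {
        return false;
    }
    $base = realpath($storeDir);
    if ($base === false) {
        return false;
    }
    $path = $base . DIRECTORY_SEPARATOR . $cookieValue . '.lu';
    // Defense in depth: the resolved path must still lie inside the store
    // directory and keep the ".lu" suffix, even if the token check above is
    // weakened by a later change.
    $resolved = realpath($path);
    if ($resolved === false) {
        return false; // no such file
    }
    if (strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0
        || substr($resolved, -3) !== '.lu') {
        return false;
    }
    return $resolved;
}

// Constructed demonstration: a temporary store holding one valid state file.
$dir = sys_get_temp_dir() . '/lu_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/abc123.lu', 'state');
var_dump(rememberMeFilePath('abc123', $dir));     // the genuine token resolves
var_dump(rememberMeFilePath("abc123\0", $dir));   // embedded null byte is rejected
var_dump(rememberMeFilePath('../abc123', $dir));  // traversal is rejected
unlink($dir . '/abc123.lu');
rmdir($dir);
```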

All installations using the remember me feature are strongly urged to update.
This release also changes some other aspects, including a BC break, so developers
can optionally patch their current installations using the changes in the
following commit:
http://cvs.php.net/viewcvs.cgi/pear/LiveUser/LiveUser.php?r1=1.148&r2=1.149&diff_format=u

- fixed major bug in PEARAuth container: auth_user_id is not an optional property
- added passwordEncryptionMode and secret to phpdoc comment
- made cryptRC4() method public to match usage in auth common in the client and admin api
- fixed handling of the secret user definable property (bug #6551)
- added support for user_group_ids (bug #6517)
- allow grouprights and groupusers table to join each other
- updateProperty doesn't update the session (bug #6612)
- renamed "connection" config option to "dbc" *BC BREAK*
- cleaned up and unified init() in the storage classes
- added example for dumping SQL to a file to installer
- added support for force_seq to installer
- removed allowDuplicateHandles and allowEmptyPasswords options, they are now
handled through the table definition in the given Globals.php (overwriteable
via the config array) *BC BREAK*
- initial untested support for PDO in the installer
- added examples for setting length and defaults to installer
- use overwrite when unlink is enabled in the installer
- reworked handling of merging user with group rights *BC BREAK*
When using the Medium or Complex container a user may gain rights through direct
assignment or through membership in a group that has rights assigned. The user
and group rights are merged with the following logic:
* if the right is only assigned to a member group but not to the user, the right is available to the user at the level at which the group has the right
* if the right is only assigned to the user at a level greater than zero but not to a member group, the right is available to the user at the level at which the user has the right
* if the right is only assigned to the user at a level equal to zero but not to a member group, the right is available to the user at the level at which the user has the right
* if the right is only assigned to the user at a level lower than zero but not to a member group, then the right is unavailable to the user
* if the right is assigned to a member group and the user, and the level at which the user has the right is greater than zero, then the right is available to the user at the higher level of the two
* if the right is assigned to a member group and the user, and the level at which the user has the right is equal to zero, then the right is unavailable to the user
* if the right is assigned to a member group and the user, and the level at which the user has the right is lower than zero, then the right is available to the user at the minimum of the group assigned level and the sum of the negative user level and the maximum level
Example:
The user has the following right_id => level pairs
array
1 => 3
2 => -2
3 => 0
5 => -1

The groups he is a member of have the following right_id => level pairs
array
1 => 1
2 => 3
3 => 3
4 => 2

The final right_id => level pairs are as follows
array
1 => 3 // user has a higher level (3) than the group level (1)
2 => 1 // 3 - 2 means a maximum possible level of 1
4 => 2 // only group has the right at level 2
5 => 2 // only user has the right at level 3 - 1 = 2
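The merging logic listed above, written out as an added example (not LiveUser's own implementation). It implements the seven rules as stated; the maximum level of 3 is taken from the example's "3 - 2" arithmetic and passed in as a parameter, and the group array is assumed to be the already combined rights of all the user's groups. Note that for right 5 the rules say a negative user level without a group right makes the right unavailable, whereas the page's example lists it at level 2; the code follows the rules.

```php
<?php
// Merge directly assigned user rights with group rights, following the seven
// rules in the changelog. Both inputs map right_id => level. $maxLevel is the
// highest possible level; the page's example implies 3 (assumed here).
function mergeUserAndGroupRights($userRights, $groupRights, $maxLevel = 3)
{
    $merged = array();
    $rightIds = array_unique(array_merge(array_keys($userRights), array_keys($groupRights)));
    foreach ($rightIds as $rightId) {
        $inUser  = array_key_exists($rightId, $userRights);
        $inGroup = array_key_exists($rightId, $groupRights);

        if ($inGroup && !$inUser) {
            // rule 1: only a group has the right -> group level
            $merged[$rightId] = $groupRights[$rightId];
        } elseif ($inUser && !$inGroup) {
            // rules 2-4: only the user has the right; a level >= 0 is kept,
            // a negative level with nothing to cap makes the right unavailable
            if ($userRights[$rightId] >= 0) {
                $merged[$rightId] = $userRights[$rightId];
            }
        } else {
            // rules 5-7: both the user and a group have the right
            $userLevel = $userRights[$rightId];
            if ($userLevel > 0) {
                $merged[$rightId] = max($userLevel, $groupRights[$rightId]);
            } elseif ($userLevel < 0) {
                // a negative user level lowers the ceiling: min(group, max + user)
                $merged[$rightId] = min($groupRights[$rightId], $maxLevel + $userLevel);
            }
            // $userLevel == 0 alongside a group right: unavailable (rule 6)
        }
    }
    ksort($merged);
    return $merged;
}

// The changelog's own example input
$user   = array(1 => 3, 2 => -2, 3 => 0, 5 => -1);
$groups = array(1 => 1, 2 => 3, 3 => 3, 4 => 2);
print_r(mergeUserAndGroupRights($user, $groups));
// rights 1, 2 and 4 come out as in the changelog (3, 1 and 2); right 3 is
// dropped by rule 6 and right 5 by rule 4
```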

Dependencies:
  • PHP Version: PHP 4.2.0 or newer
  • PEAR Package: PEAR Installer 1.3.3 or newer
  • PEAR Package: Event_Dispatcher
  • PEAR Package: Log 1.7.0 or newer (optional)
  • PEAR Package: DB 1.6.0 or newer (optional)
  • PEAR Package: MDB 1.1.4 or newer (optional)
  • PEAR Package: MDB2 2.0.0RC1 or newer (optional)
  • PEAR Package: MDB2_Schema (optional)
  • PEAR Package: XML_Tree (optional)
  • PEAR Package: Crypt_RC4 (optional)