Server side :
* Trim password and login before instertion * Can use empty master key to see user passwords * Fix a bug : can't decode multiple queries from client Client side : * Don't send empty username * Update README
This commit is contained in:
parent
4fd1f1e92f
commit
67d21ff3ef
|
@ -20,7 +20,7 @@ Usage
|
||||||
-----
|
-----
|
||||||
|
|
||||||
|
|
||||||
The first thing to do is to populate your database (from your/a password server) with login/password/master key values. If you want to make strong password, there is a password generator. After that, configure your addon in "tools -> addons -> gPass -> preferences" to point to your password server (+ username).
|
The first thing to do is to populate your database (from your/a password server) with login/password/master key values. If you want to make strong password, there is a password generator. After that, configure your addon in "tools -> addons -> gPass -> preferences" to point to your password server (+ username). Be careful, login and password are case sensitive.
|
||||||
|
|
||||||
When you're in a login form and you want to use gPass, type your login and fill "@@masterkey" in password field. Then submit and password will automatically be replaced by the one in the database (after addon decrypt it).
|
When you're in a login form and you want to use gPass, type your login and fill "@@masterkey" in password field. Then submit and password will automatically be replaced by the one in the database (after addon decrypt it).
|
||||||
|
|
||||||
|
@ -40,7 +40,7 @@ For now the only addons made is for firefox. Server side is written in PHP (with
|
||||||
Server
|
Server
|
||||||
------
|
------
|
||||||
|
|
||||||
To host a password server, you need a webserver. Just copy server files in a directory read/write for web server user (www-data). A sample apache2 configuration file is available in ressources.
|
To host a password server, you need a webserver. Just copy server files in a directory read/write for web server user (www-data). A sample apache2 configuration file is available in ressources. For enhanced security, it's better to put the password server under https.
|
||||||
|
|
||||||
You can activate/deactivate view of ciphered passwords by setting $VIEW_CIPHERED_PASSWORDS in index.php.
|
You can activate/deactivate view of ciphered passwords by setting $VIEW_CIPHERED_PASSWORDS in index.php.
|
||||||
You can activate/deactivate user creation by setting $ADMIN_MODE in index.php.
|
You can activate/deactivate user creation by setting $ADMIN_MODE in index.php.
|
||||||
|
|
|
@ -68,13 +68,13 @@ function on_sumbit()
|
||||||
|
|
||||||
debug("salt " + salt);
|
debug("salt " + salt);
|
||||||
|
|
||||||
// Get all <input type="text">
|
// Get all <input type="text"> && <input type="email">
|
||||||
for (i=0; i<fields.length; i++)
|
for (i=0; i<fields.length; i++)
|
||||||
{
|
{
|
||||||
var field = fields[i];
|
var field = fields[i];
|
||||||
if (field.getAttribute("type") == "text" || field.getAttribute("type") == "email")
|
if (field.getAttribute("type") == "text" || field.getAttribute("type") == "email")
|
||||||
{
|
{
|
||||||
if (field.hasAttribute("name"))
|
if (field.hasAttribute("name") && field.value != "")
|
||||||
my_map.put(field.getAttribute("name"), field.value);
|
my_map.put(field.getAttribute("name"), field.value);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -177,8 +177,8 @@ function add_entry($user, $mkey, $url, $login, $password)
|
||||||
|
|
||||||
if ($db == null) return false;
|
if ($db == null) return false;
|
||||||
|
|
||||||
$password = encrypt($mkey, $password, true);
|
$password = encrypt($mkey, trim($password), true);
|
||||||
$login = encrypt($mkey, "@@" . $url . ";" . $login, false);
|
$login = encrypt($mkey, "@@" . trim($url) . ";" . trim($login), false);
|
||||||
|
|
||||||
if ($password == null || $login == null)
|
if ($password == null || $login == null)
|
||||||
return false;
|
return false;
|
||||||
|
@ -232,6 +232,8 @@ function list_entries($user, $mkey)
|
||||||
|
|
||||||
if ($mkey != "")
|
if ($mkey != "")
|
||||||
$login = decrypt($mkey, $row['login'], false);
|
$login = decrypt($mkey, $row['login'], false);
|
||||||
|
else
|
||||||
|
$login = "";
|
||||||
|
|
||||||
if ($login[0] != '@' && $login[1] != '@')
|
if ($login[0] != '@' && $login[1] != '@')
|
||||||
{
|
{
|
||||||
|
|
|
@ -107,7 +107,7 @@ else
|
||||||
}
|
}
|
||||||
echo "</select>\n";
|
echo "</select>\n";
|
||||||
echo ' <b>Master key </b> <input id="see_password" type="password" name="mkey"/>';
|
echo ' <b>Master key </b> <input id="see_password" type="password" name="mkey"/>';
|
||||||
echo "<input name=\"see\" type=\"submit\" value=\"See\" onclick=\"a=document.getElementById('selected_user') ; return derive_mkey(a.options[a.selectedIndex].value, 'see_password') ;\"/>" . "\n";
|
echo "<input name=\"see\" type=\"submit\" value=\"See\" onclick=\"if (document.getElementById('see_password').value == '') return true; a=document.getElementById('selected_user') ; return derive_mkey(a.options[a.selectedIndex].value, 'see_password') ;\"/>" . "\n";
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
</form>
|
</form>
|
||||||
|
|
|
@ -45,7 +45,8 @@ for ($i=0; isset($_POST["k$i"]); $i++)
|
||||||
{
|
{
|
||||||
$statement->bindValue(":login", $_POST["k$i"]);
|
$statement->bindValue(":login", $_POST["k$i"]);
|
||||||
$result = $statement->execute();
|
$result = $statement->execute();
|
||||||
$row = $result->fetchArray();
|
$row = $result->fetchArray(SQLITE3_ASSOC);
|
||||||
|
$result->finalize();
|
||||||
if (isset($row["password"]))
|
if (isset($row["password"]))
|
||||||
{
|
{
|
||||||
echo "pass=" . $row["password"] . "\n";
|
echo "pass=" . $row["password"] . "\n";
|
||||||
|
|
Loading…
Reference in New Issue
Block a user