1<?php
2/**
3 * Coppermine Photo Gallery
4 *
5 * v1.0 originally written by Gregory Demar
6 *
7 * @copyright  Copyright (c) 2003-2021 Coppermine Dev Team
8 * @license    GNU General Public License version 3 or later; see LICENSE
9 *
10 * login.php
11 * @since  1.6.10
12 */
13
// Page flags read by the shared includes (presumably IN_COPPERMINE is what the
// include files check to refuse direct requests, and LOGIN_PHP tells them which
// page is running — confirm in include/init.inc.php).
define('IN_COPPERMINE', true);
define('LOGIN_PHP', true);

// Bootstraps config, database, $superCage, $cpg_udb, $CPG_REFERER, $raw_ip/$hdr_ip
// and the language arrays used below.
require 'include/init.inc.php';

// Someone who already holds a session has no business on the login page
// (USER_ID comes from init.inc.php; assumed to be 0/false for guests — confirm).
if (USER_ID) {
    cpg_die(ERROR, $lang_login_php['err_already_logged_in'], __FILE__, __LINE__);
}

// With a user-database bridge in place the bridge presents its own login page;
// whether login_page() returns or exits is not visible here — confirm before
// relying on the code below not running for bridged installs.
if (defined('UDB_INTEGRATION')) {
    $cpg_udb->login_page();
}
26
// A referer pointing at logout.php or register.php would send a freshly
// logged-in user straight back out (or to a form they no longer need), so
// those land on the index instead. Every other referer is used as-is; this
// assumes init.inc.php has already constrained $CPG_REFERER to a same-site
// path — confirm, since it is later passed to cpgRedirectPage().
if (preg_match('/logout\.php|register\.php/', $CPG_REFERER)) {
    $CPG_REFERER = 'index.php';
}

// Optional table rows spliced into the form further down; empty means "show nothing".
$login_failed   = '';
$cookie_warning = '';
33
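if ($superCage->post->keyExists('submitted')) {

    // The user-database layer (core or bridge) validates the credentials and
    // returns the user record on success, a falsy value otherwise. The
    // DB-escaped form of the posted values is what login() has always received.
    $USER_DATA = $cpg_udb->login($superCage->post->getEscaped('username'), $superCage->post->getEscaped('password'), $superCage->post->getInt('remember_me'));

    if ($USER_DATA) {

        // Access log: only when full logging is configured
        if ($CONFIG['log_mode'] == CPG_LOG_ALL) {
            log_write('The user ' . $USER_DATA['user_name'] . ' (user ID ' . $USER_DATA['user_id'] . ") logged in.", CPG_ACCESS_LOG);
        }

        // Persist the visitor's current language choice on the account.
        // $USER['lang'] is populated outside this file (presumably from the
        // visitor's cookie/session — confirm), so before it goes into a
        // string-built query only a plain language-file name is accepted;
        // the empty string is still allowed so an unset preference behaves as before.
        $lang_pref = isset($USER['lang']) ? (string) $USER['lang'] : '';
        if (preg_match('/^[a-z0-9_\-]*$/i', $lang_pref)) {
            cpg_db_query("UPDATE {$CONFIG['TABLE_USERS']} SET user_language = '$lang_pref' WHERE user_id = " . (int) $USER_DATA['user_id']);
        }

        // Establish the session for the authenticated user. Whether this also
        // rotates the session identifier is not visible here — confirm in the udb layer.
        $cpg_udb->authenticate();
        if (!$USER_DATA['has_admin_access']) {
            // Non-admins never keep an "admin mode" flag from a previous profile
            unset($USER['am']);
            user_save_profile();
        }

        // Send the user back where they came from, unless that was the login
        // page itself. NOTE(review): this relies on $CPG_REFERER having been
        // restricted to a same-site target upstream; otherwise it is an open redirect.
        $redirect = ($CPG_REFERER && (strpos($CPG_REFERER, 'login.php') === false)) ? $CPG_REFERER : 'index.php';
        $pending_approvals = ($USER_DATA['has_admin_access'] && cpg_get_pending_approvals() > 0) ? '<br />'.$lang_gallery_admin_menu['upl_app_title'] : '';
        cpgRedirectPage($redirect, $lang_login_php['login'], sprintf($lang_login_php['welcome'], $USER_DATA['user_name']).$pending_approvals, 3, 'success');
        exit;

    } else {
        // Security log: record the attempt with the (escaped) username that was tried
        log_write("Failed login attempt at IP $hdr_ip with Username: " . $superCage->post->getEscaped('username'), CPG_SECURITY_LOG);

        $login_failed = <<<EOT
                  <tr>
                      <td colspan="2" class="tableh2">
                          <div id="cpgMessage" class="cpg_user_message cpg_message_validation">
                              {$lang_login_php['err_login']}
                          </div>
                      </td>
                  </tr>
EOT;

        // Brute-force throttling. One row per IP in the banned table carries a
        // countdown (brute_force); every failure decrements it and pushes the
        // expiry out, and once it reaches 0 the row is a regular ban record
        // (enforcement happens elsewhere — confirm in init.inc.php).
        // NOTE(review): $hdr_ip presumably derives from a forwarded-for header;
        // unless it is only trusted behind a known proxy, a client can choose
        // which address's counter gets decremented. Only one of the two rows is
        // touched because of LIMIT 1.
        $result  = cpg_db_query("SELECT ban_id, brute_force FROM {$CONFIG['TABLE_BANNED']} WHERE ip_addr = '$raw_ip' OR ip_addr = '$hdr_ip' LIMIT 1");
        $ban_row = $result->fetchAssoc(true);

        // login_expiry is in minutes. Computed as an absolute offset from now so
        // a DST switch cannot stretch or shrink the window.
        $expiry_date = date('Y-m-d H:i:s', time() + 60 * (int) $CONFIG['login_expiry']);

        // Original code wrote an array offset onto the `false` returned for a
        // missing row (deprecated in PHP 8.1); keep the counter in a plain int instead.
        if (is_array($ban_row) && (int) $ban_row['brute_force'] > 0) {
            $remaining    = (int) $ban_row['brute_force'] - 1;
            $query_string = "UPDATE {$CONFIG['TABLE_BANNED']} SET brute_force = $remaining, expiry = '$expiry_date' WHERE ban_id = " . (int) $ban_row['ban_id'];
        } else {
            // No countdown for this address yet (or it already ran out): start
            // a fresh one at the configured threshold, keyed on the raw address.
            $remaining    = (int) $CONFIG['login_threshold'];
            $query_string = "INSERT INTO {$CONFIG['TABLE_BANNED']} (ip_addr, expiry, brute_force) VALUES ('$raw_ip', '$expiry_date', $remaining)";
        }

        cpg_db_query($query_string);
    }
}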
91
// Cookie probe. Without the gallery's data cookie a login cannot stick, but a
// first visit also has no cookie yet (presumably init.inc.php sets it on the
// first request — confirm). So the page reloads itself exactly once, carrying
// the referer along, and only shows the warning if the cookie is still missing.
if (!$superCage->cookie->keyExists($CONFIG['cookie_name'] . '_data')) {

    if (!$superCage->get->keyExists('reload_once')) {
        $ref = '?reload_once';
        if ($CPG_REFERER) {
            $ref .= '&referer=' . urlencode($CPG_REFERER);
        }
        cpgRedirectPage('login.php' . $ref);
    }

    // Second pass and still no cookie: tell the visitor
    $cookie_warning = <<<EOT
                  <tr>
                      <td colspan="2" align="center" class="tableh2">
                          <span style="color:red"><strong>{$lang_login_php['cookie_warning']}</strong></span>
                      </td>
                  </tr>

EOT;
}
108
// A "resend activation e-mail" link only makes sense when registration
// requires e-mail activation; otherwise nothing is rendered.
$send_activation_link = ($CONFIG['reg_requires_valid_email'] == 1)
    ? '<br /><a href="send_activation.php" class="topmenu">' . $lang_login_php['send_activation_link'] . '</a>'
    : '';
114
pageheader($lang_login_php['login']);

// Explain why the visitor landed here when another page forced a login
if ($superCage->get->getInt('force_login')) {
    msg_box($lang_login_php['force_login_title'], $lang_login_php['force_login']);
}

$username_icon = cpg_fetch_icon('my_profile', 2);
$password_icon = cpg_fetch_icon('key_enter', 2);
$ok_icon       = cpg_fetch_icon('ok', 2);

// The referer rides along in the action URL so the POST handler can send the
// user back afterwards; urlencode keeps it a single, well-formed query value.
printf('<form action="login.php?referer=%s" method="post" name="loginbox" id="cpgform">', urlencode($CPG_REFERER));

starttable(-1, cpg_fetch_icon('login', 2) . $lang_login_php['enter_login_pswd'], 2);

// Label for the first field: username, e-mail address or either, depending on
// the configured login_method (the config value doubles as the language key)
$login_method = $lang_login_php[$CONFIG['login_method']];
132
// The form body. $login_failed / $cookie_warning are either empty or one
// table row each. NOTE(review): the form carries no anti-CSRF token; whether
// Coppermine deliberately exempts the login form (as many apps do) is not
// visible from this file — confirm before treating that as an issue.
echo <<<EOT
                  $login_failed
                  $cookie_warning
                  <tr>
                      <td class="tableb" width="40%">{$username_icon}{$login_method}</td>
                      <td class="tableb" width="60%"><input type="text" class="textinput" name="username" style="width: 100%" tabindex="1" /></td>
                  </tr>
                  <tr>
                      <td class="tableb">{$password_icon}{$lang_login_php['password']}</td>
                      <td class="tableb"><input type="password" class="textinput" name="password" style="width: 100%" tabindex="2" /></td>
                  </tr>
                  <tr>
                      <td colspan="2" align="center" class="tableb"><label for="remember_me">{$lang_login_php['remember_me']} </label><input name="remember_me" id="remember_me" type="checkbox" class="checkbox" value="1" tabindex="3" /></td>
                  </tr>
                  <tr>
                      <td align="center" class="tablef">
                          <a href="forgot_passwd.php" class="topmenu">{$lang_login_php['forgot_password_link']}</a>
                          $send_activation_link
                      </td>
                      <td align="left" class="tablef">
                        <!--<input name="submitted" type="submit" class="button" value="{$lang_login_php['login']}" tabindex="4" />-->
                        <button type="submit" class="button" name="submitted" value="{$lang_common['ok']}"  tabindex="4">{$ok_icon}{$lang_common['ok']}</button>
                      </td>
                  </tr>

EOT;

endtable();

// Close the form and put the cursor in the username field. The script block
// addresses the form through its name= attribute ("loginbox"), so that
// attribute must stay in sync with the <form> tag above. The language=
// attribute and the <!-- --> wrapper are legacy HTML and harmless.
echo <<<EOT

</form>
<script language="javascript" type="text/javascript">
<!--
document.loginbox.username.focus();
-->
</script>
EOT;

pagefooter();
173
174//EOF