CASyfing Open Upload
- Richard Pare
openupload-0.4.2-patch-casyfing.patch
Open Upload is a PHP application to create a private / public file download server similar to MegaUpload or RapidShare.
Version 0.4.2 offered only two types of authentication: default and ldap. With these types of authentication, you must use Open Upload's login form.
The goal is modify application to accept authentication from an external form-based.
mod_auth_cas, or PHPCAS, that is the question
In both cases, you must modify source code. But I prefer to use mod_auth_cas for three reasons :
- When user is authentified, user code can be written in the Apache access log.
- You can CASyfing many applications with the same module (if installed on Apache proxy).
- This patch can be reused for any form-based authentication.
Source code modifications
I found a patch on sourceforge website (see url below). This patch adds a new authentication type called httpldap. I modified this patch to add new features.
My new features are :
- Added a logout url.
- Display an error message when it can't get the list of LDAP groups to the user.
- Block access to the Open Upload's login form.
The following sections describe changes to the application.
New parameters
First changes are : adding a new type of authentication httpldap and two new parameters for this new type.
In config.inc.php file
auth parameter
You must specify the type httpldap.
login parameter (NEW)
The value is the name of the variable whose content is the user code.
- User code from mod_auth_cas (Directive CASAuthNHeader).
- Remember, if mod_auth_cas is installed on Apache proxy, the variable name is prefixed with HTTP_.
urlexit parameter (NEW)
The value is a URL where user will be redirected after logout.
show 1
You can see an example of setting in the config.inc.php.example file.
Index: www/config.inc.php.example
===================================================================
@@ -44,6 +44,14 @@
# $CONFIG['auth'] = 'ldap';
$CONFIG['auth'] = 'default';
+/************************************************************
+ * HTTP/LDAP detail configuration options *
+ ************************************************************/
+# $CONFIG['auth'] = 'httpldap';
+/* This is the field which contains user login */
+# $CONFIG['httpldap']['login'] = 'HTTP_AUTH_USER';
+/* This is the field which contains a URL redirect after logout */
+# $CONFIG['httpldap']['urlexit'] = 'http://';
/* TRANSLATION MODULE */
#$CONFIG['translator']='none';
httpldap module
This module is added to the directory /lib/modules/auth/. This module is a fake authenticator. Anyway, user is already authenticated.
show 2
Index: lib/modules/auth/httpldap.inc.php
===================================================================
@@ -0,0 +1,31 @@
+<?php
+
+require_once("ldap.inc.php");+class httpldapAuth extends ldapAuth {+
+ function httpldapAuth() {+ }
+
+ function init() {+ $this->config = app()->config['ldap'];
+ $this->http = app()->config['httpldap'];
+ $this->ufield = isset($this->config['uid'])?$this->config['uid']:'uid';
+ $this->gfield = isset($this->config['gid'])?$this->config['gid']:'gid';
+
+ /* Which field contains the user login ? */
+ $this->http['login'] = isset($this->http['login'])?$this->http['login']:'HTTP_AUTH_USER';
+
+ /* cannot add or edit users for now */
+ $this->features = array('useradmin' => 'no', 'groupadmin' => 'no');+ }
+
+ function authenticate($login,$password) {+ $result = false;
+ if ($_SERVER{$this->http['login']} == $login)+ $result = true;
+ return $result;
+ }
+
+}
+?>
+
Authentication bypass
You need a bypass to avoid Open Upload's login form. In the following example, bypass is used if authentication type is httpldap. Authentication process will be called.
Loop problem
Details
The unauthenticated user has the default group unregister. The login action is available to user with default group (g and d actions are also available, but they aren't relevant for this problem). During authentication phase, if it's impossible to obtain the list of LDAP groups. User keeps the default group and an endless loop occurs.
Resolution
After authentication, if user keeps the default group, the program is stopped and an error message is displayed.
show 3
Index: lib/main.inc.php
===================================================================
@@ -485,9 +485,28 @@
$this->db->free();
exit(0);
} else {
- /* save the requested url */
- redirect('?action=login');
- }
+ /* Check if HTTP auth is used */
+ if (($this->config['auth']=='httpldap') &&
+ isset($_SERVER{$this->config['httpldap']['login']})) {
+
+ $this->user->authenticate();
+
+ if ($this->user->group() == $this->config['register']['nologingroup']) {
+ $this->log('error','login','','DENY',"this user isn't member any LDAP Openupload group or the software can't access informations about user");
+ $this->tpl->assign('user',$this->user->info());
+ $this->tpl->assign('langs',$this->langs);
+ unset($_SESSION['user']['messages']);
+ unset($_SESSION['user']['errors']);
+ $this->page['content']=tr('ACCESS DENIED TO THIS SOFTWARE!');
+ $this->tpl->assign('page',$this->page);
+ $this->display($this->mainPage);
+ $this->db->free();
+ exit(0);
+ }
+ } else {
+ /* save the requested url */
+ redirect('?action=login');
+ } }
}
if ($_SERVER['QUERY_STRING']!='')
$_SESSION['requested_url']='?'.$_SERVER['QUERY_STRING'];
Authentification and logout
logout function
This function is called when user logout. Instead of redirect user to Open Upload's login form, he is redirected to logout url.
authenticate function
This function is called during authentication phase. if authentication type is httpldap, user code is passed to the fake authenticator (httpldap). After the user information will be obtained from LDAP.
show 4
Index: lib/user.inc.php
===================================================================
@@ -19,7 +19,9 @@
unset($_SESSION['user']);
$_SESSION['user']['messages'] = $messages;
$_SESSION['user']['errors'] = $errors;
- redirect('?action=login');+
+ $urlexit = isset(app()->config['httpldap']['urlexit'])?app()->config['httpldap']['urlexit']:'?action=login';
+ redirect($urlexit);
}
function loggedin() {@@ -69,11 +71,17 @@
return true;
// if it's logging in save user and pwd
- if (isset($_POST['username'])) {+
+ if ((app()->config['auth']=='httpldap') &&
+ isset($_SERVER{app()->config['httpldap']['login']})) {+ $username = $_SERVER{app()->config['httpldap']['login']};+ $password = $_SERVER{app()->config['httpldap']['login']};+ }
+ elseif (isset($_POST['username'])) {$username = $_POST['username'];
$password = $_POST['pwd'];
}
-
+
if ($username != '') {// use the default authentication method
$res = $this->auth->authenticate($username,$password);
Remove Open Upload's login form choice from menu
You must remove the choice login in menu.
show 5
Index: lib/modules/default/auth.inc.php
===================================================================
@@ -37,7 +37,10 @@
function init() {
if (!app()->user->loggedin()) {
- $this->menu['login']=tr('Login');
+ // remove login choice in menu if HTTP auth is used
+ if (app()->config['auth']!='httpldap') {
+ $this->menu['login']=tr('Login');
+ }
} else {
if (app()->auth->features['useradmin']=='yes')
$this->menu['profile']=tr('Preferences');
Block access to the Open Upload's login form
Open Upload's login form is still available, you must block access. I use mod_rewrite to do this.
show 6
RewriteEngine On
RewriteCond %{QUERY_STRING} (a(.*)+=login)
RewriteRule ^(.*)$ $1? [R=301,L]
Conclusion
Open Upload is an efficient application. Among the free file download applications that I evaluated, it's more complete.