3.2.4: security updates

mufasser · Feb 29, 2016 · 7490afd · 7490afd
1 parent 5f7ad76
commit 7490afd
Show file tree

Hide file tree

Showing 19 changed files with 179 additions and 58 deletions.
diff --git a/README.md b/README.md
@@ -24,6 +24,7 @@
 * [APIs](#apis)
 * [System Requirements](#system-requirements)
 * [Installation](#installation)
+* [Updates](#updates)
 * [Conclusion](#conclusion)
 * [What's New](#whats-new)
 * [Fork It!](#forkit)
@@ -33,8 +34,8 @@
 
 CI3 Fire Starter is a CodeIgniter3 skeleton application that includes [jQuery](https://jquery.com/) and
 [Twitter Bootstrap](http://getbootstrap.com/). It is intended to be light weight, minimalistic and not
-get in your way of building great CodeIgniter 3 applications. It is also intended for newbies who want
-a simple, easy platform for learning CodeIgniter.
+get in your way of building great CodeIgniter 3 applications. It is also intended for new CodeIgniter
+developers who want a simple, easy platform for learning the framework.
 
 * CodeIgniter 3.x
 * Base controllers for Public, Private, Admin and API classes
@@ -58,12 +59,11 @@ a simple, easy platform for learning CodeIgniter.
 * Basic admin tool with dashboard, user management, settings and Contact Us message list
 * File-based sessions
 
-That should be the least needed to kickstart many CodeIgniter 3 projects. While there are many great
-CodeIgniter CMS applications ([see below](#conclusion)), sometimes you don't need a full CMS, or you need
-something much simpler than what's available, or you need a completely customizable solution. That's
-why I created CI3 Fire Starter. I was tired of always having to do the same things over and over again.
-So I took some best practices, included all the addons and functions I most commonly use, and this
-was the end result, which I now use to start the majority of my projects.
+That should cover the basic needs for kickstarting many small CodeIgniter 3 projects. While there are some
+great CodeIgniter CMS applications ([see below](#conclusion)), sometimes you don't need a full CMS or you
+need a completely customizable solution. That's why I created CI3 Fire Starter. I was tired of always
+having to do the same things over and over again. So I took some best practices, included all the addons and
+functions I most commonly use, and this was the end result, which I use to start many of my smaller projects.
 
 I hope you find it useful. **Please [fork it on Github](https://github.com/JasonBaier/ci3-fire-starter/fork "Fork It")
 and help make it better!**
@@ -79,8 +79,8 @@ visit [php.net](http://php.net/). If you need to learn more about CodeIgniter, v
 
 The former versions of CI Fire Starter (prior to v3.0.0) used to utilize wiredesign's
 [Modular Extensions](https://bitbucket.org/wiredesignz/codeigniter-modular-extensions-hmvc). At this
-time I have opted not to include it, however, if you have an argument in support of reimplementing it, just let me know and
-we can open it up for discussion.
+time I have opted not to include it, however, if you have an argument in support of reimplementing it,
+just let me know and we can open it up for discussion.
 
 <a name="base-classes"></a>
 ## BASE CLASSES
@@ -144,8 +144,8 @@ Several core files have been included to simplify customizations:
 #### Core Config
 
 In /application/config there is a file core.php. This file allows you to set site-wide variables. It
-is set up with site version, default templates, pagination settings, enable/disable the profiler and
-default form validation error delimiters.
+is set up with site version, default templates, pagination settings, login attempt settings,
+enable/disable the profiler and default form validation error delimiters.
 
 <a name="core-language"></a>
 #### Core Language
@@ -156,25 +156,26 @@ variables that could be used throughout the entire site (such as the words Home
 <a name="core-helper"></a>
 #### Core Helper
 
-In /application/helper is a file core\_helper.php. This includes the following useful functions:
+In /application/helpers is a file core\_helper.php. This includes the following useful functions:
 
 * display\_json($array) - used to output an array as JSON in a human-readable format - used by the API
 * json\_indent($array) - this is the function that actually creates the human-readable JSON string
 * array\_to\_csv($array, $filename) - exports an array into a CSV file (see admin user list)
 * generate\_random\_pasword() - used to reset password for users who forgot password
+* get\_languages() - retrieves a list of all language folders
 
 <a name="i18n"></a>
 ## INTERNATIONALIZATION
 
 Thanks to contributions from the community, the list of language translations is growing:
 
-* English
+* Chinese (Simplified)
 * Dutch
+* English (default)
 * Indonesian
-* Turkish
-* Spanish
-* Simplified Chinese
 * Russian
+* Spanish
+* Turkish
 
 Registered users can set their own preferred language, admins can set preferred languauges for each user, and
 non-registered users can use the language selector to render the site in their preferred language. The application
@@ -421,6 +422,11 @@ for the complete list.
 * The default welcome page includes links to the admin tool and the private user profile page
 * Make sure you log in to admin and change the administrator password!
 
+<a name="updates"></a>
+## UPDATES
+
+Since version 3.2.4, anytime changes to the database are required, you'll find SQL files in /assets/schema\_updates.
+
 <a name="conclusion"></a>
 ##CONCLUSION
 
@@ -439,6 +445,16 @@ or need a more robust starting point, then check out one of these great applicat
 <a name="whats-new"></a>
 ## WHAT'S NEW
 
+#### Version 3.2.4
+02/29/2016
+
+* Security Updates
+    + Limit login requests
+    + Improved encryption key (you still should replace it with your own)
+    + Set username and password lengths
+* Added 'email' form input fields where applicable for better mobile support
+* Added new 'schema\_updates' folder in the 'assets' folder - includes SQL for new 'login\_attempt' table
+
 #### Version 3.2.3
 01/20/2016
 

diff --git a/application/config/config.php b/application/config/config.php
@@ -311,7 +311,7 @@
 | http://codeigniter.com/user_guide/libraries/encryption.html
 |
 */
-$config['encryption_key'] = 'Ñ`╣ò╕n~Å╪‼╘♀Vσ≤♫';
+$config['encryption_key'] = hex2bin('c5cbd013b4a1eaf8654ecf26944faf66');
 
 /*
 |--------------------------------------------------------------------------

diff --git a/application/config/core.php b/application/config/core.php
@@ -6,8 +6,8 @@
  */
 
 // Site Details
-$config['site_version']          = "3.2.3";     // this is CI3 Fire Starter version - set it to 1.0.0 for your new project
-$config['root_folder']           = "htdocs";    // set to whatever your webroot is (htdocs, public_html, etc.) - MAKE SURE you rename the /htdocs folder locally
+$config['site_version']          = "3.2.4";     // this is CI3 Fire Starter version - set it to 1.0.0 for your new project
+$config['root_folder']           = "htdocs";    // set to whatever your webroot is (htdocs, public_html, etc.) - MAKE SURE you physically rename the /htdocs folder
 $config['public_theme']          = "Default";   // folder containing your public theme
 $config['admin_theme']           = "Admin";     // folder containing your admin theme
 
@@ -16,6 +16,10 @@
 $config['full_tag_open']         = "<div class=\"pagination\">";
 $config['full_tag_close']        = "</div>";
 
+// Login Attempts
+$config['login_max_time']        = 10;        // in seconds
+$config['login_max_attempts']    = 3;
+
 // Miscellaneous
 $config['profiler']              = FALSE;
 $config['error_delimeter_left']  = "";

diff --git a/application/controllers/User.php b/application/controllers/User.php
@@ -48,40 +48,54 @@ function login()
 
         // set form validation rules
         $this->form_validation->set_error_delimiters($this->config->item('error_delimeter_left'), $this->config->item('error_delimeter_right'));
-        $this->form_validation->set_rules('username', lang('users input username_email'), 'required|trim');
-        $this->form_validation->set_rules('password', lang('users input password'), 'required|trim|callback__check_login');
+        $this->form_validation->set_rules('username', lang('users input username_email'), 'required|trim|max_length[256]');
+        $this->form_validation->set_rules('password', lang('users input password'), 'required|trim|max_length[72]|callback__check_login');
 
-        if ($this->form_validation->run() == TRUE)
+        $ok_to_login = $this->users_model->login_attempts();
+
+        // limit number of login attempts
+        if ($ok_to_login)
         {
-            if ($this->session->userdata('redirect'))
-            {
-                $redirect = $this->session->userdata('redirect');
-                $this->session->unset_userdata('redirect');
-                redirect($redirect);
-            }
-            else
+            if ($this->form_validation->run() == TRUE)
             {
-                $logged_in_user = $this->session->userdata('logged_in');
-                if ($logged_in_user['is_admin'])
+                if ($this->session->userdata('redirect'))
                 {
-                    redirect('admin');
+                    // redirect to desired page
+                    $redirect = $this->session->userdata('redirect');
+                    $this->session->unset_userdata('redirect');
+                    redirect($redirect);
                 }
                 else
                 {
-                    redirect(base_url());
+                    $logged_in_user = $this->session->userdata('logged_in');
+                    if ($logged_in_user['is_admin'])
+                    {
+                        // redirect to admin dashboard
+                        redirect('admin');
+                    }
+                    else
+                    {
+                        // redirect to landing page
+                        redirect(base_url());
+                    }
                 }
             }
         }
 
         // setup page header data
-		$this->add_css_theme( 'login.css' );
+        $this->set_title(lang('users title login'));
 
-        $this->set_title( lang('users title login') );
+		$this->add_css_theme('login.css');
 
         $data = $this->includes;
 
+        // set content data
+        $content_data = array(
+            'ok_to_login' => $ok_to_login
+        );
+
         // load views
-        $data['content'] = $this->load->view('user/login', NULL, TRUE);
+        $data['content'] = $this->load->view('user/login', $content_data, TRUE);
         $this->load->view($this->template, $data);
     }
 
@@ -107,7 +121,7 @@ function register()
         $this->form_validation->set_rules('username', lang('users input username'), 'required|trim|min_length[5]|max_length[30]|callback__check_username');
         $this->form_validation->set_rules('first_name', lang('users input first_name'), 'required|trim|min_length[2]|max_length[32]');
         $this->form_validation->set_rules('last_name', lang('users input last_name'), 'required|trim|min_length[2]|max_length[32]');
-        $this->form_validation->set_rules('email', lang('users input email'), 'required|trim|max_length[128]|valid_email|callback__check_email');
+        $this->form_validation->set_rules('email', lang('users input email'), 'required|trim|max_length[256]|valid_email|callback__check_email');
         $this->form_validation->set_rules('language', lang('users input language'), 'required|trim');
         $this->form_validation->set_rules('password', lang('users input password'), 'required|trim|min_length[5]');
         $this->form_validation->set_rules('password_repeat', lang('users input password_repeat'), 'required|trim|matches[password]');
@@ -149,6 +163,7 @@ function register()
             else
             {
                 $this->session->set_flashdata('error', lang('users error register_failed'));
+                redirect($_SERVER['REQUEST_URI'], 'refresh');
             }
 
             // redirect home and display message
@@ -199,13 +214,13 @@ function validate()
 
 
     /**
-	 * Default
+	 * Forgot password
      */
 	function forgot()
 	{
         // validators
         $this->form_validation->set_error_delimiters($this->config->item('error_delimeter_left'), $this->config->item('error_delimeter_right'));
-        $this->form_validation->set_rules('email', lang('users input email'), 'required|trim|valid_email|callback__check_email_exists');
+        $this->form_validation->set_rules('email', lang('users input email'), 'required|trim|max_length[256]|valid_email|callback__check_email_exists');
 
         if ($this->form_validation->run() == TRUE)
         {

diff --git a/application/language/dutch/users_lang.php b/application/language/dutch/users_lang.php
@@ -17,6 +17,7 @@
 $lang['users button add_new_user']            = "Nieuwe gebruiker toevoegen";
 $lang['users button register']                = "Account aanmaken";
 $lang['users button reset_password']          = "Reset wachtwoord";
+$lang['users button login_try_again']         = "Probeer het nog eens";
 
 // Tooltips
 $lang['users tooltip add_new_user']           = "Maak een nieuwe gebruiker.";
@@ -81,3 +82,5 @@
 $lang['users error user_not_exist']           = "Die gebruiker bestaat niet!";
 $lang['users error username_exists']          = "De gebruikersnaam <strong>%s</strong> bestaat al!";
 $lang['users error validate_failed']          = "Er was een probleem voor het valideren van uw account. Probeer het opnieuw.";
+$lang['users error too_many_login_attempts']  = "Je hebt te vaak geprobeerd om in te loggen te snel gemaakt. Gelieve wacht %s seconden en probeer het opnieuw.";
+
diff --git a/application/language/english/users_lang.php b/application/language/english/users_lang.php
@@ -17,6 +17,7 @@
 $lang['users button add_new_user']            = "Add New User";
 $lang['users button register']                = "Create Account";
 $lang['users button reset_password']          = "Reset Password";
+$lang['users button login_try_again']         = "Try Again";
 
 // Tooltips
 $lang['users tooltip add_new_user']           = "Create a brand new user.";
@@ -81,3 +82,4 @@
 $lang['users error user_not_exist']           = "That user does not exist!";
 $lang['users error username_exists']          = "The username <strong>%s</strong> already exists!";
 $lang['users error validate_failed']          = "There was a problem validating your account. Please try again.";
+$lang['users error too_many_login_attempts']  = "You've made too many attempts to log in too quickly. Please wait %s seconds and try again.";
diff --git a/application/language/indonesian/users_lang.php b/application/language/indonesian/users_lang.php
@@ -17,6 +17,7 @@
 $lang['users button add_new_user']            = "Tambah User Baru";
 $lang['users button register']                = "Buat Akun";
 $lang['users button reset_password']          = "Reset Password";
+$lang['users button login_try_again']         = "Coba lagi";
 
 // Tooltips
 $lang['users tooltip add_new_user']           = "Buat user baru.";
@@ -78,3 +79,4 @@
 $lang['users error user_not_exist']           = "User tersebut tidak ada!";
 $lang['users error username_exists']          = "Username <strong>%s</strong> sudah ada!";
 $lang['users error validate_failed']          = "Terdapat masalah dalam upaya validasi akun anda. Silakan coba lagi.";
+$lang['users error too_many_login_attempts']  = "Anda sudah membuat terlalu banyak upaya untuk log in terlalu cepat. Silahkan tunggu %s detik dan coba lagi.";
diff --git a/application/language/russian/users_lang.php b/application/language/russian/users_lang.php
@@ -17,6 +17,7 @@
 $lang['users button add_new_user']            = "Добавить нового пользователя";
 $lang['users button register']                = "Создать аккаунт";
 $lang['users button reset_password']          = "Сбросить пароль";
+$lang['users button login_try_again']         = "Попробуй еще раз";
 
 // Tooltips
 $lang['users tooltip add_new_user']           = "Создать нового пользователя.";
@@ -80,3 +81,4 @@
 $lang['users error user_not_exist']           = "Такого пользователя не существует!";
 $lang['users error username_exists']          = "Имя пользователя <strong>%s</strong> уже существует!";
 $lang['users error validate_failed']          = "Возникла проблема при проверке аккаунта. Попробуйте снова.";
+$lang['users error too_many_login_attempts']  = "Вы сделали слишком много попыток входа в систему слишком быстро. Пожалуйста, подождите %s секунд и повторите попытку.";
diff --git a/application/language/simplified-chinese/users_lang.php b/application/language/simplified-chinese/users_lang.php
@@ -19,6 +19,7 @@
 $lang['users button add_new_user']            = "添加新用户";
 $lang['users button register']                = "创建新账号";
 $lang['users button reset_password']          = "重置密码";
+$lang['users button login_try_again']         = "再试一次";
 
 // Tooltips
 $lang['users tooltip add_new_user']           = "创建一个全新的用户。";
@@ -78,3 +79,4 @@
 $lang['users error user_not_exist']           = "该用户不存在!";
 $lang['users error username_exists']          = "用户名 <strong>%s</strong> 已经存在!";
 $lang['users error validate_failed']          = "用户激活失败!请重试.";
+$lang['users error too_many_login_attempts']  = "你做了太多的登录尝试太. 请等待%s秒，然后重试.";
diff --git a/application/language/spanish/users_lang.php b/application/language/spanish/users_lang.php
@@ -17,6 +17,7 @@
 $lang['users button add_new_user']            = "Añadir usuario nuevo";
 $lang['users button register']                = "Crear cuenta";
 $lang['users button reset_password']          = "Restablecer la contraseña";
+$lang['users button login_try_again']         = "Inténtalo de nuevo";
 
 // Tooltips
 $lang['users tooltip add_new_user']           = "Crear un nuevo usuario.";
@@ -76,3 +77,4 @@
 $lang['users error user_not_exist']           = "Ese usuario no existe!";
 $lang['users error username_exists']          = "El usuario <strong>%s</strong> ya existe!";
 $lang['users error validate_failed']          = "Hubo un problema al validar su cuenta. Por favor, vuelva a intentarlo.";
+$lang['users error too_many_login_attempts']  = "Usted ha hecho demasiados intentos para iniciar sesión con demasiada rapidez. Por favor, espere %s segundos y vuelva a intentarlo.";
diff --git a/application/language/turkish/users_lang.php b/application/language/turkish/users_lang.php
@@ -17,6 +17,7 @@
 $lang['users button add_new_user']            = "Yeni Kullanıcı Ekle";
 $lang['users button register']                = "Hesap oluşturma";
 $lang['users button reset_password']          = "Parola sıfırlama";
+$lang['users button login_try_again']         = "Tekrar dene";
 
 // Tooltips
 $lang['users tooltip add_new_user']           = "Yeni bir kullanıcı oluşturun.";
@@ -80,3 +81,4 @@
 $lang['users error user_not_exist']           = "Bu kullanıcı yok!";
 $lang['users error username_exists']          = "Kullanıcı adı <strong>%s</strong> zaten!";
 $lang['users error validate_failed']          = "Hesabınızı doğrulanırken bir hata oluştu. Lütfen yeniden deneyin.";
+$lang['users error too_many_login_attempts']  = "Çok hızlı giriş için çok fazla deneme yaptık. %s saniye bekleyin ve tekrar deneyin.";