authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2014-03-02 13:35:09 +0100
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2014-03-02 13:35:09 +0100
commitb07f9157b18bffdb28833ed1363284571be3644e (patch)
tree3c286a51aad917da502e63cbd102798d778ac4f5
parent70e50d449ff51845043986aa92e98534a07828ea (diff)
New unsafe autologin mode
https://github.com/marienfressinaud/FreshRSS/issues/440
-rwxr-xr-xapp/Controllers/indexController.php26
-rw-r--r--lib/Minz/Configuration.php14
-rw-r--r--p/i/install.php3
3 files changed, 43 insertions, 0 deletions
diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php
index c83c5b630..0905e591a 100755
--- a/app/Controllers/indexController.php
+++ b/app/Controllers/indexController.php
@@ -352,6 +352,32 @@ class FreshRSS_index_Controller extends Minz_ActionController {
}
$this->view->_useLayout(false);
Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true);
+ } elseif (Minz_Configuration::unsafeAutologinEnabled() && isset($_GET['u']) && isset($_GET['p'])) {
+ Minz_Session::_param('currentUser');
+ Minz_Session::_param('mail');
+ Minz_Session::_param('passwordHash');
+ $username = ctype_alnum($_GET['u']) ? $_GET['u'] : '';
+ $passwordPlain = $_GET['p'];
+ Minz_Request::_param('p'); //Discard plain-text password ASAP
+ $_GET['p'] = '';
+ if (!function_exists('password_verify')) {
+ include_once(LIB_PATH . '/password_compat.php');
+ }
+ try {
+ $conf = new FreshRSS_Configuration($username);
+ $s = $conf->passwordHash;
+ $ok = password_verify($passwordPlain, $s);
+ unset($passwordPlain);
+ if ($ok) {
+ Minz_Session::_param('currentUser', $username);
+ Minz_Session::_param('passwordHash', $s);
+ } else {
+ Minz_Log::record('Unsafe password mismatch for user ' . $username, Minz_Log::WARNING);
+ }
+ } catch (Minz_Exception $me) {
+ Minz_Log::record('Unsafe login failure: ' . $me->getMessage(), Minz_Log::WARNING);
+ }
+ Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true);
} elseif (!Minz_Configuration::canLogIn()) {
Minz_Error::error (
403,
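Review bot: The session is wiped before the password is checked — the three `Minz_Session::_param('currentUser')` / `'mail'` / `'passwordHash'` calls run unconditionally, so any `?u=x&p=y` link visited by an already-authenticated user logs them out even when the credentials are wrong, which gives a trivial forced-logout vector on a GET endpoint. Moving those three resets inside the `if ($ok) {` branch just before `Minz_Session::_param('currentUser', $username);` keeps the existing session intact on a failed or malformed attempt. The `//Discard plain-text password ASAP` comment also overstates what `$_GET['p'] = '';` achieves: the password still sits in `$_SERVER['QUERY_STRING']` / `REQUEST_URI`, in the browser history and Referer header, and in the web server's access log, so the comment should say so and the setting's documentation should recommend sending it over POST if at all. Nothing in the branch bounds failed attempts, so mismatches are only logged and an attacker can drive `password_verify` at will; a minimum is to also require `is_string($_GET['u']) && is_string($_GET['p'])` before use, since an array value makes `ctype_alnum` fail silently and `password_verify` emit a warning. The enclosing action method begins before this hunk.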
diff --git a/lib/Minz/Configuration.php b/lib/Minz/Configuration.php
index ff71d747c..324aae881 100644
--- a/lib/Minz/Configuration.php
+++ b/lib/Minz/Configuration.php
@@ -55,6 +55,7 @@ class Minz_Configuration {
private static $allow_anonymous_refresh = false;
private static $auth_type = 'none';
private static $api_enabled = false;
+ private static $unsafe_autologin_enabled = false;
private static $db = array (
'type' => 'mysql',
@@ -135,6 +136,9 @@ class Minz_Configuration {
public static function apiEnabled() {
return self::$api_enabled;
}
+ public static function unsafeAutologinEnabled() {
+ return self::$unsafe_autologin_enabled;
+ }
public static function _allowAnonymous($allow = false) {
self::$allow_anonymous = ((bool)$allow) && self::canLogIn();
@@ -158,6 +162,9 @@ class Minz_Configuration {
public static function _enableApi($value = false) {
self::$api_enabled = (bool)$value;
}
+ public static function _enableAutologin($value = false) {
+ self::$unsafe_autologin_enabled = (bool)$value;
+ }
/**
* Initialise les variables de configuration
@@ -188,6 +195,7 @@ class Minz_Configuration {
'allow_anonymous_refresh' => self::$allow_anonymous_refresh,
'auth_type' => self::$auth_type,
'api_enabled' => self::$api_enabled,
+ 'unsafe_autologin_enabled' => self::$unsafe_autologin_enabled,
),
'db' => self::$db,
);
@@ -310,6 +318,12 @@ class Minz_Configuration {
($general['api_enabled'] !== 'no')
);
}
+ if (isset ($general['unsafe_autologin_enabled'])) {
+ self::$unsafe_autologin_enabled = (
+ ((bool)($general['unsafe_autologin_enabled'])) &&
+ ($general['unsafe_autologin_enabled'] !== 'no')
+ );
+ }
// Base de données
if (isset ($ini_array['db'])) {
diff --git a/p/i/install.php b/p/i/install.php
index 720813323..a7563d5ee 100644
--- a/p/i/install.php
+++ b/p/i/install.php
@@ -235,6 +235,9 @@ function saveStep3 () {
'default_user' => $_SESSION['default_user'],
'auth_type' => $_SESSION['auth_type'],
'allow_anonymous' => isset($_SESSION['allow_anonymous']) ? $_SESSION['allow_anonymous'] : false,
+ 'allow_anonymous_refresh' => false,
+ 'unsafe_autologin_enabled' => false,
+ 'api_enabled' => false,
),
'db' => array(
'type' => $_SESSION['bd_type'],