Merge pull request #741 from dawnbreak/docu

Add security logger to RedDAV.

boot.php

@@ -51,12 +51,21 @@ define ( 'ZOT_REVISION',            1     );
 
 define ( 'DB_UPDATE_VERSION',       1131  );
 
+/**
+ * Constant with a HTML line break.
+ *
+ * Contains a HTML line break (br) element and a real carriage return with line
+ * feed for the source.
+ * This can be used in HTML and JavaScript where needed a line break.
+ *
+ * @var string
+ */
 define ( 'EOL',                    '<br>' . "\r\n"        );
 define ( 'ATOM_TIME',              'Y-m-d\TH:i:s\Z'       );
 //define ( 'NULL_DATE',              '0000-00-00 00:00:00'  );
 define ( 'TEMPLATE_BUILD_PATH',    'store/[data]/smarty3' );
 
-define ( 'DIRECTORY_MODE_NORMAL',      0x0000);  // This is technically DIRECTORY_MODE_TERTIARY, but it's the default, hence 0x0000
+define ( 'DIRECTORY_MODE_NORMAL',      0x0000); // This is technically DIRECTORY_MODE_TERTIARY, but it's the default, hence 0x0000
 define ( 'DIRECTORY_MODE_PRIMARY',     0x0001);
 define ( 'DIRECTORY_MODE_SECONDARY',   0x0002);
 define ( 'DIRECTORY_MODE_STANDALONE',  0x0100);

include/RedDAV/RedBasicAuth.php

@@ -118,8 +118,11 @@ class RedBasicAuth extends DAV\Auth\Backend\AbstractBasic {
 				}
 			}
 		}
-		logger('password failed for ' . $username);
-		// @TODO add security logger
+
+		$error = 'password failed for ' . $username;
+		logger($error);
+		log_failed_login($error);
+
 		return false;
 	}
 

include/RedDAV/RedBrowser.php

@@ -182,10 +182,10 @@ class RedBrowser extends DAV\Browser\Plugin {
 					}
 				}
 			}
-	
-			$parentHash = "";
+
+			$parentHash = '';
 			$owner = $this->auth->owner_id;
-			$splitPath = split("/", $fullPath);
+			$splitPath = split('/', $fullPath);
 			if (count($splitPath) > 3) {
 				for ($i = 3; $i < count($splitPath); $i++) {
 					$attachName = urldecode($splitPath[$i]);
@@ -233,6 +233,7 @@ class RedBrowser extends DAV\Browser\Plugin {
 		}
 
 		// prepare quota for template
+		$quota = array();
 		$quota['used'] = $used;
 		$quota['limit'] = $limit;
 		$quota['desc'] = $quotaDesc;
@@ -257,7 +258,7 @@ class RedBrowser extends DAV\Browser\Plugin {
 			$this->server->broadcastEvent('onHTMLActionsPanel', array($parent, &$output));
 		}
 		$html .= $output;
-	
+
 		get_app()->page['content'] = $html;
 		load_pdl(get_app());
 		construct_page(get_app());

include/auth.php

@@ -41,6 +41,9 @@ function nuke_session() {
 /**
  * @brief Verify login credentials.
  *
+ * If system <i>authlog</i> is set a log entry will be added for failed login
+ * attempts.
+ *
  * @param string $email
  *  The email address to verify.
  * @param string $pass
@@ -88,14 +91,25 @@ function account_verify_password($email, $pass) {
 	if($record['account_flags'] & ACCOUNT_PENDING)
 		logger('Account is pending. account_flags = ' . $record['account_flags']);
 
-	// Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention
-	$authlog = get_config('system', 'authlog');
-	if ($authlog)
-		@file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
+	log_failed_login($error);
 
 	return null;
 }
 
+/**
+ * @brief Log failed logins to a separate auth log.
+ *
+ * Can be used to reduce overhead for server side intrusion prevention, like
+ * parse the authlog file with something like fail2ban, OSSEC, etc.
+ *
+ * @param string $errormsg
+ *  Error message to display for failed login.
+ */
+function log_failed_login($errormsg) {
+	$authlog = get_config('system', 'authlog');
+	if ($authlog)
+		@file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $errormsg . PHP_EOL, FILE_APPEND);
+}
 
 /**
  * Inline - not a function