
Changeset 834053


Timestamp:
01/06/2014 07:14:12 PM (12 years ago)
Author:
Henrik.Schack
Message:

Warn user before using Google Chart API to display QRCode.

File:
1 edited

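--- a/google-authenticator/trunk/google-authenticator.php
+++ b/google-authenticator/trunk/google-authenticator.php
@@ -118,5 +118,8 @@
         $value = $value % 1000000;
         if ( $value === $thistry ) {
-            // Check for replay (Man-in-the-middle) attack
+            // Check for replay (Man-in-the-middle) attack.
+            // Since this is not Star Trek, time can only move forward,
+            // meaning current login attempt has to be in the future compared to
+            // last successful login.
             if ( $lasttimeslot >= ($tm+$i) ) {
                 return false;
@@ -197,5 +200,5 @@
         $lasttimeslot = trim( get_user_option( 'googleauthenticator_lasttimeslot', $user->ID ) );
         // Valid code ?
-        if ( $timeslot=$this->verify( $GA_secret, $otp, $GA_relaxedmode, $lasttimeslot ) ) {
+        if ( $timeslot = $this->verify( $GA_secret, $otp, $GA_relaxedmode, $lasttimeslot ) ) {
             // Store the timeslot in which login was successful.
             update_user_option( $user->ID, 'googleauthenticator_lasttimeslot', $timeslot, true );
@@ -271,8 +274,4 @@
     echo "</tr>\n";
 
-    // Create URL for the Google charts QR code generator.
-    $chl = rawurlencode( 'otpauth://totp/'.rawurlencode( $GA_description ).'?secret='.rawurlencode( $GA_secret ) );
-    $qrcodeurl = "https://chart.googleapis.com/chart?cht=qr&amp;chs=300x300&amp;chld=H|0&amp;chl={$chl}";
-
     if ( $is_profile_page || IS_PROFILE_PAGE ) {
         echo "<tr>\n";
@@ -293,5 +292,5 @@
         echo "<input name=\"GA_secret\" id=\"GA_secret\" value=\"{$GA_secret}\" readonly=\"readonly\"  type=\"text\" size=\"25\" />";
         echo "<input name=\"GA_newsecret\" id=\"GA_newsecret\" value=\"".__("Create new secret",'google-authenticator')."\"   type=\"button\" class=\"button\" />";
-        echo "<input name=\"show_qr\" id=\"show_qr\" value=\"".__("Show/Hide QR code",'google-authenticator')."\"   type=\"button\" class=\"button\" onclick=\"jQuery('#GA_QR_INFO').toggle('slow');\" />";
+        echo "<input name=\"show_qr\" id=\"show_qr\" value=\"".__("Show/Hide QR code",'google-authenticator')."\"   type=\"button\" class=\"button\" onclick=\"ShowQRCodeAfterWarning();\" />";
         echo "</td>\n";
         echo "</tr>\n";
@@ -300,5 +299,6 @@
         echo "<th></th>\n";
         echo "<td><div id=\"GA_QR_INFO\" style=\"display: none\" >";
-        echo "<img id=\"GA_QRCODE\"  src=\"{$qrcodeurl}\" alt=\"QR Code\"/>";
+        echo "<img id=\"GA_QRCODE\"  src=\"\" alt=\"QR Code\"/>";
+
         echo '<span class="description"><br/> ' . __( 'Scan this with the Google Authenticator app.', 'google-authenticator' ) . '</span>';
         echo "</div></td>\n";
@@ -326,4 +326,9 @@
     echo "<script type=\"text/javascript\">\n";
     echo "var GAnonce='".wp_create_nonce('GoogleAuthenticatoraction')."';\n";
+
+    echo "var qrcodewarningtext = '";
+    echo __( "WARNING:\\n\\nShowing the QR code will use the Google Chart API to do so.\\nIf you do not trust Google, please press Cancel and enter the code manually.",'google-authenticator' );
+    echo "';\n";
+
     echo <<<ENDOFJS
     var pwdata;
@@ -340,11 +345,14 @@
         });     
     });
-     
+
     jQuery('#GA_description').bind('focus blur change keyup', function() {
-        chl=escape("otpauth://totp/"+jQuery('#GA_description').val()+"?secret="+jQuery('#GA_secret').val());
-        qrcodeurl="https://chart.googleapis.com/chart?cht=qr&chs=300x300&chld=H|0&chl="+chl;
-        jQuery('#GA_QRCODE').attr('src',qrcodeurl);
+        // Only update QRCode if it's already visible
+        if (jQuery('#GA_QR_INFO').is(':visible')) {
+            chl=escape("otpauth://totp/"+jQuery('#GA_description').val()+"?secret="+jQuery('#GA_secret').val());
+            qrcodeurl="https://chart.googleapis.com/chart?cht=qr&chs=300x300&chld=H|0&chl="+chl;
+            jQuery('#GA_QRCODE').attr('src',qrcodeurl);
+        }
     });
-   
+
     jQuery('#GA_createpassword').bind('click',function() {
         var data=new Object();
@@ -376,8 +384,20 @@
             jQuery('#GA_createpassword').attr('disabled', true);
         }
-    }       
+    }
+
+    function ShowQRCodeAfterWarning() {
+        if (jQuery('#GA_QR_INFO').is(':hidden')) {
+            if ( confirm(qrcodewarningtext) ) {
+                chl=escape("otpauth://totp/"+jQuery('#GA_description').val()+"?secret="+jQuery('#GA_secret').val());
+                qrcodeurl="https://chart.googleapis.com/chart?cht=qr&chs=300x300&chld=H|0&chl="+chl;
+                jQuery('#GA_QRCODE').attr('src',qrcodeurl);
+                jQuery('#GA_QR_INFO').show('slow');
+            }
+        } else {
+            jQuery('#GA_QR_INFO').hide('slow');
+        }
+    }
 </script>
 ENDOFJS;
-       
 }
 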
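Review bot: The translated warning emitted at new lines 329-331 is written verbatim into a single-quoted JavaScript string literal, so any translation (or later edit of the English text) containing an apostrophe — "don't trust Google" is the obvious candidate — terminates the literal and the remainder runs as script on the profile page. `esc_js()` is not a drop-in here because its stripslashes/addslashes pass would mangle the literal `\n` sequences the message relies on; the robust form is to put real newlines in the source string and let `json_encode()` produce the JS literal: `echo 'var qrcodewarningtext = ' . json_encode( __( "WARNING:\n\nShowing the QR code will use the Google Chart API to do so.\nIf you do not trust Google, please press Cancel and enter the code manually.", 'google-authenticator' ) ) . ";\n";` (this changes the msgid, which is harmless for a string introduced in this commit). Separately, the URL construction now appears twice on the new side (351-353 and 391-393) and assigns `chl`/`qrcodeurl` as undeclared globals; one `function GA_qrcodeurl()` using `var` would remove the duplication and the leak. The enclosing PHP function begins before the first hunk and the `verify()` hunk at 118-125 is likewise cut from its function header.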