1. 26 Nov, 2003 4 commits
  2. 25 Nov, 2003 1 commit
  3. 24 Nov, 2003 2 commits
    • Robert Ricci's avatar
      Add some features to help beginexp act as a backend to other web · a0c2268a
      Robert Ricci authored
      forms. Add a view[] array to hide various parts of the form, and
      a view_style to use a predefined set of view[] options. Also, allow
      formfields to be passed in to provide defaults for a user.
      a0c2268a
    • Robert Ricci's avatar
      Added some new display abilities to menu.php3 . · 6682b5d9
      Robert Ricci authored
      PAGEHEADER() now takes a vew array, which can turn on and off display
      of things like the sidebar and banner.
      
      In the future, some of this information will likely be grabbed from
      the user somehow (new and/or plab users may get a different view than
      others).
      
      Also added the functions to draw a 'topbar' of options that goes
      across the top of the page, rather than down the left side. A simple
      topbar for planetlab nodes is included.
      6682b5d9
  4. 18 Nov, 2003 3 commits
  5. 17 Nov, 2003 2 commits
    • Leigh B. Stoller's avatar
      Merge the two state machines (batchstate and state) into a single · 2025e0bd
      Leigh B. Stoller authored
      state machine (state). All of the stuff that was previously handled by
      using batchstate is now embedded into the one state machine. Of
      course, these mostly overlapped, so its not that much of a change,
      except that we also redid the machine, adding more states (for
      example, modify phases are now explicit. To get a picture of the
      actual state machine, on boss:
      
      		stategraph -o newstates EXPTSTATE
      		gv newstates.ps
      
      Things to note:
      
      * The "batchstate" slot of the experiments table is now used solely to
        provide a lock for batch daemon. A secondary change will be to
        change the slot name to something more appropriate, but it can
        happen anytime after this new stuff is installed.
      
      * I have left expt_locked for now, but another later change will be to remove
        expt_locked, and change it to active_busy or some such new state name in
        the state machine. I have removed most uses of expt_locked, except those
        that were necessary until there is a ...
      2025e0bd
    • Leigh B. Stoller's avatar
      Add web login attack detection/prevention. Two changes: · b1de9fb2
      Leigh B. Stoller authored
      * Add slots to users table to track number of failures in the last N
        seconds. If a threshold is passed (currently 4 failures in the last
        minute), the web login is disabled. Note that I do not disable the
        ops shell login at this time. Aging is passive; the values are cleared
        when login is successful, or when more then one minute has passed
        since the last failure. In other words, a burst of failures will
        disable the login, but failures over time are okay.
      
      * Add login_failures table to do exactly the same as above, except it
        is on an IP basis (REMOTE_ADDR in the server). Currently the
        threshold is 8 failures in the last two minutes, at which time all
        logins from that IP are disabled.
      
      In both cases email is sent to tbops (and the user).
      
      The constants are defined at the top of www/tbauth.in, rather then as
      site variables, to avoid pounding the DB when an attack is being
      launched.
      
      To clear a user freeze, go to the user profile page and use the
      "toggle" near the bottom.
      
      To clear an IP freeze: delete from login_failures were IP='1.1.1.1'
      b1de9fb2
  6. 14 Nov, 2003 2 commits
  7. 12 Nov, 2003 1 commit
  8. 11 Nov, 2003 1 commit
  9. 10 Nov, 2003 4 commits
  10. 09 Nov, 2003 1 commit
    • Leigh B. Stoller's avatar
      More security hacking. · 754d8013
      Leigh B. Stoller authored
      * Add TBvalid_uid() function to regex uid's. To be used throughout the
        system. Eventually add routines for checking other things like pids
        and eids, etc.
      
      * Regex the uid value we get from the cookie, and switch to $_COOKIE
        superglobal.
      
      * Strict regex checking in DOLOGIN() of uid.
      
      * Change login.php to use superglobals, and general tightening of
        parameter checking.
      754d8013
  11. 07 Nov, 2003 6 commits
  12. 06 Nov, 2003 3 commits
  13. 05 Nov, 2003 4 commits
  14. 31 Oct, 2003 1 commit
    • Robert Ricci's avatar
      Put back the content-disposition headers - Windows is totally lost · 9b1e6789
      Robert Ricci authored
      without them. But, use the 'inline' disposition instead of
      'attachment', which seems to allow Mozilla et al to run them w/o
      a dialog box. IE still pops one up, though.
      
      Also, change the extension of the ssh files to tbssh - tbc conflicts
      with other stuff under Windows.
      9b1e6789
  15. 30 Oct, 2003 2 commits
  16. 28 Oct, 2003 3 commits