authorChris Smith <toonarmy@phpbb.com>2009-07-17 13:21:03 +0000
committerChris Smith <toonarmy@phpbb.com>2009-07-17 13:21:03 +0000
commit5f6db9584c4b2594c437a07c0ecd60390ff39d5e (patch)
tree1842e3871c4698ed7c2240b06af4266dd209a2a8
parentab9715a9fe5577921180a6f77b5a89b990665b6e (diff)
Correct escaping/unescaping in the LDAP authentication plugin. #48175
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9769 89ea8834-ac86-4346-8a33-228a782c2dd0
-rw-r--r--phpBB/config.php17
-rw-r--r--phpBB/docs/CHANGELOG.html1
-rw-r--r--phpBB/includes/auth/auth_ldap.php18
3 files changed, 29 insertions, 7 deletions
diff --git a/phpBB/config.php b/phpBB/config.php
index e69de29bb2..fcfbc98bc2 100644
--- a/phpBB/config.php
+++ b/phpBB/config.php
@@ -0,0 +1,17 @@
+<?php
+// phpBB 3.0.x auto-generated configuration file
+// Do not change anything in this file!
+$dbms = 'mysqli';
+$dbhost = '';
+$dbport = '';
+$dbname = 'phpbb';
+$dbuser = 'root';
+$dbpasswd = 'testing';
+$table_prefix = 'phpbb_';
+$acm_type = 'file';
+$load_extensions = '';
+
+@define('PHPBB_INSTALLED', true);
+@define('DEBUG', true);
+@define('DEBUG_EXTRA', true);
+?>
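Review bot: A database credential (`$dbpasswd = 'testing'` for the `root` DB user) together with `DEBUG` and `DEBUG_EXTRA` both set to true is being committed in phpBB/config.php, which has nothing to do with the LDAP escaping fix named in the commit message and looks like a developer's local install file added by mistake. The header itself says the file is auto-generated by the installer, so it should be dropped from this commit and kept out of version control; if that password is in use on anything other than a throwaway box, treat it as disclosed and change it. Shipping it would also make every fresh checkout run against the database as `root` with debug output enabled.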
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 15ec8cb4fc..9fc30afeed 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -158,6 +158,7 @@
<li>[Fix] Fix &quot;Always show a scrollbar for short pages&quot; for IE8 and Firefox 3.5 (Bug #47865 - Patch by stokerpiller)</li>
<li>[Fix] Do not allow setting group as default group for pending user (Bug #45675 - Patch by nickvergessen)</li>
<li>[Fix] Fail gracefully if store folder is not writable during update. (Bugs #46615, #46945)</li>
+ <li>[Fix] Correct escaping/unescaping in the LDAP authentication plugin. (Bug #48175)</li>
<li>[Change] Change the data format of the default file ACM to be more secure from tampering and have better performance.</li>
<li>[Change] Add index on log_time to the log table to prevent slowdown on boards with many log entries. (Bug #44665 - Patch by bantu)</li>
<li>[Change] Template engine now permits to a limited extent variable includes.</li>
diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php
index 11c62ad0bc..b70e644b14 100644
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@@ -63,9 +63,11 @@ function init_ldap()
// ldap_connect only checks whether the specified server is valid, so the connection might still fail
$search = @ldap_search(
$ldap,
- $config['ldap_base_dn'],
+ htmlspecialchars_decode($config['ldap_base_dn']),
ldap_user_filter($user->data['username']),
- (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
+ (empty($config['ldap_email'])) ?
+ array(htmlspecialchars_decode($config['ldap_uid'])) :
+ array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])),
0,
1
);
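Review bot: The base DN and the attribute list are decoded before reaching ldap_search, but `ldap_user_filter($user->data['username'])` still receives the stored username as-is, and that helper is outside the hunk; if usernames are persisted HTML-escaped (the way this file stores the LDAP e-mail via `utf8_htmlspecialchars` further down), a name containing `&`, `<` or `'` would be searched in its entity form and never match. That call is also the one place where user-controlled text meets the directory query, so it is worth confirming that ldap_user_filter both decodes the value and escapes the LDAP filter metacharacters (`*`, `(`, `)`, `\`, NUL) before splicing it into the filter. init_ldap begins before this hunk, and the `@`-suppressed ldap_search result is checked after it.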
@@ -85,7 +87,7 @@ function init_ldap()
return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
}
- if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']]))
+ if (!empty($config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($config['ldap_email'])]))
{
return $user->lang['LDAP_NO_EMAIL'];
}
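Review bot: The decoded attribute name is used verbatim as a key into `$result[0]`, but if that array comes from ldap_get_entries (built outside this hunk, so unconfirmed) PHP lowercases every attribute index, so an administrator who configured `Mail` or `userPrincipalName` would always get LDAP_NO_EMAIL even though the directory returned the attribute. Normalising the key makes the check agree with what the extension produces: `if (!empty($config['ldap_email']) && !isset($result[0][strtolower(htmlspecialchars_decode($config['ldap_email']))]))`. The same applies to the `ldap_uid` lookup just before this check and to the e-mail read in login_ldap.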
@@ -152,7 +154,7 @@ function login_ldap(&$username, &$password)
if ($config['ldap_user'] || $config['ldap_password'])
{
- if (!@ldap_bind($ldap, $config['ldap_user'], htmlspecialchars_decode($config['ldap_password'])))
+ if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password'])))
{
return $user->lang['LDAP_NO_SERVER_CONNECTION'];
}
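Review bot: The service bind runs whenever either `ldap_user` or `ldap_password` is set (`||`), so a configured bind DN with an empty password reaches ldap_bind as an empty credential, which RFC 4513 servers accept as an unauthenticated (effectively anonymous) bind; the search that follows then runs anonymously while the configuration suggests a privileged account, and the successful bind hides the misconfiguration. Either require both values or reject the half-configured case explicitly, e.g. `if ($config['ldap_user'] !== '' && htmlspecialchars_decode($config['ldap_password']) === '') return $user->lang['LDAP_NO_SERVER_CONNECTION'];` (or a more specific language key if one exists). login_ldap begins before this hunk and continues after it, and the `@` on ldap_bind also discards the reason for a failed bind.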
@@ -160,9 +162,11 @@ function login_ldap(&$username, &$password)
$search = @ldap_search(
$ldap,
- $config['ldap_base_dn'],
+ htmlspecialchars_decode($config['ldap_base_dn']),
ldap_user_filter($username),
- (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
+ (empty($config['ldap_email'])) ?
+ array(htmlspecialchars_decode($config['ldap_uid'])) :
+ array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])),
0,
1
);
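Review bot: The attribute-list expression is now duplicated byte-for-byte between init_ldap and this search, each decoding `ldap_uid` and `ldap_email` inline inside a multi-line ternary, so the next escaping fix has to be applied in two places. Building the array once, `$attrs = array(htmlspecialchars_decode($config['ldap_uid']));` followed by `if (!empty($config['ldap_email'])) $attrs[] = htmlspecialchars_decode($config['ldap_email']);`, and passing `$attrs` to both ldap_search calls keeps the two sites in step and reads more easily than the nested ternary. login_ldap begins before this hunk and continues after it.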
@@ -223,7 +227,7 @@ function login_ldap(&$username, &$password)
$ldap_user_row = array(
'username' => $username,
'user_password' => phpbb_hash($password),
- 'user_email' => (!empty($config['ldap_email'])) ? $ldap_result[0][$config['ldap_email']][0] : '',
+ 'user_email' => (!empty($config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($config['ldap_email'])][0]) : '',
'group_id' => (int) $row['group_id'],
'user_type' => USER_NORMAL,
'user_ip' => $user->ip,
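Review bot: `$ldap_result[0][...][0]` is read without checking that the matched entry actually carries the e-mail attribute, and unlike init_ldap no LDAP_NO_EMAIL guard is visible in this hunk (login_ldap starts before it, so an earlier check may exist); an entry without the attribute would raise a PHP notice and store an empty `user_email`, and the decoded key should be lowercased as well since ldap_get_entries returns lowercase attribute indices. Guard the read, with `$email_attr = strtolower(htmlspecialchars_decode($config['ldap_email']));` computed just above the array: `'user_email' => (!empty($config['ldap_email']) && isset($ldap_result[0][$email_attr][0])) ? utf8_htmlspecialchars($ldap_result[0][$email_attr][0]) : '',`. The value is also copied into the account without any length or format validation, which matters here because the directory is an external input to the forum database.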