authorNils Adermann <naderman@naderman.de>2006-08-12 01:58:58 +0000
committerNils Adermann <naderman@naderman.de>2006-08-12 01:58:58 +0000
commitb1ef984526f462a2c2132ab34a039490bceeb836 (patch)
tree53ee825ff6a23fff4cfc5eede0fafc010c017089 /phpBB/includes/auth
parentb5a6291fa5a3c57eeb6a5cbe0411bde2a239402d (diff)
- auto sync attachment topic flag [Bug #2949]
- corrected paths for templates stored in the db and filenames displayed in the template editor [Bug #3662] - removed some useless language strings [Bug #3648] - corrected escaping of usernames and passwords in auth modules [Bug #3696], added ldap_escape git-svn-id: file:///svn/phpbb/trunk@6266 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/includes/auth')
-rw-r--r--phpBB/includes/auth/auth_apache.php13
-rw-r--r--phpBB/includes/auth/auth_ldap.php25
2 files changed, 29 insertions, 9 deletions
diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php
index 8556fb5707..3ee0f1347f 100644
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@@ -121,6 +121,9 @@ function autologin_apache()
if (!empty($php_auth_user) && !empty($php_auth_pw))
{
+ set_var($php_auth_user, $php_auth_user, 'string');
+ set_var($php_auth_pw, $php_auth_pw, 'string');
+
$sql = 'SELECT *
FROM ' . USERS_TABLE . "
WHERE username = '" . $db->sql_escape($php_auth_user) . "'";
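Review bot: The new `set_var($php_auth_pw, $php_auth_pw, 'string');` transforms the credential before it is consumed, and the rest of autologin_apache that uses `$php_auth_pw` is outside the hunk. If set_var's 'string' mode entity-encodes the value (the auth_ldap hunks in this same commit apply `html_entity_decode()` to the password, which suggests it does), every consumer that compares or hashes `$php_auth_pw` must decode it the same way, or passwords containing `&`, `<`, `>` or `"` will stop working. Worth stating on the new line: `// normalised like stored input; decode before comparing or hashing`. The username lookup below is correctly parameterised through `$db->sql_escape()`, and matches stored names only if they went through the same set_var normalisation.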
@@ -190,7 +193,15 @@ function user_row_apache($username, $password)
*/
function validate_session_apache(&$user)
{
- return (isset($_SERVER['PHP_AUTH_USER']) && ($_SERVER['PHP_AUTH_USER'] === $user['username'])) ? true : false;
+ if (!isset($_SERVER['PHP_AUTH_USER']))
+ {
+ return false;
+ }
+
+ $php_auth_user = '';
+ set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string');
+
+ return ($php_auth_user === $user['username']) ? true : false;
}
?> \ No newline at end of file
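Review bot: `return ($php_auth_user === $user['username']) ? true : false;` wraps a boolean in a redundant ternary; `return $php_auth_user === $user['username'];` is the same result and easier to read. The strict comparison now presumes `$user['username']` was stored through the same `set_var(..., 'string')` normalisation applied to the header value here — if stored names differ in case or entity encoding from what Apache sends, every session fails validation — so that assumption deserves a one-line comment above the return, e.g. `// both sides have been through set_var('string'); compare normalised forms`. Dropping the closing `?>` in a PHP-only file would also remove the risk of stray output after it.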
diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php
index 25c90aeeeb..889f6d8661 100644
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@@ -38,7 +38,7 @@ function init_ldap()
$search = @ldap_search(
$ldap,
$config['ldap_base_dn'],
- '(' . $config['ldap_uid'] . '=' . $user->data['username'] . ')',
+ '(' . $config['ldap_uid'] . '=' . ldap_escape(html_entity_decode($user->data['username'])) . ')',
(empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
0,
1
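Review bot: `html_entity_decode($user->data['username'])` on the changed line is called with no quote-style or charset argument, so it decodes only what PHP's default mode covers; it has to mirror exactly what `set_var()` encoded when the username was stored (single quotes and non-ASCII characters are the usual mismatch), otherwise the filter will not match the directory entry and the admin test reports a missing identity. The same default-flag call appears in the login_ldap search hunk and the bind hunk of this commit, so pin the flags once, e.g. `html_entity_decode($username, ENT_COMPAT, 'UTF-8')` with whichever constants set_var actually uses, ideally in a small helper so the three call sites cannot drift. Decoding before `ldap_escape()` is the right order, since escaping must be the last transformation before the value enters the filter.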
@@ -53,17 +53,18 @@ function init_ldap()
@ldap_close($ldap);
- if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']]))
+
+ if (!is_array($result) || sizeof($result) < 2)
{
- return $user->lang['LDAP_NO_EMAIL'];
+ return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
}
- if (is_array($result) && sizeof($result) > 1)
+ if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']]))
{
- return false;
+ return $user->lang['LDAP_NO_EMAIL'];
}
- return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
+ return false;
}
/**
@@ -97,7 +98,7 @@ function login_ldap(&$username, &$password)
$search = @ldap_search(
$ldap,
$config['ldap_base_dn'],
- '(' . $config['ldap_uid'] . '=' . $username . ')',
+ '(' . $config['ldap_uid'] . '=' . ldap_escape(html_entity_decode($username)) . ')',
(empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
0,
1
@@ -107,7 +108,7 @@ function login_ldap(&$username, &$password)
if (is_array($ldap_result) && sizeof($ldap_result) > 1)
{
- if (@ldap_bind($ldap, $ldap_result[0]['dn'], $password))
+ if (@ldap_bind($ldap, $ldap_result[0]['dn'], html_entity_decode($password)))
{
@ldap_close($ldap);
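Review bot: The `ldap_bind($ldap, $ldap_result[0]['dn'], html_entity_decode($password))` on the changed line is reached with whatever `$password` the caller passed, and the start of login_ldap where it could be validated is outside the hunk; a bind with a DN and an empty password is an unauthenticated bind that many directory servers accept, so without an earlier guard the check passes for any existing username. If nothing upstream rejects it, add before the search `if ($password === '') { return false; }` using the same failure value the function returns for a bad bind, with a comment naming the unauthenticated-bind reason. The decode here also uses default flags and must mirror set_var's encoding the same way the search filters do.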
@@ -199,6 +200,14 @@ function login_ldap(&$username, &$password)
}
/**
+* Escapes an LDAP AttributeValue
+*/
+function ldap_escape($string)
+{
+ return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string);
+}
+
+/**
* This function is used to output any required fields in the authentication
* admin panel. It also defines any required configuration table fields.
*/