aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB/includes/auth
diff options
context:
space:
mode:
Diffstat (limited to 'phpBB/includes/auth')
-rw-r--r--phpBB/includes/auth/auth_apache.php29
-rw-r--r--phpBB/includes/auth/auth_db.php22
-rw-r--r--phpBB/includes/auth/auth_ldap.php2
3 files changed, 30 insertions, 23 deletions
diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php
index 391e7abb0e..9089703035 100644
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@@ -28,9 +28,9 @@ if (!defined('IN_PHPBB'))
*/
function init_apache()
{
- global $user;
+ global $user, $request;
- if (!isset($_SERVER['PHP_AUTH_USER']) || $user->data['username'] !== $_SERVER['PHP_AUTH_USER'])
+ if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $user->data['username'] !== htmlspecialchars_decode($request->server('PHP_AUTH_USER')))
{
return $user->lang['APACHE_SETUP_BEFORE_USE'];
}
@@ -42,7 +42,7 @@ function init_apache()
*/
function login_apache(&$username, &$password)
{
- global $db;
+ global $db, $request;
// do not allow empty password
if (!$password)
@@ -63,7 +63,7 @@ function login_apache(&$username, &$password)
);
}
- if (!isset($_SERVER['PHP_AUTH_USER']))
+ if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER))
{
return array(
'status' => LOGIN_ERROR_EXTERNAL_AUTH,
@@ -72,8 +72,8 @@ function login_apache(&$username, &$password)
);
}
- $php_auth_user = $_SERVER['PHP_AUTH_USER'];
- $php_auth_pw = $_SERVER['PHP_AUTH_PW'];
+ $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER'));
+ $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW'));
if (!empty($php_auth_user) && !empty($php_auth_pw))
{
@@ -136,15 +136,15 @@ function login_apache(&$username, &$password)
*/
function autologin_apache()
{
- global $db;
+ global $db, $request;
- if (!isset($_SERVER['PHP_AUTH_USER']))
+ if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER))
{
return array();
}
- $php_auth_user = $_SERVER['PHP_AUTH_USER'];
- $php_auth_pw = $_SERVER['PHP_AUTH_PW'];
+ $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER'));
+ $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW'));
if (!empty($php_auth_user) && !empty($php_auth_pw))
{
@@ -228,11 +228,12 @@ function user_row_apache($username, $password)
*/
function validate_session_apache(&$user)
{
+ global $request;
+
// Check if PHP_AUTH_USER is set and handle this case
- if (isset($_SERVER['PHP_AUTH_USER']))
+ if ($request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER))
{
- $php_auth_user = '';
- set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string', true);
+ $php_auth_user = $request->server('PHP_AUTH_USER');
return ($php_auth_user === $user['username']) ? true : false;
}
@@ -245,5 +246,3 @@ function validate_session_apache(&$user)
return false;
}
-
-?> \ No newline at end of file
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php
index 6ca69d9174..a2ff9b4047 100644
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@@ -40,6 +40,7 @@ if (!defined('IN_PHPBB'))
function login_db($username, $password, $ip = '', $browser = '', $forwarded_for = '')
{
global $db, $config;
+ global $request;
// do not allow empty password
if (!$password)
@@ -122,13 +123,13 @@ function login_db($username, $password, $ip = '', $browser = '', $forwarded_for
if ($show_captcha)
{
// Visual Confirmation handling
- if (!class_exists('phpbb_captcha_factory'))
+ if (!class_exists('phpbb_captcha_factory', false))
{
global $phpbb_root_path, $phpEx;
include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx);
}
- $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']);
+ $captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']);
$captcha->init(CONFIRM_LOGIN);
$vc_response = $captcha->validate($row);
if ($vc_response)
@@ -149,12 +150,23 @@ function login_db($username, $password, $ip = '', $browser = '', $forwarded_for
// If the password convert flag is set we need to convert it
if ($row['user_pass_convert'])
{
+ // enable super globals to get literal value
+ // this is needed to prevent unicode normalization
+ $super_globals_disabled = $request->super_globals_disabled();
+ if ($super_globals_disabled)
+ {
+ $request->enable_super_globals();
+ }
+
// in phpBB2 passwords were used exactly as they were sent, with addslashes applied
$password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
- $password_new_format = '';
+ $password_new_format = $request->variable('password', '', true);
- set_var($password_new_format, stripslashes($password_old_format), 'string');
+ if ($super_globals_disabled)
+ {
+ $request->disable_super_globals();
+ }
if ($password == $password_new_format)
{
@@ -263,5 +275,3 @@ function login_db($username, $password, $ip = '', $browser = '', $forwarded_for
'user_row' => $row,
);
}
-
-?> \ No newline at end of file
diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php
index 5dfa74ddab..66facd0faa 100644
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@@ -345,5 +345,3 @@ function acp_ldap(&$new)
'config' => array('ldap_server', 'ldap_port', 'ldap_base_dn', 'ldap_uid', 'ldap_user_filter', 'ldap_email', 'ldap_user', 'ldap_password')
);
}
-
-?> \ No newline at end of file
generated by cgit v1.2.1 (git 2.21.0) at 2025-04-09 07:19:02 +0000