Diffstat (limited to 'phpBB/includes')
-rw-r--r-- | phpBB/includes/acp/acp_styles.php | 2 | ||||
-rw-r--r-- | phpBB/includes/auth/auth_apache.php | 13 | ||||
-rw-r--r-- | phpBB/includes/auth/auth_ldap.php | 25 | ||||
-rw-r--r-- | phpBB/includes/functions_admin.php | 1 |
4 files changed, 31 insertions, 10 deletions
diff --git a/phpBB/includes/acp/acp_styles.php b/phpBB/includes/acp/acp_styles.php
index 00789fceec..f5bb241e57 100644
--- a/phpBB/includes/acp/acp_styles.php
+++ b/phpBB/includes/acp/acp_styles.php
@@ -2355,7 +2355,7 @@ pagination_sep = \'{PAGINATION_SEP}\'
 // heck of a lot of data ...
 $sql_ary = array(
 'template_id' => $style_id,
- 'template_filename' => "$template_path$pathfile$file",
+ 'template_filename' => "$pathfile$file",
 'template_included' => (isset($includes[$file])) ? implode(':', $includes[$file]) . ':' : '',
 'template_mtime' => filemtime("{$phpbb_root_path}styles/$template_path$pathfile$file"),
 'template_data' => file_get_contents("{$phpbb_root_path}styles/$template_path$pathfile$file"),
diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php
index 8556fb5707..3ee0f1347f 100644
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@@ -121,6 +121,9 @@ function autologin_apache()
 if (!empty($php_auth_user) && !empty($php_auth_pw))
 {
+ set_var($php_auth_user, $php_auth_user, 'string');
+ set_var($php_auth_pw, $php_auth_pw, 'string');
+
 $sql = 'SELECT * FROM ' . USERS_TABLE . " WHERE username = '" . $db->sql_escape($php_auth_user) . "'";
@@ -190,7 +193,15 @@ function user_row_apache($username, $password)
 */
 function validate_session_apache(&$user)
 {
- return (isset($_SERVER['PHP_AUTH_USER']) && ($_SERVER['PHP_AUTH_USER'] === $user['username'])) ? true : false;
+ if (!isset($_SERVER['PHP_AUTH_USER']))
+ {
+ return false;
+ }
+
+ $php_auth_user = '';
+ set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string');
+
+ return ($php_auth_user === $user['username']) ? true : false;
 }
 ?>
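Review bot: The new `set_var()` calls run after the `!empty()` guard, so a whitespace-only `PHP_AUTH_USER` passes the guard and, if `set_var`'s string mode trims as it does for other string inputs in phpBB, reaches the `SELECT ... WHERE username = ''` lookup as an empty string; apply `set_var()` before the guard, or re-check `$php_auth_user === ''` after the calls and return whatever the function returns for "no user". Sanitising `$php_auth_pw` is only justified if the password is used further down in autologin_apache, which is outside this hunk; if it is merely tested for non-emptiness the call can be dropped, since Apache has already authenticated the credential. autologin_apache's body continues outside the hunk.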
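Review bot: `validate_session_apache` now compares the sanitised header byte-for-byte (`===`) against `$user['username']`, whereas the autologin lookup in the previous hunk selects by `WHERE username = '...'`, which is case-insensitive under the usual MySQL collations; a `PHP_AUTH_USER` that differs from the stored name only in case would therefore autologin successfully and then fail this check on every subsequent request. Normalising both sides the same way — for example comparing `utf8_clean_string($php_auth_user)` with `$user['username_clean']` — keeps the two checks consistent, though whether that column and helper are available here cannot be seen from this hunk. As a style point, `return ($php_auth_user === $user['username']) ? true : false;` can simply be `return $php_auth_user === $user['username'];`.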
\ No newline at end of file
diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php
index 25c90aeeeb..889f6d8661 100644
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@@ -38,7 +38,7 @@ function init_ldap()
 $search = @ldap_search(
 $ldap,
 $config['ldap_base_dn'],
- '(' . $config['ldap_uid'] . '=' . $user->data['username'] . ')',
+ '(' . $config['ldap_uid'] . '=' . ldap_escape(html_entity_decode($user->data['username'])) . ')',
 (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
 0,
 1
@@ -53,17 +53,18 @@ function init_ldap()
 @ldap_close($ldap);
- if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']]))
+
+ if (!is_array($result) || sizeof($result) < 2)
 {
- return $user->lang['LDAP_NO_EMAIL'];
+ return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
 }
- if (is_array($result) && sizeof($result) > 1)
+ if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']]))
 {
- return false;
+ return $user->lang['LDAP_NO_EMAIL'];
 }
- return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
+ return false;
 }
 /**
@@ -97,7 +98,7 @@ function login_ldap(&$username, &$password)
 $search = @ldap_search(
 $ldap,
 $config['ldap_base_dn'],
- '(' . $config['ldap_uid'] . '=' . $username . ')',
+ '(' . $config['ldap_uid'] . '=' . ldap_escape(html_entity_decode($username)) . ')',
 (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
 0,
 1
@@ -107,7 +108,7 @@ function login_ldap(&$username, &$password)
 if (is_array($ldap_result) && sizeof($ldap_result) > 1)
 {
- if (@ldap_bind($ldap, $ldap_result[0]['dn'], $password))
+ if (@ldap_bind($ldap, $ldap_result[0]['dn'], html_entity_decode($password)))
 {
 @ldap_close($ldap); 
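Review bot: `ldap_bind()` with an empty password performs an unauthenticated bind that many directories accept as success, so the decoded password on the changed line should be rejected when it is empty before binding; if login_ldap already refuses empty passwords earlier in the function (outside this hunk) this is covered, otherwise add `if (html_entity_decode($password) === '') { @ldap_close($ldap); return the failed-login result login_ldap uses for a bad password; }`. `html_entity_decode()` is also called without flags or charset here and on the username lines in the earlier hunks, so it falls back to the PHP-version-dependent default charset (ISO-8859-1 on older releases) rather than the UTF-8 phpBB otherwise assumes; passing `ENT_COMPAT, 'UTF-8'` explicitly, matching the encoding applied when the values were read, avoids mis-decoding numeric entities. login_ldap's body starts and ends outside this hunk.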
@@ -199,6 +200,14 @@ function login_ldap(&$username, &$password)
 }
 /**
+ * Escapes an LDAP AttributeValue
+ */
+ function ldap_escape($string)
+ {
+ return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string);
+ }
+
+ /**
 * This function is used to output any required fields in the authentication
 * admin panel. It also defines any required configuration table fields.
 */
diff --git a/phpBB/includes/functions_admin.php b/phpBB/includes/functions_admin.php
index 176d9b36c1..0eec9a5114 100644
--- a/phpBB/includes/functions_admin.php
+++ b/phpBB/includes/functions_admin.php
@@ -465,6 +465,7 @@ function move_posts($post_ids, $topic_id, $auto_sync = true)
 $forum_ids[] = $forum_row['forum_id'];
 sync('topic_reported', 'topic_id', $topic_ids);
+ sync('topic_attachment', 'topic_id', $topic_ids);
 sync('topic', 'topic_id', $topic_ids, true);
 sync('forum', 'forum_id', $forum_ids, true);
 } |
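Review bot: `ldap_escape` escapes `*` before `\`, and `str_replace()` with array arguments applies each replacement in turn to the already-modified subject, so an input `*` becomes `\*` and then `\\*` — an escaped backslash followed by a still-live wildcard on parsers that accept the non-hex escape form — which means a `*` in a username is not actually neutralised in the filters built in the earlier hunks. Escape the backslash first and use the RFC 4515 hex forms, which never re-match a later search character, and include NUL, which is also a filter metacharacter: `return str_replace(array('\\', '*', '(', ')', "\x00"), array('\\5c', '\\2a', '\\28', '\\29', '\\00'), $string);`. The docblock should also state that this is search-filter value escaping only and is not suitable for DN components, which follow different rules. Later PHP releases ship a built-in `ldap_escape()`, so a project-prefixed name would avoid a redeclaration fatal if the runtime is upgraded.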