diff --git a/ChangeLog b/ChangeLog
index 78a43f6..b29eaa9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,12 +1,13 @@
---------------------------------------------------------------------------
Version 3.6.5 (stable), 2013-10-08
-- LogStreamDB Driver: Added backticks arround tablenames
- in all SQL Statements.
-- LogStreamPDO Driver: Added backticks arround tablenames
- in all SQL Statements
+- LogStreamDB Driver, LogStreamPDO Driver, UserDB:
+ Added backticks arround tablenames in all SQL Statements.
+ This fixes http://bugzilla.adiscon.com/show_bug.cgi?id=479
- LogStreamPDO Driver: Fixed hardcoded tablename in trigger
create statement
-- UserDB: Added backticks arround tablenames in all SQL Statements
+- Fixed LDAP login problem when special characters like quotes were
+ used in passwords.
+ This fixes http://bugzilla.adiscon.com/show_bug.cgi?id=480
---------------------------------------------------------------------------
Version 3.6.4 (stable), 2013-08-16
- Added MYSQL hint in install script when enabling User Database System.
diff --git a/src/include/functions_users.php b/src/include/functions_users.php
index 41996fa..720f885 100644
--- a/src/include/functions_users.php
+++ b/src/include/functions_users.php
@@ -137,7 +137,8 @@ function InitUserSession()
function CreateUserName( $username, $password, $is_admin )
{
- $md5pass = md5($password);
+ /* DB_RemoveBadChars() needs to be done here to maintain backwards compatibility even if it is not needed here*/
+ $md5pass = md5(DB_RemoveBadChars($password));
$result = DB_Query("SELECT username FROM `" . DB_USERS . "` WHERE username = '" . $username . "'");
$rows = DB_GetAllRows($result, true);
@@ -172,10 +173,11 @@ function CheckUserLogin( $username, $password )
else // Normal MYSQL Login!
{
// TODO: SessionTime and AccessLevel check
- $md5pass = md5($password);
+ $md5pass = md5(DB_RemoveBadChars($password)); /* DB_RemoveBadChars() needs to be done here to maintain backwards compatibility even if it is not needed here*/
$sqlquery = "SELECT * FROM `" . DB_USERS . "` WHERE username = '" . $username . "' and password = '" . $md5pass . "'";
$result = DB_Query($sqlquery);
$myrow = DB_GetSingleRow($result, true);
+ echo $sqlquery;
}
// The admin field must be set!
@@ -279,7 +281,7 @@ function CheckUserLogin( $username, $password )
}
*/
if ( GetConfigSetting("DebugUserLogin", 0) == 1 )
- DieWithFriendlyErrorMsg( "Debug Error: Could not login user '" . $username . "'
Sessionarray " . var_export($_SESSION, true) . "
SQL Statement: " . $sqlselect );
+ DieWithFriendlyErrorMsg( "Debug Error: Could not find user '" . $username . "'
Sessionarray " . var_export($_SESSION, true) . "
");
// Default return false
return false;
@@ -383,7 +385,10 @@ function CheckLDAPUserLogin( $username, $password )
// for the moment when a user logs in from LDAP, create it in the DB.
// then the prefs and group management is done in the DB and we don't rewrite the whole Loganalyzer code…
-
+
+ /* DB_RemoveBadChars() needs to be done here to maintain backwards compatibility even if it is not needed here*/
+ $md5pass = md5(DB_RemoveBadChars($password));
+
// check if the user already exist
$sqlquery = "SELECT * FROM `" . DB_USERS . "` WHERE username = '" . $username . "'";
$result = DB_Query($sqlquery);
@@ -391,7 +396,7 @@ function CheckLDAPUserLogin( $username, $password )
if (!isset($myrow['is_admin']) )
{
// Create User | use password to create MD5 Hash, so technically the user could login without LDAP as well
- $sqlcmd = "INSERT INTO `" . DB_USERS . "` (username, password, is_admin, is_readonly) VALUES ('" . $username . "', '" . md5($password) . "', 0, 1)";
+ $sqlcmd = "INSERT INTO `" . DB_USERS . "` (username, password, is_admin, is_readonly) VALUES ('" . $username . "', '" . $md5pass . "', 0, 1)";
$result = DB_Query($sqlcmd);
DB_FreeQuery($result);
@@ -402,7 +407,7 @@ function CheckLDAPUserLogin( $username, $password )
// Construct Row and return
$myrowfinal['username'] = $username;
- $myrowfinal['password'] = md5($password);
+ $myrowfinal['password'] = $md5pass;
$myrowfinal['dn'] = $info[0]['dn'];
if ( isset($myrow['ID']) )
$myrowfinal['ID'] = $myrow['ID']; // Get from SELECT
diff --git a/src/login.php b/src/login.php
index 828d852..fbc3a07 100644
--- a/src/login.php
+++ b/src/login.php
@@ -77,7 +77,7 @@ if ( isset($_POST['op']) && $_POST['op'] == "login" )
{
// Set Username and password
$content['uname'] = DB_RemoveBadChars($_POST['uname']);
- $content['pass'] = DB_RemoveBadChars($_POST['pass']);
+ $content['pass'] = $_POST['pass']; // RAW Copy of password string, otherwise passwords with special characters can be broken.
if ( !CheckUserLogin( $content['uname'], $content['pass']) )
{