Fixed LDAP login problem when special characters like quotes were used in passwords.

Andre Lorbach 2013-10-08 16:46:12 +02:00
parent fc4511f389
commit f9f3df346c
3 changed files with 18 additions and 12 deletions


@ -1,12 +1,13 @@
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
Version 3.6.5 (stable), 2013-10-08 Version 3.6.5 (stable), 2013-10-08
- LogStreamDB Driver: Added backticks arround tablenames - LogStreamDB Driver, LogStreamPDO Driver, UserDB:
in all SQL Statements. Added backticks arround tablenames in all SQL Statements.
- LogStreamPDO Driver: Added backticks arround tablenames This fixes http://bugzilla.adiscon.com/show_bug.cgi?id=479
in all SQL Statements
- LogStreamPDO Driver: Fixed hardcoded tablename in trigger - LogStreamPDO Driver: Fixed hardcoded tablename in trigger
create statement create statement
- UserDB: Added backticks arround tablenames in all SQL Statements - Fixed LDAP login problem when special characters like quotes were
used in passwords.
This fixes http://bugzilla.adiscon.com/show_bug.cgi?id=480
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
Version 3.6.4 (stable), 2013-08-16 Version 3.6.4 (stable), 2013-08-16
- Added MYSQL hint in install script when enabling User Database System. - Added MYSQL hint in install script when enabling User Database System.


@ -137,7 +137,8 @@ function InitUserSession()
function CreateUserName( $username, $password, $is_admin ) function CreateUserName( $username, $password, $is_admin )
{ {
$md5pass = md5($password); /* DB_RemoveBadChars() needs to be done here to maintain backwards compatibility even if it is not needed here*/
$md5pass = md5(DB_RemoveBadChars($password));
$result = DB_Query("SELECT username FROM `" . DB_USERS . "` WHERE username = '" . $username . "'"); $result = DB_Query("SELECT username FROM `" . DB_USERS . "` WHERE username = '" . $username . "'");
$rows = DB_GetAllRows($result, true); $rows = DB_GetAllRows($result, true);
@ -172,10 +173,11 @@ function CheckUserLogin( $username, $password )
else // Normal MYSQL Login! else // Normal MYSQL Login!
{ {
// TODO: SessionTime and AccessLevel check // TODO: SessionTime and AccessLevel check
$md5pass = md5($password); $md5pass = md5(DB_RemoveBadChars($password)); /* DB_RemoveBadChars() needs to be done here to maintain backwards compatibility even if it is not needed here*/
$sqlquery = "SELECT * FROM `" . DB_USERS . "` WHERE username = '" . $username . "' and password = '" . $md5pass . "'"; $sqlquery = "SELECT * FROM `" . DB_USERS . "` WHERE username = '" . $username . "' and password = '" . $md5pass . "'";
$result = DB_Query($sqlquery); $result = DB_Query($sqlquery);
$myrow = DB_GetSingleRow($result, true); $myrow = DB_GetSingleRow($result, true);
echo $sqlquery;
} }
// The admin field must be set! // The admin field must be set!
@ -279,7 +281,7 @@ function CheckUserLogin( $username, $password )
} }
*/ */
if ( GetConfigSetting("DebugUserLogin", 0) == 1 ) if ( GetConfigSetting("DebugUserLogin", 0) == 1 )
DieWithFriendlyErrorMsg( "Debug Error: Could not login user '" . $username . "' <br><br><B>Sessionarray</B> <pre>" . var_export($_SESSION, true) . "</pre><br><B>SQL Statement</B>: " . $sqlselect ); DieWithFriendlyErrorMsg( "Debug Error: Could not find user '" . $username . "' <br><br><B>Sessionarray</B> <pre>" . var_export($_SESSION, true) . "</pre>");
// Default return false // Default return false
return false; return false;
@ -384,6 +386,9 @@ function CheckLDAPUserLogin( $username, $password )
// for the moment when a user logs in from LDAP, create it in the DB. // for the moment when a user logs in from LDAP, create it in the DB.
// then the prefs and group management is done in the DB and we don't rewrite the whole Loganalyzer code… // then the prefs and group management is done in the DB and we don't rewrite the whole Loganalyzer code…
/* DB_RemoveBadChars() needs to be done here to maintain backwards compatibility even if it is not needed here*/
$md5pass = md5(DB_RemoveBadChars($password));
// check if the user already exist // check if the user already exist
$sqlquery = "SELECT * FROM `" . DB_USERS . "` WHERE username = '" . $username . "'"; $sqlquery = "SELECT * FROM `" . DB_USERS . "` WHERE username = '" . $username . "'";
$result = DB_Query($sqlquery); $result = DB_Query($sqlquery);
@ -391,7 +396,7 @@ function CheckLDAPUserLogin( $username, $password )
if (!isset($myrow['is_admin']) ) if (!isset($myrow['is_admin']) )
{ {
// Create User | use password to create MD5 Hash, so technically the user could login without LDAP as well // Create User | use password to create MD5 Hash, so technically the user could login without LDAP as well
$sqlcmd = "INSERT INTO `" . DB_USERS . "` (username, password, is_admin, is_readonly) VALUES ('" . $username . "', '" . md5($password) . "', 0, 1)"; $sqlcmd = "INSERT INTO `" . DB_USERS . "` (username, password, is_admin, is_readonly) VALUES ('" . $username . "', '" . $md5pass . "', 0, 1)";
$result = DB_Query($sqlcmd); $result = DB_Query($sqlcmd);
DB_FreeQuery($result); DB_FreeQuery($result);
@ -402,7 +407,7 @@ function CheckLDAPUserLogin( $username, $password )
// Construct Row and return // Construct Row and return
$myrowfinal['username'] = $username; $myrowfinal['username'] = $username;
$myrowfinal['password'] = md5($password); $myrowfinal['password'] = $md5pass;
$myrowfinal['dn'] = $info[0]['dn']; $myrowfinal['dn'] = $info[0]['dn'];
if ( isset($myrow['ID']) ) if ( isset($myrow['ID']) )
$myrowfinal['ID'] = $myrow['ID']; // Get from SELECT $myrowfinal['ID'] = $myrow['ID']; // Get from SELECT
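Review bot: The added `echo $sqlquery;` after `DB_GetSingleRow()` in the CheckUserLogin hunk (the "Normal MYSQL Login" branch) looks like leftover debugging and should be deleted before release. It writes the full SELECT statement, including the submitted username and the MD5 hash of the password, into the response for every database login attempt, and emitting output at that point can also interfere with any headers or session cookie sent later. The same commit drops the SQL statement from the `DebugUserLogin` message further down, so printing it unconditionally here appears unintended. If the query is needed for troubleshooting, log it server-side only when `DebugUserLogin` is enabled and leave out the password hash. CheckUserLogin starts and ends outside the hunk.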


@ -77,7 +77,7 @@ if ( isset($_POST['op']) && $_POST['op'] == "login" )
{ {
// Set Username and password // Set Username and password
$content['uname'] = DB_RemoveBadChars($_POST['uname']); $content['uname'] = DB_RemoveBadChars($_POST['uname']);
$content['pass'] = DB_RemoveBadChars($_POST['pass']); $content['pass'] = $_POST['pass']; // RAW Copy of password string, otherwise passwords with special characters can be broken.
if ( !CheckUserLogin( $content['uname'], $content['pass']) ) if ( !CheckUserLogin( $content['uname'], $content['pass']) )
{ {