2014-07-17 Miguel de Dios <miguel.dedios@artica.es>

* include/auth/ldap.php, include/auth/mysql.php: fixed the
	parameters containing white spaces.
	
	INCIDENT: #1063




git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@10342 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
mdtrooper 2014-07-17 16:07:07 +00:00
parent 9b978f6674
commit 50885d86d2
3 changed files with 29 additions and 11 deletions


@ -1,3 +1,10 @@
2014-07-17 Miguel de Dios <miguel.dedios@artica.es>
* include/auth/ldap.php, include/auth/mysql.php: fixed the
parameters with white spaces.
INCIDENT: #1063
2014-07-17 Miguel de Dios <miguel.dedios@artica.es> 2014-07-17 Miguel de Dios <miguel.dedios@artica.es>
* include/functions_groups.php: added parameter to avoid the check * include/functions_groups.php: added parameter to avoid the check


@ -65,8 +65,11 @@ $config["admin_can_disable_user"] = false; //Not implemented
$config["admin_can_make_admin"] = false; $config["admin_can_make_admin"] = false;
//Required and optional keys for this function to work //Required and optional keys for this function to work
$req_keys = array ("ldap_server", "ldap_base_dn", "ldap_login_attr", "ldap_admin_group_name", "ldap_admin_group_attr", "ldap_admin_group_type", "ldap_user_filter", "ldap_user_attr"); $req_keys = array("ldap_server", "ldap_base_dn", "ldap_login_attr",
$opt_keys = array ("ldap_port", "ldap_start_tls", "ldap_version", "ldap_admin_dn", "ldap_admin_pwd"); "ldap_admin_group_name", "ldap_admin_group_attr",
"ldap_admin_group_type", "ldap_user_filter", "ldap_user_attr");
$opt_keys = array("ldap_port", "ldap_start_tls", "ldap_version",
"ldap_admin_dn", "ldap_admin_pwd");
global $ldap_cache; //Needs to be globalized because config_process_config () function calls this file first and the variable would be local and subsequently lost global $ldap_cache; //Needs to be globalized because config_process_config () function calls this file first and the variable would be local and subsequently lost
$ldap_cache = array (); $ldap_cache = array ();
@ -76,13 +79,15 @@ $ldap_cache["ds"] = "";
//Put each required key in a variable. //Put each required key in a variable.
foreach ($req_keys as $key) { foreach ($req_keys as $key) {
if (!isset ($config["auth"][$key])) { if (!isset ($config["auth"][$key])) {
user_error ("Required key ".$key." not set", E_USER_ERROR); user_error("Required key " . $key . " not set", E_USER_ERROR);
} }
} }
// Convert group name to lower case to prevent problems // Convert group name to lower case to prevent problems
$config["auth"]["ldap_admin_group_attr"] = strtolower ($config["auth"]["ldap_admin_group_attr"]); $config["auth"]["ldap_admin_group_attr"] =
$config["auth"]["ldap_admin_group_type"] = strtolower ($config["auth"]["ldap_admin_group_type"]); strtolower ($config["auth"]["ldap_admin_group_attr"]);
$config["auth"]["ldap_admin_group_type"] =
strtolower ($config["auth"]["ldap_admin_group_type"]);
foreach ($opt_keys as $key) { foreach ($opt_keys as $key) {
if (!isset ($config["auth"][$key])) { if (!isset ($config["auth"][$key])) {
@ -311,7 +316,8 @@ function ldap_search_user ($login) {
$nick = false; $nick = false;
if (ldap_connect_bind ()) { if (ldap_connect_bind ()) {
$sr = @ldap_search ($ldap_cache["ds"], $config["auth"]["ldap_base_dn"], "(&(".$config["auth"]["ldap_login_attr"]."=".$login.")".$config["auth"]["ldap_user_filter"].")", array_values ($config["auth"]["ldap_user_attr"])); $sr = @ldap_search ($ldap_cache["ds"],
io_safe_output($config["auth"]["ldap_base_dn"]), "(&(".io_safe_output($config["auth"]["ldap_login_attr"])."=".$login.")".io_safe_output($config["auth"]["ldap_user_filter"]).")", array_values ($config["auth"]["ldap_user_attr"]));
if (!$sr) { if (!$sr) {
$ldap_cache["error"] .= 'Error searching LDAP server: ' . ldap_error ($ldap_cache["ds"]); $ldap_cache["error"] .= 'Error searching LDAP server: ' . ldap_error ($ldap_cache["ds"]);
@ -364,7 +370,7 @@ function ldap_valid_login ($login, $password) {
return $ret; return $ret;
} }
$r = @ldap_bind ($ds, $config["auth"]["ldap_login_attr"]."=".$login.",".$config["auth"]["ldap_base_dn"], $password); $r = @ldap_bind ($ds, io_safe_output($config["auth"]["ldap_login_attr"])."=".$login.",".io_safe_output($config["auth"]["ldap_base_dn"]), $password);
if (!$r) { if (!$r) {
$ldap_cache["error"] .= 'Invalid login'; $ldap_cache["error"] .= 'Invalid login';
} }
@ -393,7 +399,8 @@ function ldap_load_user ($login) {
$time = get_system_time (); $time = get_system_time ();
if (ldap_connect_bind ()) { if (ldap_connect_bind ()) {
$sr = ldap_search ($ldap_cache["ds"], $config["auth"]["ldap_base_dn"], "(&(".$config["auth"]["ldap_login_attr"]."=".$login.")".$config["auth"]["ldap_user_filter"].")", array_values ($config["auth"]["ldap_user_attr"])); $sr = ldap_search ($ldap_cache["ds"],
io_safe_output($config["auth"]["ldap_base_dn"]), "(&(".io_safe_output($config["auth"]["ldap_login_attr"])."=".$login.")".io_safe_output($config["auth"]["ldap_user_filter"]).")", array_values ($config["auth"]["ldap_user_attr"]));
if (!$sr) { if (!$sr) {
$ldap_cache["error"] .= 'Error searching LDAP server (load_user): ' . ldap_error( $ldap_cache["ds"] ); $ldap_cache["error"] .= 'Error searching LDAP server (load_user): ' . ldap_error( $ldap_cache["ds"] );
@ -497,7 +504,7 @@ function get_users ($order = false) {
$time = get_system_time (); $time = get_system_time ();
if (ldap_connect_bind ()) { if (ldap_connect_bind ()) {
$sr = @ldap_search ($ldap_cache["ds"], $config["auth"]["ldap_base_dn"], $config["auth"]["ldap_user_filter"], array_values ($config["auth"]["ldap_user_attr"])); $sr = @ldap_search ($ldap_cache["ds"], io_safe_output($config["auth"]["ldap_base_dn"]), io_safe_output($config["auth"]["ldap_user_filter"]), array_values ($config["auth"]["ldap_user_attr"]));
if (!$sr) { if (!$sr) {
$ldap_cache["error"] .= 'Error searching LDAP server (get_users): ' . ldap_error( $ldap_cache["ds"] ); $ldap_cache["error"] .= 'Error searching LDAP server (get_users): ' . ldap_error( $ldap_cache["ds"] );
} }
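Review bot: `$login` is still concatenated unescaped into the LDAP search filter in ldap_search_user (hunk at line 311) and ldap_load_user (hunk at line 393), and into the bind DN in ldap_valid_login (hunk at line 364); the commit only decodes the configured values with io_safe_output(), so a login containing the characters RFC 4515/4514 require escaping alters the filter or DN instead of being matched literally. Escape the user-supplied part per context, e.g. `"(&(" . io_safe_output($config["auth"]["ldap_login_attr"]) . "=" . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ")" . io_safe_output($config["auth"]["ldap_user_filter"]) . ")"` for the two filters and `ldap_escape($login, '', LDAP_ESCAPE_DN)` inside the bind DN (ldap_escape() requires PHP 5.6; on older targets a small local escaper for the same character set is needed). The bind DN built in ldap_process_user_login in include/auth/mysql.php has the same shape and would need the same treatment. Each of these functions begins before its hunk, so whether $login is validated or rejected earlier cannot be seen from here.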


@ -512,7 +512,11 @@ function ldap_process_user_login ($login, $password) {
} }
} }
if (strlen($password) == 0 || !@ldap_bind ($ds, $config["ldap_login_attr"]."=".$login.",".$config["ldap_base_dn"], $password)) { if (strlen($password) == 0 ||
!@ldap_bind($ds,
io_safe_output($config["ldap_login_attr"]) . "=" . $login . "," . io_safe_output($config["ldap_base_dn"]),
$password)) {
$config["auth_error"] = 'User not found in database or incorrect password'; $config["auth_error"] = 'User not found in database or incorrect password';
@ldap_close ($ds); @ldap_close ($ds);