
pukiwiki: Commit


Commit MetaInfo

Revision54d4acaf14e03c73cc19a27fee0b1c41edeaeb3b (tree)
Time2016-02-15 06:30:06
Authorumorigu <umorigu@gmai...>
Commiterumorigu

Log Message

BugTrack2/362 Escape LDAP search strings to prevent LDAP injection

LDAP escape function 'ldap_escape' is available only on PHP5.6+.
I implemented pkwk_ldap_escape_dn/filter functions for compatibility.

Change Summary

Incremental Difference

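--- a/lib/auth.php
+++ b/lib/auth.php
@@ -128,6 +128,28 @@ function pkwk_hash_compute($phrase = '', $scheme = '{x-php-md5}', $prefix = TRUE
 return $hash;
 }
 
+// LDAP related functions
+
+function _pkwk_ldap_escape_callback($matches) {
+ return sprintf('\\%02x', ord($matches[0]));
+}
+
+function pkwk_ldap_escape_filter($value) {
+ if (function_exists('ldap_escape')) {
+ return ldap_escape($value, false, LDAP_ESCAPE_FILTER);
+ }
+ return preg_replace_callback('/[\\\\*()\0]/',
+ '_pkwk_ldap_escape_callback', $value);
+}
+
+function pkwk_ldap_escape_dn($value) {
+ if (function_exists('ldap_escape')) {
+ return ldap_escape($value, false, LDAP_ESCAPE_DN);
+ }
+ return preg_replace_callback('/[\\\\,=+<>;"#]/',
+ '_pkwk_ldap_escape_callback', $value);
+}
+
 
 // Basic-auth related ----
 
@@ -342,7 +364,7 @@ function get_groups_from_username($user)
 $groups[] = $group;
 }
 }
- // Implecit group that has same name as user itself
+ // Implicit group that has same name as user itself
 $groups[] = $user;
 // 'valid-user' group for
 $valid_user = 'valid-user';
@@ -406,7 +428,8 @@ function ldap_auth($username, $password)
 ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
 if (preg_match('#\$login\b#', $ldap_bind_dn)) {
 // Bind by user credential
- $bind_dn_user = preg_replace('#\$login#', $username, $ldap_bind_dn);
+ $username_esc = pkwk_ldap_escape_dn($username);
+ $bind_dn_user = preg_replace('#\$login\b#', $username_esc, $ldap_bind_dn);
 $ldap_bind_user = ldap_bind($ldapconn, $bind_dn_user, $password);
 if ($ldap_bind_user) {
 $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn);
@@ -465,9 +488,13 @@ function ldap_get_simple_user_info($username)
 * @return boolean
 */
 function get_ldap_user_info($ldapconn, $username, $base_dn) {
- $filter = "(|(uid=$username)(sAMAccountName=$username))";
+ $username_esc = pkwk_ldap_escape_filter($username);
+ $filter = "(|(uid=$username_esc)(sAMAccountName=$username_esc))";
 $result1 = ldap_search($ldapconn, $base_dn, $filter, array('dn', 'uid', 'cn', 'samaccountname', 'displayname', 'mail'));
 $entries = ldap_get_entries($ldapconn, $result1);
+ if (!isset($entries[0])) {
+ return false;
+ }
 $info = $entries[0];
 if (isset($info['dn'])) {
 $user_dn = $info['dn'];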
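Review bot: In the ldap_auth hunk the escaped username is passed as the replacement argument of `preg_replace('#\$login\b#', $username_esc, $ldap_bind_dn)`, where PHP interprets `\N` and `$N` as group references, so an escape such as `\2c` is read as reference `\2` followed by `c` and the backslash escape does not reach the bind DN intact. Quote the replacement before it is used, e.g. `$bind_dn_user = preg_replace('#\$login\b#', addcslashes($username_esc, '\\$'), $ldap_bind_dn);`, or do the substitution through a callback. Separately, the fallback pattern in pkwk_ldap_escape_dn does not cover a leading or trailing space, which RFC 4514 requires to be escaped in a DN value, so its output should be compared against the native `ldap_escape` on the same inputs. ldap_auth and get_ldap_user_info both continue outside the visible hunks, so how `$user_dn` is used afterwards cannot be judged from here.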