do prevent empty password or invalid usernames in ldap authentification, fix...

do prevent empty password or invalid usernames in ldap authentification, fix ldap attribute syncronization

do prevent empty password or invalid usernames in ldap authentification, fix...
do prevent empty password or invalid usernames in ldap authentification, fix ldap attribute syncronization
cabb3e93 · Daniel Haag · 2bd139a4 · cabb3e93
Commit cabb3e93 authored Aug 25, 2014 by Daniel Haag
--- a/shared/code/tce_altauth.php
+++ b/shared/code/tce_altauth.php
@@ -200,7 +200,6 @@ function F_altLogin() {
 			$ldapconn = ldap_connect(K_LDAP_HOST, K_LDAP_PORT);
 			ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, K_LDAP_PROTOCOL_VERSION);
 			ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); // recommended for W2K3
-			// bind anonymously and get dn for username.
 			if (K_LDAP_UTF8) {
 				$ldapusername = utf8_encode($_POST['xuser_name']);
 				$ldappassword = utf8_encode($_POST['xuser_password']);
@@ -208,26 +207,41 @@ function F_altLogin() {
 				$ldapusername = $_POST['xuser_name'];
 				$ldappassword = $_POST['xuser_password'];
 			}
+			// do not allow empty password or username with non alphanumeric chars.
+			if (
+				empty($ldapusername) OR
+				empty($ldappassword) OR
+				preg_match('/\x00/',$ldapusername) OR
+				preg_match('/\x00/',$ldappassword) OR
+				preg_match('/[^a-zA-Z0-9]/',$ldapusername)) {
+				return false;
+			}
 			$lbind = false;
 			if (K_LDAP_SYSTEM_DN && K_LDAP_SYSTEM_PW) {
+				// bind with system dn.
 				$lbind = ldap_bind($ldapconn, K_LDAP_SYSTEM_DN, K_LDAP_SYSTEM_PW);
 			} else {
+				// bind directly with the user supplied username and password.
 				$lbind = ldap_bind($ldapconn, $ldapusername, $ldappassword);
 			}
 			if ($lbind) {
 				// Search user on LDAP tree
-				sort($ldap_attr);
 				$ldap_filter = str_replace('#USERNAME#', $ldapusername, K_LDAP_FILTER);
-				if ($search = ldap_search($ldapconn, K_LDAP_BASE_DN, $ldap_filter, $ldap_attr)) {
+				if ($search = ldap_search($ldapconn, K_LDAP_BASE_DN, $ldap_filter, array_values($ldap_attr))) {
 					if ($rdns = ldap_get_entries($ldapconn, $search)) {
+						error_log(var_export($rdns,true));
 						if ( $rdns["count"] == 1 ) {
 							$rdn = $rdns[0];
 							if (ldap_bind($ldapconn, $rdn['dn'], $_POST['xuser_password'])) {
 								@ldap_unbind($ldapconn);
 								$usr = array();
 								foreach ($ldap_attr as $k => $v) {
-									if ((!empty($v)) AND isset($rdn[$v])) {
-										$usr[$k] = $rdn[$v];
+									if ((!empty($v)) AND array_key_exists($v,$rdn)) {
+										if (is_array($rdn[$v])) {
+											$usr[$k] = $rdn[$v][0];
+										} else {
+											$usr[$k] = $rdn[$v];
+										}
 									} else {
 										$usr[$k] = '';
 									}