do prevent empty password or invalid usernames in ldap authentification, fix...

do prevent empty password or invalid usernames in ldap authentification, fix ldap attribute syncronization

do prevent empty password or invalid usernames in ldap authentification, fix...
do prevent empty password or invalid usernames in ldap authentification, fix ldap attribute syncronization
cabb3e93 · Daniel Haag · 2bd139a4 · cabb3e93
Commit cabb3e93 authored Aug 25, 2014 by Daniel Haag
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 5 deletions

shared/code/tce_altauth.php shared/code/tce_altauth.php +19 -5

No files found.
--- a/shared/code/tce_altauth.php
+++ b/shared/code/tce_altauth.php
@@ -200,7 +200,6 @@ function F_altLogin() {
 			$ldapconn = ldap_connect(K_LDAP_HOST, K_LDAP_PORT);
 			ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, K_LDAP_PROTOCOL_VERSION);
 			ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); // recommended for W2K3
-			// bind anonymously and get dn for username.
 			if (K_LDAP_UTF8) {
 				$ldapusername = utf8_encode($_POST['xuser_name']);
 				$ldappassword = utf8_encode($_POST['xuser_password']);
@@ -208,26 +207,41 @@ function F_altLogin() {
 				$ldapusername = $_POST['xuser_name'];
 				$ldappassword = $_POST['xuser_password'];
 			}
+			// do not allow empty password or username with non alphanumeric chars.
+			if (
+				empty($ldapusername) OR
+				empty($ldappassword) OR
+				preg_match('/\x00/',$ldapusername) OR
+				preg_match('/\x00/',$ldappassword) OR
+				preg_match('/[^a-zA-Z0-9]/',$ldapusername)) {
+				return false;
+			}
 			$lbind = false;
 			if (K_LDAP_SYSTEM_DN && K_LDAP_SYSTEM_PW) {
+				// bind with system dn.
 				$lbind = ldap_bind($ldapconn, K_LDAP_SYSTEM_DN, K_LDAP_SYSTEM_PW);
 			} else {
+				// bind directly with the user supplied username and password.
 				$lbind = ldap_bind($ldapconn, $ldapusername, $ldappassword);
 			}
 			if ($lbind) {
 				// Search user on LDAP tree
-				sort($ldap_attr);
 				$ldap_filter = str_replace('#USERNAME#', $ldapusername, K_LDAP_FILTER);
-				if ($search = ldap_search($ldapconn, K_LDAP_BASE_DN, $ldap_filter, $ldap_attr)) {
+				if ($search = ldap_search($ldapconn, K_LDAP_BASE_DN, $ldap_filter, array_values($ldap_attr))) {
 					if ($rdns = ldap_get_entries($ldapconn, $search)) {
+						error_log(var_export($rdns,true));
 						if ( $rdns["count"] == 1 ) {
 							$rdn = $rdns[0];
 							if (ldap_bind($ldapconn, $rdn['dn'], $_POST['xuser_password'])) {
 								@ldap_unbind($ldapconn);
 								$usr = array();
 								foreach ($ldap_attr as $k => $v) {
-									if ((!empty($v)) AND isset($rdn[$v])) {
-										$usr[$k] = $rdn[$v];
+									if ((!empty($v)) AND array_key_exists($v,$rdn)) {
+										if (is_array($rdn[$v])) {
+											$usr[$k] = $rdn[$v][0];
+										} else {
+											$usr[$k] = $rdn[$v];
+										}
 									} else {
 										$usr[$k] = '';
 									}