mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-02-24 12:03:21 +01:00
Code Issues Releases Wiki Activity

Correct escaping/unescaping in the LDAP authentication plugin. #48175

Browse Source 
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9769 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Chris Smith 2009-07-17 13:21:03 +00:00
parent ab9715a9fe
commit 5f6db9584c
3 changed files with 29 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
phpBB/config.php
View File

@ -0,0 +1,17 @@
<?php
// phpBB 3.0.x auto-generated configuration file
// Do not change anything in this file!
$dbms = 'mysqli';
$dbhost = '';
$dbport = '';
$dbname = 'phpbb';
$dbuser = 'root';
$dbpasswd = 'testing';
$table_prefix = 'phpbb_';
$acm_type = 'file';
$load_extensions = '';
@define('PHPBB_INSTALLED', true);
@define('DEBUG', true);
@define('DEBUG_EXTRA', true);
?>

1
phpBB/docs/CHANGELOG.html
View File

@ -158,6 +158,7 @@
<li>[Fix] Fix &quot;Always show a scrollbar for short pages&quot; for IE8 and Firefox 3.5 (Bug #47865 - Patch by stokerpiller)</li> <li>[Fix] Fix &quot;Always show a scrollbar for short pages&quot; for IE8 and Firefox 3.5 (Bug #47865 - Patch by stokerpiller)</li>
<li>[Fix] Do not allow setting group as default group for pending user (Bug #45675 - Patch by nickvergessen)</li> <li>[Fix] Do not allow setting group as default group for pending user (Bug #45675 - Patch by nickvergessen)</li>
<li>[Fix] Fail gracefully if store folder is not writable during update. (Bugs #46615, #46945)</li> <li>[Fix] Fail gracefully if store folder is not writable during update. (Bugs #46615, #46945)</li>
<li>[Fix] Correct escaping/unescaping in the LDAP authentication plugin. (Bug #48175)</li>
<li>[Change] Change the data format of the default file ACM to be more secure from tampering and have better performance.</li> <li>[Change] Change the data format of the default file ACM to be more secure from tampering and have better performance.</li>
<li>[Change] Add index on log_time to the log table to prevent slowdown on boards with many log entries. (Bug #44665 - Patch by bantu)</li> <li>[Change] Add index on log_time to the log table to prevent slowdown on boards with many log entries. (Bug #44665 - Patch by bantu)</li>
<li>[Change] Template engine now permits to a limited extent variable includes.</li> <li>[Change] Template engine now permits to a limited extent variable includes.</li>

18
phpBB/includes/auth/auth_ldap.php
View File

@ -63,9 +63,11 @@ function init_ldap()
// ldap_connect only checks whether the specified server is valid, so the connection might still fail // ldap_connect only checks whether the specified server is valid, so the connection might still fail
$search = @ldap_search( $search = @ldap_search(
$ldap, $ldap,
$config['ldap_base_dn'], htmlspecialchars_decode($config['ldap_base_dn']),
ldap_user_filter($user->data['username']), ldap_user_filter($user->data['username']),
(empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']), (empty($config['ldap_email'])) ?
array(htmlspecialchars_decode($config['ldap_uid'])) :
array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])),
0, 0,
1 1
); );
@ -85,7 +87,7 @@ function init_ldap()
return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']); return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
} }
if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']])) if (!empty($config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($config['ldap_email'])]))
{ {
return $user->lang['LDAP_NO_EMAIL']; return $user->lang['LDAP_NO_EMAIL'];
} }
@ -152,7 +154,7 @@ function login_ldap(&$username, &$password)
if ($config['ldap_user'] || $config['ldap_password']) if ($config['ldap_user'] || $config['ldap_password'])
{ {
if (!@ldap_bind($ldap, $config['ldap_user'], htmlspecialchars_decode($config['ldap_password']))) if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password'])))
{ {
return $user->lang['LDAP_NO_SERVER_CONNECTION']; return $user->lang['LDAP_NO_SERVER_CONNECTION'];
} }
@ -160,9 +162,11 @@ function login_ldap(&$username, &$password)
$search = @ldap_search( $search = @ldap_search(
$ldap, $ldap,
$config['ldap_base_dn'], htmlspecialchars_decode($config['ldap_base_dn']),
ldap_user_filter($username), ldap_user_filter($username),
(empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']), (empty($config['ldap_email'])) ?
array(htmlspecialchars_decode($config['ldap_uid'])) :
array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])),
0, 0,
1 1
); );
@ -223,7 +227,7 @@ function login_ldap(&$username, &$password)
$ldap_user_row = array( $ldap_user_row = array(
'username' => $username, 'username' => $username,
'user_password' => phpbb_hash($password), 'user_password' => phpbb_hash($password),
'user_email' => (!empty($config['ldap_email'])) ? $ldap_result[0][$config['ldap_email']][0] : '', 'user_email' => (!empty($config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($config['ldap_email'])][0]) : '',
'group_id' => (int) $row['group_id'], 'group_id' => (int) $row['group_id'],
'user_type' => USER_NORMAL, 'user_type' => USER_NORMAL,
'user_ip' => $user->ip, 'user_ip' => $user->ip,