- auto sync attachment topic flag [Bug #2949]

- corrected paths for templates stored in the db and filenames displayed in the template editor [Bug #3662] - removed some useless language strings [Bug #3648] - corrected escaping of usernames and passwords in auth modules [Bug #3696], added ldap_escape git-svn-id: file:///svn/phpbb/trunk@6266 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-08-07 01:06:48 +02:00 · 2006-08-12 01:58:58 +00:00
parent b5a6291fa5
commit b1ef984526
6 changed files with 32 additions and 16 deletions
--- a/phpBB/includes/acp/acp_styles.php
+++ b/phpBB/includes/acp/acp_styles.php
@@ -2355,7 +2355,7 @@ pagination_sep = \'{PAGINATION_SEP}\'
 				// heck of a lot of data ...
 				$sql_ary = array(
 					'template_id'			=> $style_id,
-					'template_filename'		=> "$template_path$pathfile$file",
+					'template_filename'		=> "$pathfile$file",
 					'template_included'		=> (isset($includes[$file])) ? implode(':', $includes[$file]) . ':' : '',
 					'template_mtime'		=> filemtime("{$phpbb_root_path}styles/$template_path$pathfile$file"),
 					'template_data'			=> file_get_contents("{$phpbb_root_path}styles/$template_path$pathfile$file"),
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@@ -121,6 +121,9 @@ function autologin_apache()

 	if (!empty($php_auth_user) && !empty($php_auth_pw))
 	{
+		set_var($php_auth_user, $php_auth_user, 'string');
+		set_var($php_auth_pw, $php_auth_pw, 'string');
+
 		$sql = 'SELECT *
 			FROM ' . USERS_TABLE . "
 			WHERE username = '" . $db->sql_escape($php_auth_user) . "'";
@@ -190,7 +193,15 @@ function user_row_apache($username, $password)
 */
 function validate_session_apache(&$user)
 {
-	return (isset($_SERVER['PHP_AUTH_USER']) && ($_SERVER['PHP_AUTH_USER'] === $user['username'])) ? true : false;
+	if (!isset($_SERVER['PHP_AUTH_USER']))
+	{
+		return false;
+	}
+
+	$php_auth_user = '';
+	set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string');
+
+	return ($php_auth_user === $user['username']) ? true : false;
 }

 ?>
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@@ -38,7 +38,7 @@ function init_ldap()
 	$search = @ldap_search(
 		$ldap,
 		$config['ldap_base_dn'],
-		'(' . $config['ldap_uid'] . '=' . $user->data['username'] . ')',
+		'(' . $config['ldap_uid'] . '=' . ldap_escape(html_entity_decode($user->data['username'])) . ')',
 		(empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
 		0,
 		1
@@ -53,17 +53,18 @@ function init_ldap()

 	@ldap_close($ldap);

+
+	if (!is_array($result) || sizeof($result) < 2)
+	{
+		return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
+	}
+
 	if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']]))
 	{
 		return $user->lang['LDAP_NO_EMAIL'];
 	}

-	if (is_array($result) && sizeof($result) > 1)
-	{
-		return false;
-	}
-
-	return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
+	return false;
 }

 /**
@@ -97,7 +98,7 @@ function login_ldap(&$username, &$password)
 	$search = @ldap_search(
 		$ldap,
 		$config['ldap_base_dn'],
-		'(' . $config['ldap_uid'] . '=' . $username . ')',
+		'(' . $config['ldap_uid'] . '=' . ldap_escape(html_entity_decode($username)) . ')',
 		(empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
 		0,
 		1
@@ -107,7 +108,7 @@ function login_ldap(&$username, &$password)

 	if (is_array($ldap_result) && sizeof($ldap_result) > 1)
 	{
-		if (@ldap_bind($ldap, $ldap_result[0]['dn'], $password))
+		if (@ldap_bind($ldap, $ldap_result[0]['dn'], html_entity_decode($password)))
 		{
 			@ldap_close($ldap);

@@ -198,6 +199,14 @@ function login_ldap(&$username, &$password)
 	);
 }

+/**
+* Escapes an LDAP AttributeValue
+*/
+function ldap_escape($string)
+{
+	return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string);
+}
+
 /**
 * This function is used to output any required fields in the authentication
 * admin panel. It also defines any required configuration table fields.
--- a/phpBB/includes/functions_admin.php
+++ b/phpBB/includes/functions_admin.php
@@ -465,6 +465,7 @@ function move_posts($post_ids, $topic_id, $auto_sync = true)
 		$forum_ids[] = $forum_row['forum_id'];

 		sync('topic_reported', 'topic_id', $topic_ids);
+		sync('topic_attachment', 'topic_id', $topic_ids);
 		sync('topic', 'topic_id', $topic_ids, true);
 		sync('forum', 'forum_id', $forum_ids, true);
 	}