From: Reini U. <ru...@us...> - 2004-06-04 12:40:31
Update of /cvsroot/phpwiki/phpwiki/lib In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv30285 Modified Files: IniConfig.php WikiUser.php WikiUserNew.php main.php Log Message: Restrict valid usernames to prevent from attacks against external auth or compromise possible holes. Fix various WikiUser old issues with default IMAP,LDAP,POP3 configs. Removed these. Fxied more warnings Index: IniConfig.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/IniConfig.php,v retrieving revision 1.29 retrieving revision 1.30 diff -u -2 -b -p -d -r1.29 -r1.30 --- IniConfig.php 4 Jun 2004 11:58:38 -0000 1.29 +++ IniConfig.php 4 Jun 2004 12:40:21 -0000 1.30 @@ -108,7 +108,9 @@ function IniConfig($file) { //} elseif (array_key_exists($item, $rsdef)) { // define($item, $rsdef[$item]); - // calculate them later: + // calculate them later or not at all: } elseif (in_array($item,array('DATABASE_PREFIX', 'SERVER_NAME', 'SERVER_PORT', - 'SCRIPT_NAME', 'DATA_PATH', 'PHPWIKI_DIR', 'VIRTUAL_PATH'))) { + 'SCRIPT_NAME', 'DATA_PATH', 'PHPWIKI_DIR', 'VIRTUAL_PATH', + 'LDAP_AUTH_HOST','IMAP_AUTH_HOST','POP3_AUTH_HOST'))) + { ; } else { @@ -214,4 +216,5 @@ function IniConfig($file) { // LDAP bind options global $LDAP_SET_OPTION; + if (isset($rs['LDAP_SET_OPTION'])) { $optlist = preg_split('/\s*:\s*/', @$rs['LDAP_SET_OPTION']); foreach ($optlist as $opt) { @@ -224,4 +227,5 @@ function IniConfig($file) { } } + } // Now it's the external DB authentication stuff's turn 
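Review bot: In the @@ -214 hunk the new `if (isset($rs['LDAP_SET_OPTION']))` guard makes the `@` on the following `preg_split('/\s*:\s*/', @$rs['LDAP_SET_OPTION'])` redundant, and the suppression now only hides genuine errors from that call. Drop it: `$optlist = preg_split('/\s*:\s*/', $rs['LDAP_SET_OPTION']);`. The opening `if` and its closing brace are split across the @@ -214 and @@ -224 hunks, so the body of the option loop is outside view.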
@@ -538,4 +542,6 @@ function fix_configs() { if (!defined('REQUIRE_SIGNIN_BEFORE_EDIT')) define('REQUIRE_SIGNIN_BEFORE_EDIT', ! ALLOW_ANON_EDIT); if (!defined('ALLOW_BOGO_LOGIN')) define('ALLOW_BOGO_LOGIN', true); + if (!defined('ALLOW_LDAP_LOGIN')) define('ALLOW_LDAP_LOGIN', defined('LDAP_AUTH_HOST')); + if (!defined('ALLOW_IMAP_LOGIN')) define('ALLOW_IMAP_LOGIN', defined('IMAP_AUTH_HOST')); if (ALLOW_USER_LOGIN and !empty($DBAuthParams) and empty($DBAuthParams['auth_dsn'])) { @@ -546,4 +552,10 @@ function fix_configs() { // $Log$ +// Revision 1.30 2004/06/04 12:40:21 rurban +// Restrict valid usernames to prevent from attacks against external auth or compromise +// possible holes. +// Fix various WikiUser old issues with default IMAP,LDAP,POP3 configs. Removed these. +// Fxied more warnings +// // Revision 1.29 2004/06/04 11:58:38 rurban // added USE_TAGLINES Index: WikiUser.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/WikiUser.php,v retrieving revision 1.56 retrieving revision 1.57 diff -u -2 -b -p -d -r1.56 -r1.57 --- WikiUser.php 3 Jun 2004 12:36:03 -0000 1.56 +++ WikiUser.php 4 Jun 2004 12:40:21 -0000 1.57 @@ -24,4 +24,7 @@ define('WIKIAUTH_ADMIN', 10); // Wiki A define('WIKIAUTH_UNOBTAINABLE', 100); // Permissions that no user can achieve +if (!defined('COOKIE_EXPIRATION_DAYS')) define('COOKIE_EXPIRATION_DAYS', 365); +if (!defined('COOKIE_DOMAIN')) define('COOKIE_DOMAIN', '/'); + $UserPreferences = array( 'userid' => new _UserPreference(''), // really store this also? @@ -36,5 +39,6 @@ $UserPreferences = array( 'editHeight' => new _UserPreference_int(22, 5, 80), 'timeOffset' => new _UserPreference_numeric(0, -26, 26), - 'relativeDates' => new _UserPreference_bool() + 'relativeDates' => new _UserPreference_bool(), + 'googleLink' => new _UserPreference_bool(), // 1.3.10 ); 
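Review bot: `define('COOKIE_DOMAIN', '/')` in the WikiUser.php @@ -24 hunk gives a constant named *domain* a path-shaped value; `/` is not a valid cookie domain, so either the fourth argument of `setCookieVar()` (used in main.php @@ -284) is really the cookie path and the name is misleading, or the default is wrong and the Set-Cookie header would carry an unusable Domain attribute. `setCookieVar()` is outside this diff, so please confirm which it is and either fix the value or add a comment on the define stating that it is passed as the path. The 365-day `COOKIE_EXPIRATION_DAYS` default also deserves a one-line comment on what the WIKI_ID cookie may be trusted for, since a long-lived cookie that carries the authenticated id is only safe if it is never accepted as proof of authentication by itself.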
@@ -158,4 +162,10 @@ class WikiUser { } + function isValidName ($userid = false) { + if (!$userid) + $userid = $this->_userid; + return preg_match("/^[\w\.@\-]+$/",$userid) and strlen($userid) < 32; + } + function AuthCheck ($postargs) { // Normalize args, and extract. @@ -174,4 +184,7 @@ class WikiUser { return false; // Nothing to do? + if (!$this->isValidName($userid)) + return _("Invalid username."); + $authlevel = $this->_pwcheck($userid, $passwd); if (!$authlevel) @@ -250,4 +263,8 @@ class WikiUser { // Check if we have the user. If not try other methods. if (ALLOW_USER_LOGIN) { // && !empty($passwd)) { + if (!$this->isValidName($userid)) { + trigger_error(_("Invalid username."), E_USER_WARNING); + return false; + } $request = $this->_request; // first check if the user is known @@ -257,5 +274,5 @@ class WikiUser { } else { // else try others such as LDAP authentication: - if (ALLOW_LDAP_LOGIN && !empty($passwd) && !strstr($userid,'*')) { + if (ALLOW_LDAP_LOGIN && defined(LDAP_AUTH_HOST) && !empty($passwd) && !strstr($userid,'*')) { if ($ldap = ldap_connect(LDAP_AUTH_HOST)) { // must be a valid LDAP server! $r = @ldap_bind($ldap); // this is an anonymous bind @@ -723,4 +740,10 @@ class UserPreferences { // $Log$ +// Revision 1.57 2004/06/04 12:40:21 rurban +// Restrict valid usernames to prevent from attacks against external auth or compromise +// possible holes. +// Fix various WikiUser old issues with default IMAP,LDAP,POP3 configs. Removed these. +// Fxied more warnings +// // Revision 1.56 2004/06/03 12:36:03 rurban // fix eval warning on signin Index: WikiUserNew.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/WikiUserNew.php,v retrieving revision 1.86 retrieving revision 1.87 diff -u -2 -b -p -d -r1.86 -r1.87 --- WikiUserNew.php 3 Jun 2004 18:06:29 -0000 1.86 +++ WikiUserNew.php 4 Jun 2004 12:40:21 -0000 1.87 
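Review bot: `preg_match("/^[\w\.@\-]+$/",$userid)` in the new `isValidName()` accepts a trailing newline, because PCRE's `$` also matches just before a final "\n", so a name such as "admin\n" passes the whitelist and reaches the external auth backends unchanged. Anchor with `\z` (or add the `D` modifier): `return preg_match("/^[\w\.@\-]+\z/", $userid) and strlen($userid) < 32;`. Separately, `if (!$userid)` treats the literal userid "0" as absent and silently substitutes `$this->_userid`; `if ($userid === false)` is the intended test. The same method is duplicated verbatim in WikiUserNew.php (@@ -524), so both copies need the fix, and a short comment there noting that the whitelist deliberately excludes LDAP filter metacharacters and mailbox-spec characters would record why the later backend guards rely on it.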
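Review bot: `defined(LDAP_AUTH_HOST)` in the @@ -257 hunk passes the constant's value rather than its name: when LDAP_AUTH_HOST is configured, `defined()` looks for a constant named after the host string and returns false, so LDAP login is disabled precisely when it is set up; when it is not configured, PHP falls back to the bare-word string with a notice. The line should read `if (ALLOW_LDAP_LOGIN && defined('LDAP_AUTH_HOST') && !empty($passwd) && !strstr($userid,'*')) {`. IniConfig.php @@ -538 already derives ALLOW_LDAP_LOGIN from the quoted form `defined('LDAP_AUTH_HOST')`, so the two checks can be kept consistent. The enclosing method continues outside the hunk.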
@@ -196,5 +196,5 @@ function _determineBogoUserOrPassUser($U if (_isUserPasswordsAllowed()) { // PassUsers override BogoUsers if a password is stored - if (isset($_BogoUser) and $_BogoUser->_prefs->get('passwd')) + if (isset($_BogoUser) and isset($_BogoUser->_prefs) and $_BogoUser->_prefs->get('passwd')) return new _PassUser($UserName,$_BogoUser->_prefs); else { @@ -524,4 +524,10 @@ class _WikiUser } + function isValidName ($userid = false) { + if (!$userid) + $userid = $this->_userid; + return preg_match("/^[\w\.@\-]+$/",$userid) and strlen($userid) < 32; + } + /** * Called on an auth_args POST request, such as login, logout or signin. @@ -547,12 +553,27 @@ class _WikiUser return false; // Nothing to do? + if (!$this->isValidName($userid)) + return _("Invalid username.");; + $authlevel = $this->checkPass($passwd === false ? '' : $passwd); - if (!$authlevel) { + if ($authlevel <= 0) { // anon or forbidden if ($passwd) return _("Invalid password."); else return _("Invalid password or userid."); - } elseif ($authlevel < $require_level) + } elseif ($authlevel < $require_level) { // auth ok, but not enough + if (!empty($this->_current_method) and strtolower(get_class($this)) == '_passuser') + { + // upgrade class + $class = "_" . $this->_current_method . "PassUser"; + $user = new $class($userid,$this->_prefs); + /*PHP5 patch*/$this = $user; + $this->_level = $authlevel; + return $user; + } + $this->_userid = $userid; + $this->_level = $authlevel; return _("Insufficient permissions."); + } // Successful login. @@ -823,4 +844,6 @@ extends _AnonUser //global $DBAuthParams, $DBParams; if ($UserName) { + if (!$this->isValidName($UserName)) + return false; $this->_userid = $UserName; if ($this->hasHomePage()) 
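Review bot: `/*PHP5 patch*/$this = $user;` in the upgrade-class branch of `AuthCheck()` (@@ -547) is a compile-time fatal error in PHP 5 ("Cannot re-assign $this"), so the whole file fails to load there, while in PHP 4 the assignment only rebinds the local `$this` and does not affect the caller's object. The branch also returns the new object where every other visible path returns an error string or `false`, so a caller that treats a non-false result as an error message receives an object instead. Record the result on `$this` and return a string, and let callers that need the upgraded object obtain it through the existing user-construction path, rather than rebinding `$this` here; also drop the stray `;;` after `return _("Invalid username.");`. `AuthCheck()` starts and ends outside this hunk.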
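Review bot: The `return false;` after the failed `isValidName($UserName)` check in the @@ -823 hunk appears to sit in a constructor (the surrounding code assigns `$this->_userid`, and the sibling hunks call `_PassUser::_PassUser($UserName)`), and PHP ignores a constructor's return value: `new` still yields an object, now with `_userid` never assigned, and the caller cannot distinguish a rejected name from a constructed user. Consider leaving an explicit marker the rest of the class can test, e.g. `$this->_userid = false;` before the return, with a comment such as `// invalid name: leave the user unusable; userExists()/checkPass() must fail`, so the later `isValidName()` guards in those methods are not the only line of defence. The same pattern appears in WikiUserNew.php hunks @@ -1477, @@ -1530 and @@ -1725.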
@@ -1363,5 +1386,5 @@ extends _PassUser // todo: older php's $username = $this->_http_username(); - if (empty($username) or $username != $this->_userid) { + if (empty($username) or strtolower($username) != strtolower($this->_userid)) { header('WWW-Authenticate: Basic realm="'.WIKI_NAME.'"'); header('HTTP/1.0 401 Unauthorized'); @@ -1477,4 +1500,8 @@ extends _PassUser if (!isset($this->_prefs->_method)) _PassUser::_PassUser($UserName); + elseif (!$this->isValidName($UserName)) { + trigger_error(_("Invalid username."),E_USER_WARNING); + return false; + } $this->_authmethod = 'Db'; //$this->getAuthDbh(); @@ -1530,4 +1557,8 @@ extends _DbPassUser if (!isset($this->_prefs->_method)) _PassUser::_PassUser($UserName); + elseif (!$this->isValidName($UserName)) { + trigger_error(_("Invalid username."), E_USER_WARNING); + return false; + } $this->_userid = $UserName; // make use of session data. generally we only initialize this every time, @@ -1599,4 +1630,7 @@ extends _DbPassUser return $this->_tryNextUser(); } + if (!$this->isValidName()) { + return $this->_tryNextUser(); + } $dbi =& $GLOBALS['request']->_dbi; // Prepare the configured auth statements @@ -1647,4 +1681,7 @@ extends _DbPassUser return $this->_tryNextPass($submitted_password); } + if (!$this->isValidName()) { + return $this->_tryNextPass($submitted_password); + } if (!isset($this->_authselect)) $this->userExists(); @@ -1679,4 +1716,7 @@ extends _DbPassUser function storePass($submitted_password) { + if (!$this->isValidName()) { + return false; + } $this->getAuthDbh(); $dbh = &$this->_auth_dbi; @@ -1725,4 +1765,8 @@ extends _DbPassUser _PassUser::_PassUser($UserName); } + if (!$this->isValidName($UserName)) { + trigger_error(_("Invalid username."),E_USER_WARNING); + return false; + } $this->_userid = $UserName; $this->getAuthDbh(); 
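Review bot: `strtolower($username) != strtolower($this->_userid)` in the @@ -1363 hunk still uses the loose `!=`, which compares numeric-looking strings as numbers: names such as `1e3` and `1000` are both accepted by `isValidName()` and compare equal here, so the HTTP Basic identity check can be satisfied by a different userid. Use strict comparison: `if (empty($username) or strtolower($username) !== strtolower($this->_userid)) {`. Making the match case-insensitive is also a policy change — if the user store is case-sensitive, `Admin` and `admin` become interchangeable at this check — so a comment stating that this is intended would help the next reader. The enclosing method continues outside the hunk.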
@@ -1794,4 +1838,7 @@ extends _DbPassUser return $this->_tryNextUser(); } + if (!$this->isValidName()) { + return $this->_tryNextUser(); + } $dbi =& $GLOBALS['request']->_dbi; if (empty($this->_authselect) and $dbi->getAuthParam('auth_check')) { @@ -1852,4 +1899,7 @@ extends _DbPassUser return $this->_tryNextPass($submitted_password); } + if (!$this->isValidName()) { + return $this->_tryNextPass($submitted_password); + } $dbh =& $this->_auth_dbi; $dbi =& $GLOBALS['request']->_dbi; @@ -1928,5 +1978,4 @@ extends _DbPassUser return $rs; } - } @@ -1944,4 +1993,7 @@ extends _PassUser $this->_authmethod = 'LDAP'; $userid = $this->_userid; + if (!$this->isValidName()) { + return $this->_tryNextPass($submitted_password); + } if (strstr($userid,'*')) { trigger_error(fmt("Invalid username '%s' for LDAP Auth",$userid),E_USER_WARNING); @@ -2047,4 +2099,7 @@ extends _PassUser { function checkPass($submitted_password) { + if (!$this->isValidName()) { + return $this->_tryNextPass($submitted_password); + } $userid = $this->_userid; $mbox = @imap_open( "{" . IMAP_AUTH_HOST . "}", @@ -2084,4 +2139,7 @@ extends _IMAPPassUser { */ function checkPass($submitted_password) { + if (!$this->isValidName()) { + return $this->_tryNextPass($submitted_password); + } $userid = $this->_userid; $pass = $submitted_password; @@ -2152,5 +2210,4 @@ extends _PassUser _PassUser::_PassUser($UserName); } - $this->_userid = $UserName; // read the .htaccess style file. We use our own copy of the standard pear class. @@ -2173,4 +2230,7 @@ extends _PassUser function userExists() { + if (!$this->isValidName()) { + return $this->_tryNextUser(); + } $this->_authmethod = 'File'; if (isset($this->_file->users[$this->_userid])) @@ -2181,4 +2241,7 @@ extends _PassUser function checkPass($submitted_password) { + if (!$this->isValidName()) { + return $this->_tryNextPass($submitted_password); + } //include_once 'lib/pear/File_Passwd.php'; if ($this->_file->verifyPassword($this->_userid, $submitted_password)) { 
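Review bot: In the LDAP `checkPass()` hunk (@@ -1944) the new `isValidName()` guard already rejects any userid containing `*`, so the following `if (strstr($userid,'*'))` branch with its `fmt("Invalid username '%s' for LDAP Auth", ...)` warning is now unreachable. Either remove it or keep it with a comment such as `// unreachable after isValidName(); kept as defence in depth against LDAP filter metacharacters` so it is not mistaken for a live check. The IMAP and POP3 `checkPass()` hunks (@@ -2047, @@ -2084) likewise now depend on the whitelist to keep mailbox-spec characters out of the userid, which is worth noting in a comment beside the guard. The enclosing methods continue outside the hunks.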
@@ -2192,4 +2255,7 @@ extends _PassUser function storePass($submitted_password) { + if (!$this->isValidName()) { + return false; + } if ($this->_may_change) { $this->_file = new File_Passwd($this->_file->_filename, true, $this->_file->_filename.'.lock'); @@ -2231,6 +2297,6 @@ extends _PassUser $stored_password = ADMIN_PASSWD; else { + return $this->_tryNextPass($submitted_password); // TODO: safety check if really member of the ADMIN group? - $stored_password = $this->_pref->get('passwd'); } @@ -2921,4 +2987,10 @@ extends UserPreferences // $Log$ +// Revision 1.87 2004/06/04 12:40:21 rurban +// Restrict valid usernames to prevent from attacks against external auth or compromise +// possible holes. +// Fix various WikiUser old issues with default IMAP,LDAP,POP3 configs. Removed these. +// Fxied more warnings +// // Revision 1.86 2004/06/03 18:06:29 rurban // fix file locking issues (only needed on write) Index: main.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/main.php,v retrieving revision 1.156 retrieving revision 1.157 diff -u -2 -b -p -d -r1.156 -r1.157 --- main.php 3 Jun 2004 17:58:16 -0000 1.156 +++ main.php 4 Jun 2004 12:40:21 -0000 1.157 @@ -83,5 +83,5 @@ $this->version = phpwiki_version(); function initializeLang () { $user_lang = $this->getPref('lang'); - $_lang = $this->_prefs->_prefs['lang']; + $_lang = @$this->_prefs->_prefs['lang']; //check changed LANG and THEME inside a session. // (e.g. by using another baseurl) @@ -105,5 +105,5 @@ $this->version = phpwiki_version(); // Load theme $user_theme = $this->getPref('theme'); - $_theme = $this->_prefs->_prefs['theme']; + $_theme = @$this->_prefs->_prefs['theme']; //check changed LANG and THEME inside a session. // (e.g. by using another baseurl) 
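Review bot: `@$this->_prefs->_prefs['lang']` in the main.php @@ -83 hunk (and `@$this->_prefs->_prefs['theme']` in @@ -105) silences every error from the expression — a null `$this->_prefs`, a missing property, not just the undefined-index notice the change is aimed at. Test for the value explicitly so real breakage stays visible: `$_lang = isset($this->_prefs->_prefs['lang']) ? $this->_prefs->_prefs['lang'] : null;`, with the fallback chosen to match what the comparison further down expects, which is outside the hunk.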
@@ -284,5 +284,6 @@ $this->version = phpwiki_version(); $this->_user = $user; define('MAIN_setUser',true); - $this->setCookieVar('WIKI_ID', $user->getAuthenticatedId(), COOKIE_EXPIRATION_DAYS, COOKIE_DOMAIN); + $this->setCookieVar('WIKI_ID', $user->getAuthenticatedId(), + COOKIE_EXPIRATION_DAYS, COOKIE_DOMAIN); $this->setSessionVar('wiki_user', $user); if ($user->isSignedIn()) @@ -290,5 +291,5 @@ $this->version = phpwiki_version(); // Save userid to prefs.. - if ( ! $this->_user->_prefs ) { + if ( empty($this->_user->_prefs)) { $this->_user->_prefs = $this->_user->getPreferences(); $this->_prefs =& $this->_user->_prefs; @@ -990,4 +991,10 @@ main(); // $Log$ +// Revision 1.157 2004/06/04 12:40:21 rurban +// Restrict valid usernames to prevent from attacks against external auth or compromise +// possible holes. +// Fix various WikiUser old issues with default IMAP,LDAP,POP3 configs. Removed these. +// Fxied more warnings +// // Revision 1.156 2004/06/03 17:58:16 rurban // support immediate LANG and THEME switch inside a session |
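Review bot: The WIKI_ID cookie set in the @@ -284 hunk carries the bare authenticated id for COOKIE_EXPIRATION_DAYS (365 days by the new default in WikiUser.php), with no signature or server-side token visible at this call. That is acceptable only if the cookie is used as a remembered-name hint and never as proof of authentication on its own; which of the two applies depends on the code that reads WIKI_ID, which is outside this diff. Please add a comment at the call stating the intent, e.g. `// WIKI_ID only pre-fills the sign-in form; authentication state lives in the session (wiki_user)` if that is accurate, and otherwise shorten the lifetime.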