Update of /cvsroot/phpwiki/phpwiki/lib/WikiUser
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv2118
Modified Files:
LDAP.php
Log Message:
Important! Fixes bug #1732882 ldap_bind with empty password
Adds diagnostics on other ldap failures
Fix password quoting
Index: LDAP.php
===================================================================
RCS file: /cvsroot/phpwiki/phpwiki/lib/WikiUser/LDAP.php,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -2 -b -p -d -r1.7 -r1.8
--- LDAP.php 30 May 2007 21:56:17 -0000 1.7
+++ LDAP.php 7 Jun 2007 16:31:33 -0000 1.8
@@ -1,5 +1,5 @@
<?php //-*-php-*-
rcs_id('$Id$');
-/* Copyright (C) 2004 $ThePhpWikiProgrammingTeam
+/* Copyright (C) 2004,2007 $ThePhpWikiProgrammingTeam
* This file is part of PhpWiki. Terms and Conditions see LICENSE. (GPL2)
*/
@@ -57,7 +57,15 @@ extends _PassUser
if (!$this->isValidName()) {
trigger_error(_("Invalid username."), E_USER_WARNING);
+ $this->_free();
return $this->_tryNextPass($submitted_password);
}
if (!$this->_checkPassLength($submitted_password)) {
+ $this->_free();
+ return WIKIAUTH_FORBIDDEN;
+ }
+ // A LDAP speciality: empty passwords are valid with ldap_bind!!!
+ if (strlen($password) == 0) {
+ trigger_error(_("Empty password not allowed for LDAP"),
E_USER_WARNING);
+ $this->_free();
return WIKIAUTH_FORBIDDEN;
}
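Review bot: The new empty-password guard tests `$password`, but in this method `$password` is only assigned further down, from `$submitted_password` in the quoting code, so at this point it is unset unless something above the hunk sets it (the diff does not show that); `strlen()` of an unset variable is 0, so the guard would fire for every login rather than only for empty ones, which fails closed but would block all LDAP logins. The check should use the parameter that was actually submitted: `if (strlen($submitted_password) == 0) {`. A short comment on why the guard is needed would also help the next reader, e.g. `// ldap_bind() with an empty password performs an anonymous bind and succeeds, so it must never reach the bind`. The enclosing checkPass body continues outside the hunk.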
@@ -74,4 +82,5 @@ extends _PassUser
: "uid=$userid";
if (!$this->_sr = ldap_search($ldap, LDAP_BASE_DN, $st_search)) {
+ trigger_error(_("Could not search in LDAP"), E_USER_WARNING);
$this->_free();
return $this->_tryNextPass($submitted_password);
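Review bot: The new "Could not search in LDAP" diagnostic does not say why the search failed, which is what an operator needs when the cause is a bad base DN, a rejected filter, or a server that requires a bound connection before searching; the server-side reason is available from the handle used on the line above. Consider `trigger_error(_("Could not search in LDAP") . ": " . ldap_error($ldap), E_USER_WARNING);`. Note that the filter `$st_search` is built from `$userid` by string interpolation here; that relies on isValidName() above restricting the characters, which the hunk does not show. The enclosing function starts and ends outside the hunk.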
@@ -79,4 +88,6 @@ extends _PassUser
$info = ldap_get_entries($ldap, $this->_sr);
if (empty($info["count"])) {
+ if (DEBUG)
+ trigger_error(_("User not found in LDAP"), E_USER_WARNING);
$this->_free();
return $this->_tryNextPass($submitted_password);
@@ -90,7 +101,11 @@ extends _PassUser
// Quoting is done by \xx (two-digit hexcode). * <=> \2a
// Handling '?' is unspecified
- $password =
preg_replace(array("/\*/","/\(/","/\)/","/\\/","/\0/"),
- array('\2a', '\28','\29', '\5c',
'\00'),
- $submitted_password);
+ $password = strtr($submitted_password,
+ array("*" => "\\2a",
+ "?" => "\\3f",
+ "(" => "\\28",
+ ")" => "\\29",
+ "\\" => "\\5c",
+ "\0" => "\\00"));
// On wrong password the ldap server will return:
// "Unable to bind to server: Server is unwilling to perform"
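Review bot: The quoting applied to `$password` here is LDAP search-filter escaping (RFC 4515 `\xx` form), but the comments in this hunk say the value is then used to bind, and a bind credential is sent as a raw octet string, not inside a filter; if `$password` goes only to ldap_bind() (the call is outside the hunk), a password containing `*`, `(`, `)`, `\` or `?` would be sent with the literal escape sequence and fail to bind. The new strtr() is the right fix for the old preg_replace chain, which re-escaped the backslashes it had just introduced, but that escaping belongs on values interpolated into the search filter such as `$userid`, not on the bind password. If the bind is indeed the only consumer, the line should become `$password = $submitted_password;` and the escaping table should be moved to where the filter is built. The enclosing checkPass body continues on both sides of the hunk.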
@@ -107,5 +122,12 @@ extends _PassUser
}
}
+ if (DEBUG)
+ trigger_error(_("Wrong password: ") .
+ str_repeat("*",strlen($submitted_password)),
+ E_USER_WARNING);
$this->_free();
+ } else {
+ $this->_free();
+ trigger_error(_("Could not connect to LDAP"), E_USER_WARNING);
}
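Review bot: The DEBUG "Wrong password" diagnostic echoes `str_repeat("*", strlen($submitted_password))`, which puts the exact length of the rejected password into the error log or, with display_errors on, into the page; the length is not useful for debugging and is information an attacker can use. Log the server's reason instead, which is what actually distinguishes a bad password from an unwilling server: `trigger_error(_("Wrong password: ") . ldap_error($ldap), E_USER_WARNING);`. The new else branch's "Could not connect to LDAP" would likewise benefit from appending `ldap_error($ldap)` if the handle is still valid there. The enclosing function continues outside the hunk.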
@@ -142,4 +164,5 @@ extends _PassUser
if ($info["count"] > 0) {
$this->_free();
+ UpgradeUser($GLOBALS['ForbiddenUser'], $this);
return true;
}
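Review bot: The added `UpgradeUser($GLOBALS['ForbiddenUser'], $this)` runs inside what looks like an existence check (the surrounding code only tests `$info["count"]`, no bind has happened here), and nothing in the hunk says what UpgradeUser changes on the global user; if it does more than swap the object's class (for instance carry over an auth level), doing it before any credential check would be a problem. A one-line comment stating the intent would settle this for the next reader, e.g. `// entry exists: swap the global user object to this LDAP class; no auth level is granted here` — adjust the wording if that is not what UpgradeUser does. The enclosing function starts and ends outside the hunk.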
@@ -156,4 +179,9 @@ extends _PassUser
// $Log$
+// Revision 1.8 2007/06/07 16:31:33 rurban
+// Important! Fixes bug #1732882 ldap_bind with empty password
+// Adds diagnostics on other ldap failures
+// Fix password quoting
+//
// Revision 1.7 2007/05/30 21:56:17 rurban
// Back to default uid for LDAP