From 191bb90af90d4b063435ee55d67082e7453ed1fb Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 13 Nov 2009 11:22:49 +0100 Subject: [PATCH] Added group and user sanitation Ignore-this: 26392125523d2c822580346074330ebe darcs-hash:20091113102249-7ad00-4cede040a940d739bd34d548e12956e8d8609cfa.gz --- inc/auth.php | 13 +++++++------ inc/auth/basic.class.php | 42 +++++++++++++++++++++++++++++++++++++++++- inc/auth/plain.class.php | 16 ++++++++++++++++ 3 files changed, 64 insertions(+), 7 deletions(-) diff --git a/inc/auth.php b/inc/auth.php index 7dd7eb557..6157ac892 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -74,6 +74,9 @@ if($conf['useacl']){ $_REQUEST['http_credentials'] = true; } + // apply cleaning + $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']); + if(isset($_REQUEST['authtok'])){ // when an authentication token is given, trust the session auth_validateToken($_REQUEST['authtok']); @@ -90,13 +93,10 @@ if($conf['useacl']){ $evt = new Doku_Event('AUTH_LOGIN_CHECK',$evdata); if($evt->advise_before()){ auth_login($evdata['user'], - $evdata['password'], - $evdata['sticky'], - $evdata['silent']); + $evdata['password'], + $evdata['sticky'], + $evdata['silent']); } - $evt->advise_after(); - unset($evt); - unset($evdata); } } @@ -104,6 +104,7 @@ if($conf['useacl']){ global $AUTH_ACL; if(is_readable(DOKU_CONF.'acl.auth.php')){ $AUTH_ACL = file(DOKU_CONF.'acl.auth.php'); + //support user wildcard if(isset($_SERVER['REMOTE_USER'])){ $AUTH_ACL = str_replace('%USER%',$_SERVER['REMOTE_USER'],$AUTH_ACL); $AUTH_ACL = str_replace('@USER@',$_SERVER['REMOTE_USER'],$AUTH_ACL); //legacy diff --git a/inc/auth/basic.class.php b/inc/auth/basic.class.php index 5af70a47a..a1f77dea5 100644 --- a/inc/auth/basic.class.php +++ b/inc/auth/basic.class.php @@ -128,7 +128,7 @@ class auth_basic { * only be needed when trustExternal is implemented. * * @see auth_logoff() - * @author Andreas Gohr + * @author Andreas Gohr */ function logOff(){ } @@ -322,6 +322,46 @@ class auth_basic { return array(); } + /** + * Sanitize a given username [OPTIONAL] + * + * This function is applied to any user name that is given to + * the backend and should also be applied to any user name within + * the backend before returning it somewhere. + * + * This should be used to enforce username restrictions. Eg. when + * the backend is case insensitive all usernames should be lowercased + * here. + * + * @author Andreas Gohr + * @param string $user - username + * @param string - the cleaned username + */ + function cleanUser($user){ + return $user; + } + + /** + * Sanitize a given groupname [OPTIONAL] + * + * This function is applied to any groupname that is given to + * the backend and should also be applied to any groupname within + * the backend before returning it somewhere. + * + * This should be used to enforce groupname restrictions. Eg. when + * the backend is case insensitive all groupames should be lowercased + * here. + * + * Groupnames are to be passed without a leading '@' here. + * + * @author Andreas Gohr + * @param string $group - groupname + * @param string - the cleaned groupname + */ + function cleanGroup($group){ + return $group; + } + /** * Check Session Cache validity [implement only where required/possible] diff --git a/inc/auth/plain.class.php b/inc/auth/plain.class.php index 68976287a..0ff18d58a 100644 --- a/inc/auth/plain.class.php +++ b/inc/auth/plain.class.php @@ -261,6 +261,22 @@ class auth_plain extends auth_basic { } /** + * Only valid pageid's (no namespaces) for usernames + */ + function cleanUser($user){ + global $conf; + return cleanID(str_replace(':',$conf['sepchar'],$user)); + } + + /** + * Only valid pageid's (no namespaces) for groupnames + */ + function cleanGroup($user){ + global $conf; + return cleanID(str_replace(':',$conf['sepchar'],$group)); + } + + /** * Load all user data * * loads the user file into a datastructure -- 2.11.4.GIT