[SUCS Devel] [Git][sucssite/sucs-site][beta] 2 commits: [login] filter out everything but A-Z a-z 0-9 . - _ from username

Imran Hussain (@imranh) gitlab at projects.sucs.org
Thu May 4 20:49:09 BST 2023



Imran Hussain pushed to branch beta at sucssite / sucs-site


Commits:
7c7c9c20 by Imran Hussain at 2023-05-04T20:43:52+01:00
[login] filter out everything but A-Z a-z 0-9 . - _ from username

- - - - -
6d8b6ea7 by Imran Hussain at 2023-05-04T19:49:03+00:00
Merge branch 'master' into 'beta'

[login] filter out everything but A-Z a-z 0-9 . - _ from username

See merge request sucssite/sucs-site!129
- - - - -


2 changed files:

- lib/ldap-auth.php
- lib/session.php


Changes:

=====================================
lib/ldap-auth.php
=====================================
@@ -12,7 +12,7 @@ will return "nope" if the user/pass passed is inavlid
 
 Example usage:
 
-include_once("ldap-auth.php");
+require "ldap-auth.php";
 
 isAuthd = ldapAuth("usaername", "password");
 
@@ -29,6 +29,8 @@ if (isAuthd == "sucs"){
 // we don't care about warnings, we write our own
 error_reporting(E_ERROR | E_PARSE);
 
+define(LDAP_OPT_DIAGNOSTIC_MESSAGE, 0x0032);
+
 function ldapAuth($username, $password)
 {
 
@@ -45,24 +47,29 @@ function ldapAuth($username, $password)
             $username = implode("@", $s);
         }
 
+        // filter out everything but A-Z a-z 0-9 . - _ from username
+        $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $username);
+
+        // if safeusername isn't the same as username just error out
+        if ($safeusername != $username) {
+            return "nope";
+        }
+
         // ldap servers
         $sucsLDAPServer = 'silver.sucs.swan.ac.uk';
-        $lisLDAPServer = 'ccs-suld1.swan.ac.uk';
-
-        // lis auth stuffs
-        $lisUsernameOu = substr($username, -1);
-        $lisOtherOu = "Moved";
+        $issLDAPServer = '192.168.10.16';
 
         // how to bind
-        $sucsBindDn = "uid=$username,ou=People,dc=sucs,dc=org";
-        $lisBindDn1 = "cn=$username,ou=$lisUsernameOu,ou=Students,ou=SWANSEA,o=SWANUNI";
-        $lisBindDn2 = "cn=$username,ou=$lisOtherOu,ou=Students,ou=SWANSEA,o=SWANUNI";
+        $sucsBindDn = "uid=$safeusername,ou=People,dc=sucs,dc=org";
+        $issBindDn = "cn=$safeusername,ou=Students,ou=Active,ou=Resources,o=Swansea";
 
         // Main auth
 
         // Try and connect to silver
         $ldapconnSUCS = ldap_connect($sucsLDAPServer) or die("Could not connect to SUCS LDAP server.");
 
+        ldap_set_option($ldapconnSUCS,LDAP_OPT_PROTOCOL_VERSION,3);
+
         if ($ldapconnSUCS) {
 
             //echo "Connected to $sucsLDAPServer <br>";
@@ -73,28 +80,28 @@ function ldapAuth($username, $password)
             if ($ldapbindSUCS) {
                 //echo "Auth'd as $username using SUCS LDAP<br>";
                 return "sucs";
-                // turns out they didn't give us valid sucs creds, lets try lis now
+                // turns out they didn't give us valid sucs creds, lets try iss now
             } else {
 
-                // try and connect to the lis ldap server
-                $ldapconnLIS = ldap_connect($lisLDAPServer) or die("Could not connect to uni LDAP server.");
-                //echo "Connected to $lisLDAPServer <br>";
+                // try and connect to the iss ldap server
+                $ldapconnISS = ldap_connect($issLDAPServer) or die("Could not connect to uni LDAP server.");
+                // echo "Connected to $issLDAPServer <br>";
+
+                ldap_set_option($ldapconnISS,LDAP_OPT_PROTOCOL_VERSION,3);
 
                 // lets try and bind to the uni ldap
-                $ldapbindLIS1 = ldap_bind($ldapconnLIS, $lisBindDn1, $password);
-                if ($ldapbindLIS1) {
-                    //echo "Auth'd as $username using uni LDAP using ou=$lisUsernameOu<br>";
+                $ldapbindiss = ldap_bind($ldapconnISS, $issBindDn, $password);
+
+                /*if (ldap_get_option($ldapconnISS, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
+                   echo "Error Binding to LDAP: $extended_error";
+                }*/
+
+                if ($ldapbindiss) {
+                    //echo "Auth'd as $username using uni LDAP using ou=$issUsernameOu<br>";
                     return "uni";
                 } else {
-                    $ldapbindLIS2 = ldap_bind($ldapconnLIS, $lisBindDn2, $password);
-                    if ($ldapbindLIS2) {
-                        //echo "Auth'd as $username using uni LDAP using ou=moved<br>";
-                        return "uni";
-                        // shit, couldn't bind to anything
-                    } else {
-                        //exit("Invalid Username or Password");
-                        return "nope";
-                    }
+                    //exit("Invalid Username or Password");
+                    return "nope";
                 }
             }
         }


=====================================
lib/session.php
=====================================
@@ -116,7 +116,15 @@ class Session
 
         // Is this a login attempt ?
         if ($submit != '' && $session_user != '' && $session_pass != '') {
-            $this->session_init($session_user, $session_pass);
+            // filter out everything but A-Z a-z 0-9 . - _ from username
+            $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $session_user);
+            if ($safeusername != $session_user) {
+                trigger_error("Invalid username", E_USER_NOTICE);
+                $this->newsession();
+                return;
+            } elseif ($safeusername == $session_user) {
+                $this->session_init($safeusername, $session_pass);
+            }
         }
 
         // Retrieve session information



View it on GitLab: https://projects.sucs.org/sucssite/sucs-site/-/compare/7701a44783caaa5c6267144fd06747ffc7f4de17...6d8b6ea7192efa308646c1b7a6bec38ba2a4ad7f

-- 
View it on GitLab: https://projects.sucs.org/sucssite/sucs-site/-/compare/7701a44783caaa5c6267144fd06747ffc7f4de17...6d8b6ea7192efa308646c1b7a6bec38ba2a4ad7f
You're receiving this email because of your account on projects.sucs.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sucs.org/pipermail/devel/attachments/20230504/5291ee52/attachment-0001.html>


More information about the Devel mailing list