[SUCS Devel] [Git][sucssite/sucs-site][beta] 2 commits: [login] filter out everything but A-Z a-z 0-9 . - _ from username
Imran Hussain (@imranh)
gitlab at projects.sucs.org
Thu May 4 20:49:09 BST 2023
Imran Hussain pushed to branch beta at sucssite / sucs-site
Commits:
7c7c9c20 by Imran Hussain at 2023-05-04T20:43:52+01:00
[login] filter out everything but A-Z a-z 0-9 . - _ from username
- - - - -
6d8b6ea7 by Imran Hussain at 2023-05-04T19:49:03+00:00
Merge branch 'master' into 'beta'
[login] filter out everything but A-Z a-z 0-9 . - _ from username
See merge request sucssite/sucs-site!129
- - - - -
2 changed files:
- lib/ldap-auth.php
- lib/session.php
Changes:
=====================================
lib/ldap-auth.php
=====================================
@@ -12,7 +12,7 @@ will return "nope" if the user/pass passed is inavlid
Example usage:
-include_once("ldap-auth.php");
+require "ldap-auth.php";
isAuthd = ldapAuth("usaername", "password");
@@ -29,6 +29,8 @@ if (isAuthd == "sucs"){
// we don't care about warnings, we write our own
error_reporting(E_ERROR | E_PARSE);
+define(LDAP_OPT_DIAGNOSTIC_MESSAGE, 0x0032);
+
function ldapAuth($username, $password)
{
@@ -45,24 +47,29 @@ function ldapAuth($username, $password)
$username = implode("@", $s);
}
+ // filter out everything but A-Z a-z 0-9 . - _ from username
+ $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $username);
+
+ // if safeusername isn't the same as username just error out
+ if ($safeusername != $username) {
+ return "nope";
+ }
+
// ldap servers
$sucsLDAPServer = 'silver.sucs.swan.ac.uk';
- $lisLDAPServer = 'ccs-suld1.swan.ac.uk';
-
- // lis auth stuffs
- $lisUsernameOu = substr($username, -1);
- $lisOtherOu = "Moved";
+ $issLDAPServer = '192.168.10.16';
// how to bind
- $sucsBindDn = "uid=$username,ou=People,dc=sucs,dc=org";
- $lisBindDn1 = "cn=$username,ou=$lisUsernameOu,ou=Students,ou=SWANSEA,o=SWANUNI";
- $lisBindDn2 = "cn=$username,ou=$lisOtherOu,ou=Students,ou=SWANSEA,o=SWANUNI";
+ $sucsBindDn = "uid=$safeusername,ou=People,dc=sucs,dc=org";
+ $issBindDn = "cn=$safeusername,ou=Students,ou=Active,ou=Resources,o=Swansea";
// Main auth
// Try and connect to silver
$ldapconnSUCS = ldap_connect($sucsLDAPServer) or die("Could not connect to SUCS LDAP server.");
+ ldap_set_option($ldapconnSUCS,LDAP_OPT_PROTOCOL_VERSION,3);
+
if ($ldapconnSUCS) {
//echo "Connected to $sucsLDAPServer <br>";
@@ -73,28 +80,28 @@ function ldapAuth($username, $password)
if ($ldapbindSUCS) {
//echo "Auth'd as $username using SUCS LDAP<br>";
return "sucs";
- // turns out they didn't give us valid sucs creds, lets try lis now
+ // turns out they didn't give us valid sucs creds, lets try iss now
} else {
- // try and connect to the lis ldap server
- $ldapconnLIS = ldap_connect($lisLDAPServer) or die("Could not connect to uni LDAP server.");
- //echo "Connected to $lisLDAPServer <br>";
+ // try and connect to the iss ldap server
+ $ldapconnISS = ldap_connect($issLDAPServer) or die("Could not connect to uni LDAP server.");
+ // echo "Connected to $issLDAPServer <br>";
+
+ ldap_set_option($ldapconnISS,LDAP_OPT_PROTOCOL_VERSION,3);
// lets try and bind to the uni ldap
- $ldapbindLIS1 = ldap_bind($ldapconnLIS, $lisBindDn1, $password);
- if ($ldapbindLIS1) {
- //echo "Auth'd as $username using uni LDAP using ou=$lisUsernameOu<br>";
+ $ldapbindiss = ldap_bind($ldapconnISS, $issBindDn, $password);
+
+ /*if (ldap_get_option($ldapconnISS, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
+ echo "Error Binding to LDAP: $extended_error";
+ }*/
+
+ if ($ldapbindiss) {
+ //echo "Auth'd as $username using uni LDAP using ou=$issUsernameOu<br>";
return "uni";
} else {
- $ldapbindLIS2 = ldap_bind($ldapconnLIS, $lisBindDn2, $password);
- if ($ldapbindLIS2) {
- //echo "Auth'd as $username using uni LDAP using ou=moved<br>";
- return "uni";
- // shit, couldn't bind to anything
- } else {
- //exit("Invalid Username or Password");
- return "nope";
- }
+ //exit("Invalid Username or Password");
+ return "nope";
}
}
}
=====================================
lib/session.php
=====================================
@@ -116,7 +116,15 @@ class Session
// Is this a login attempt ?
if ($submit != '' && $session_user != '' && $session_pass != '') {
- $this->session_init($session_user, $session_pass);
+ // filter out everything but A-Z a-z 0-9 . - _ from username
+ $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $session_user);
+ if ($safeusername != $session_user) {
+ trigger_error("Invalid username", E_USER_NOTICE);
+ $this->newsession();
+ return;
+ } elseif ($safeusername == $session_user) {
+ $this->session_init($safeusername, $session_pass);
+ }
}
// Retrieve session information
View it on GitLab: https://projects.sucs.org/sucssite/sucs-site/-/compare/7701a44783caaa5c6267144fd06747ffc7f4de17...6d8b6ea7192efa308646c1b7a6bec38ba2a4ad7f
--
View it on GitLab: https://projects.sucs.org/sucssite/sucs-site/-/compare/7701a44783caaa5c6267144fd06747ffc7f4de17...6d8b6ea7192efa308646c1b7a6bec38ba2a4ad7f
You're receiving this email because of your account on projects.sucs.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sucs.org/pipermail/devel/attachments/20230504/5291ee52/attachment-0001.html>
More information about the Devel
mailing list