From 48289a5fdda5c4d72711c2dd2b224568cc7be2bf Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Wed, 20 Jun 2007 06:55:59 +0000 Subject: [PATCH] - fixed handling of passwords with special chars - made handling of empty passwords more obvious - fixed primary group to use negative group-id - patch 889: support other apache mod_auth_* --- login.php | 9 +++++++-- phpgwapi/inc/class.auth_ldap.inc.php | 21 ++++++--------------- 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/login.php b/login.php index b5c2f91398..3b405771ba 100755 --- a/login.php +++ b/login.php @@ -84,6 +84,11 @@ /* Program starts here */ + // some apache mod_auth_* modules use REMOTE_USER instead of PHP_AUTH_USER, thanks to Sylvain Beucler + if ($GLOBALS['egw_info']['server']['auth_type'] == 'http' && !isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['REMOTE_USER'])) + { + $_SERVER['PHP_AUTH_USER'] = $_SERVER['REMOTE_USER']; + } if($GLOBALS['egw_info']['server']['auth_type'] == 'http' && isset($_SERVER['PHP_AUTH_USER'])) { $submit = True; @@ -93,12 +98,12 @@ } else { - $passwd = $_POST['passwd']; + $passwd = get_magic_quotes_gpc() ? stripslashes($_POST['passwd']) : $_POST['passwd']; $passwd_type = $_POST['passwd_type']; if($GLOBALS['egw_info']['server']['allow_cookie_auth']) { - $eGW_remember = explode('::::',stripslashes($_COOKIE['eGW_remember'])); + $eGW_remember = explode('::::',get_magic_quotes_gpc() ? stripslashes($_COOKIE['eGW_remember']) : $_COOKIE['eGW_remember']); if($eGW_remember[0] && $eGW_remember[1] && $eGW_remember[2]) { diff --git a/phpgwapi/inc/class.auth_ldap.inc.php b/phpgwapi/inc/class.auth_ldap.inc.php index 50be22c449..0dfdbba7dd 100644 --- a/phpgwapi/inc/class.auth_ldap.inc.php +++ b/phpgwapi/inc/class.auth_ldap.inc.php @@ -38,10 +38,6 @@ */ function authenticate($username, $passwd) { - if (ereg('[()|&=*,<>!~]',$username)) - { - return False; - } // allow non-ascii in username & password $username = $GLOBALS['egw']->translation->convert($username,$GLOBALS['egw']->translation->charset(),'utf-8'); $passwd = $GLOBALS['egw']->translation->convert($passwd,$GLOBALS['egw']->translation->charset(),'utf-8'); @@ -62,7 +58,7 @@ $attributes = array('uid','dn','givenName','sn','mail','uidNumber','gidNumber','shadowExpire'); $filter = $GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)'; - $filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),$filter); + $filter = str_replace(array('%user','%domain'),array(ldap::quote($username),$GLOBALS['egw_info']['user']['domain']),$filter); if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap') { @@ -84,16 +80,10 @@ return false; // account is expired } $userDN = $allValues[0]['dn']; - /* - generate a bogus password to pass if the user doesn't give us one - this gets around systems that are anonymous search enabled - */ - if (empty($passwd)) - { - $passwd = crypt(microtime()); - } + // try to bind as the user with user suplied password - if (@ldap_bind($ldap, $userDN, $passwd)) + // only if a non-empty password given, in case anonymous search is enabled + if (!empty($passwd) && @ldap_bind($ldap, $userDN, $passwd)) { if ($GLOBALS['egw_info']['server']['account_repository'] != 'ldap') { @@ -106,12 +96,13 @@ 'sn' => 'lastname', 'uidnumber' => 'account_id', 'mail' => 'email', - 'gidnumber' => 'primary_group', ) as $ldap_name => $acct_name) { $GLOBALS['auto_create_acct'][$acct_name] = $GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8'); } + // our group-ids are negative + $GLOBALS['auto_create_acct']['primary_group'] = -$allValues[0]['gidnumber'][0]; return True; } return ($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u')) &&