* Login: catch all exceptions in session creation, to NOT log user passwords, in case of (eg. database-)errors
This commit is contained in:
parent
3cc740d35e
commit
95553f514c
@ -40,6 +40,8 @@ class egw_session
|
|||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
* Write debug messages about session verification and creation to the error_log
|
* Write debug messages about session verification and creation to the error_log
|
||||||
|
*
|
||||||
|
* This will contain passwords! Don't leave it permanently switched on!
|
||||||
*/
|
*/
|
||||||
const ERROR_LOG_DEBUG = false;
|
const ERROR_LOG_DEBUG = false;
|
||||||
|
|
||||||
@ -441,10 +443,11 @@ class egw_session
|
|||||||
* @param boolean $no_session =false dont create a real session, eg. for GroupDAV clients using only basic auth, no cookie support
|
* @param boolean $no_session =false dont create a real session, eg. for GroupDAV clients using only basic auth, no cookie support
|
||||||
* @param boolean $auth_check =true if false, the user is loged in without checking his password (eg. for single sign on), default = true
|
* @param boolean $auth_check =true if false, the user is loged in without checking his password (eg. for single sign on), default = true
|
||||||
* @param boolean $fail_on_forced_password_change =false true: do NOT create session, if password change requested
|
* @param boolean $fail_on_forced_password_change =false true: do NOT create session, if password change requested
|
||||||
* @return string session id
|
* @return string|boolean session id or false if session was not created, $this->(cd_)reason contains cause
|
||||||
*/
|
*/
|
||||||
function create($login,$passwd = '',$passwd_type = '',$no_session=false,$auth_check=true,$fail_on_forced_password_change=false)
|
function create($login,$passwd = '',$passwd_type = '',$no_session=false,$auth_check=true,$fail_on_forced_password_change=false)
|
||||||
{
|
{
|
||||||
|
try {
|
||||||
if (is_array($login))
|
if (is_array($login))
|
||||||
{
|
{
|
||||||
$this->login = $login['login'];
|
$this->login = $login['login'];
|
||||||
@ -482,21 +485,6 @@ class egw_session
|
|||||||
elseif($this->account_domain != $GLOBALS['egw_info']['user']['domain'])
|
elseif($this->account_domain != $GLOBALS['egw_info']['user']['domain'])
|
||||||
{
|
{
|
||||||
throw new Exception("Wrong domain! '$this->account_domain' != '{$GLOBALS['egw_info']['user']['domain']}'");
|
throw new Exception("Wrong domain! '$this->account_domain' != '{$GLOBALS['egw_info']['user']['domain']}'");
|
||||||
/* $GLOBALS['egw']->ADOdb = null;
|
|
||||||
$GLOBALS['egw_info']['user']['domain'] = $this->account_domain;
|
|
||||||
// reset the db and all other (non-header!) egw_info/server data
|
|
||||||
$GLOBALS['egw_info']['server'] = array(
|
|
||||||
'sessions_type' => $GLOBALS['egw_info']['server']['sessions_type'],
|
|
||||||
'default_domain' => $GLOBALS['egw_info']['server']['default_domain'],
|
|
||||||
);
|
|
||||||
$GLOBALS['egw_info']['server']['db_host'] = $GLOBALS['egw_domain'][$this->account_domain]['db_host'];
|
|
||||||
$GLOBALS['egw_info']['server']['db_port'] = $GLOBALS['egw_domain'][$this->account_domain]['db_port'];
|
|
||||||
$GLOBALS['egw_info']['server']['db_name'] = $GLOBALS['egw_domain'][$this->account_domain]['db_name'];
|
|
||||||
$GLOBALS['egw_info']['server']['db_user'] = $GLOBALS['egw_domain'][$this->account_domain]['db_user'];
|
|
||||||
$GLOBALS['egw_info']['server']['db_pass'] = $GLOBALS['egw_domain'][$this->account_domain]['db_pass'];
|
|
||||||
$GLOBALS['egw_info']['server']['db_type'] = $GLOBALS['egw_domain'][$this->account_domain]['db_type'];
|
|
||||||
$GLOBALS['egw']->setup('',false);
|
|
||||||
*/
|
|
||||||
}
|
}
|
||||||
unset($GLOBALS['egw_info']['server']['default_domain']); // we kill this for security reasons
|
unset($GLOBALS['egw_info']['server']['default_domain']); // we kill this for security reasons
|
||||||
|
|
||||||
@ -632,6 +620,17 @@ class egw_session
|
|||||||
|
|
||||||
return $this->sessionid;
|
return $this->sessionid;
|
||||||
}
|
}
|
||||||
|
// catch all exceptions, as their (allways logged) trace (eg. on a database error) would contain the user password
|
||||||
|
catch(Exception $e) {
|
||||||
|
$this->reason = $this->cd_reason = $e->getMessage();
|
||||||
|
error_log(__METHOD__."('$login', ".array2string(str_repeat('*', strlen($passwd))).
|
||||||
|
", '$passwd_type', no_session=".array2string($no_session).
|
||||||
|
", auth_check=".array2string($auth_check).
|
||||||
|
", fail_on_forced_password_change=".array2string($fail_on_forced_password_change).
|
||||||
|
") Exception ".$e->getMessage());
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Store eGW specific session-vars
|
* Store eGW specific session-vars
|
||||||
|