fix returning unsanitized user-input

This commit is contained in:
ralf 2023-06-16 09:38:19 +02:00
parent f8ef7d5fe7
commit b234c4967b
3 changed files with 43 additions and 14 deletions

View File

@ -0,0 +1,26 @@
<?php
/**
* EGroupware API - Authentication Required Exceptions
*
* @link https://www.egroupware.org
* @author Ralf Becker <rb@egroupware.org>
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
* @package api
* @subpackage exception
* @access public
*/
namespace EGroupware\Api\Exception\NoPermission;
use EGroupware\Api\Exception\NoPermission;
/**
* User is not authenticated
*/
class AuthenticationRequired extends NoPermission
{
function __construct($msg=null, $code=401)
{
parent::__construct($msg,$code);
}
}

View File

@ -53,7 +53,11 @@ function try_lang($key,$vars=null)
function _egw_log_exception($e,&$headline=null)
{
$trace = explode("\n", $e->getTraceAsString());
if ($e instanceof Api\Exception\NoPermission)
if ($e instanceof Api\Exception\NoPermission\AuthenticationRequired)
{
$headline = try_lang('Unauthorized: Authentication required!');
}
elseif ($e instanceof Api\Exception\NoPermission)
{
$headline = try_lang('Permission denied!');
}
@ -105,6 +109,14 @@ function egw_exception_handler($e)
{
Api\Egw::redirect($e->url, $e->app);
}
elseif ($e instanceof Api\Exception\NoPermission\AuthenticationRequired)
{
header('WWW-Authenticate: Basic realm="'.$GLOBALS['egw_info']['flags']['auth_realm'] ?? 'EGroupware'.'"');
http_response_code(401);
echo "<html>\n<head>\n<title>401 Unauthorized</title>\n<body>\nAuthorization failed.\n</body>\n</html>\n";
_egw_log_exception($e);
exit;
}
// logging all exceptions to the error_log (if not cli) and get headline
$headline = null;
_egw_log_exception($e,$headline);

View File

@ -25,6 +25,7 @@ $GLOBALS['egw_info'] = array(
'currentapp' => 'calendar',
'noheader' => True,
'nofooter' => True,
'no_exception_handler' => 'basic_auth', // we use a basic auth exception handler (sends exception message as basic auth realm)
),
);
// check if we are already logged in
@ -45,16 +46,6 @@ if (!($logged_in = !empty(Api\Session::get_sessionid())))
}
include ('../header.inc.php');
function fail_exit($msg)
{
echo "<html>\n<head>\n<title>$msg</title>\n<meta http-equiv=\"content-type\" content=\"text/html; charset=".
Api\Translation::charset()."\" />\n</head>\n<body><h1>$msg</h1>\n</body>\n</html>\n";
header('WWW-Authenticate: Basic realm="'.($GLOBALS['egw_info']['flags']['auth_realm'] ?: 'EGroupware').'"');
http_response_code(401);
exit;
}
if (!$logged_in)
{
include ('../api/src/loader.php');
@ -84,7 +75,7 @@ elseif (isset($_GET['email']))
}
if ($user === false || !($username = $GLOBALS['egw']->accounts->id2name($user)))
{
fail_exit(lang("freebusy: unknown user '%1', wrong password or not available to not logged in users !!!"." $username($user)",$_GET['user']));
throw new Api\Exception\NoPermission\AuthenticationRequired(lang("freebusy: unknown user '%1', wrong password or not available to not logged in users !!!"." $username($user)", $_GET['user']));
}
if (!$logged_in)
{
@ -126,7 +117,7 @@ if (!$logged_in)
}
if (!$logged_in)
{
fail_exit(lang("freebusy: unknown user '%1', or not available for unauthenticated users!", $_GET['user']));
throw new Api\Exception\NoPermission\AuthenticationRequired(lang("freebusy: unknown user '%1', or not available for unauthenticated users!", $_GET['user']));
}
}
if ($_GET['debug'])