fix returning unsanitized user-input
This commit is contained in:
parent
f8ef7d5fe7
commit
b234c4967b
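--- /dev/null
+++ b/api/src/Exception/AuthenticationRequired/Admin.php
@@ -0,0 +1,26 @@
+<?php
+/**
+* EGroupware API - Authentication Required Exceptions
+*
+* @link https://www.egroupware.org
+* @author Ralf Becker <rb@egroupware.org>
+* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
+* @package api
+* @subpackage exception
+* @access public
+*/
+
+namespace EGroupware\Api\Exception\NoPermission;
+
+use EGroupware\Api\Exception\NoPermission;
+
+/**
+* User is not authenticated
+*/
+class AuthenticationRequired extends NoPermission
+{
+function __construct($msg=null, $code=401)
+{
+parent::__construct($msg,$code);
+}
+}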
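Review bot: `function __construct($msg=null, $code=401)` carries no visibility keyword, no parameter types and no docblock, so the one fact this class adds — that it maps to HTTP 401 — is visible only by reading the default; `public function __construct($msg = null, $code = 401)` preceded by a docblock such as `/** @param string|null $msg message passed to the parent exception (logged by _egw_log_exception)  @param int $code HTTP status, 401 Unauthorized */` would record it. The file header on this page names `api/src/Exception/AuthenticationRequired/Admin.php` while the code declares `namespace EGroupware\Api\Exception\NoPermission` and class `AuthenticationRequired`; if that path is real rather than a rendering artifact, a PSR-4 style autoloader would look for the class under `NoPermission/AuthenticationRequired.php` and the `instanceof` checks elsewhere in this commit would never match it — worth confirming against the repository.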
@ -53,7 +53,11 @@ function try_lang($key,$vars=null)
|
||||
function _egw_log_exception($e,&$headline=null)
|
||||
{
|
||||
$trace = explode("\n", $e->getTraceAsString());
|
||||
if ($e instanceof Api\Exception\NoPermission)
|
||||
if ($e instanceof Api\Exception\NoPermission\AuthenticationRequired)
|
||||
{
|
||||
$headline = try_lang('Unauthorized: Authentication required!');
|
||||
}
|
||||
elseif ($e instanceof Api\Exception\NoPermission)
|
||||
{
|
||||
$headline = try_lang('Permission denied!');
|
||||
}
|
||||
@ -105,6 +109,14 @@ function egw_exception_handler($e)
|
||||
{
|
||||
Api\Egw::redirect($e->url, $e->app);
|
||||
}
|
||||
elseif ($e instanceof Api\Exception\NoPermission\AuthenticationRequired)
|
||||
{
|
||||
header('WWW-Authenticate: Basic realm="'.$GLOBALS['egw_info']['flags']['auth_realm'] ?? 'EGroupware'.'"');
|
||||
http_response_code(401);
|
||||
echo "<html>\n<head>\n<title>401 Unauthorized</title>\n<body>\nAuthorization failed.\n</body>\n</html>\n";
|
||||
_egw_log_exception($e);
|
||||
exit;
|
||||
}
|
||||
// logging all exceptions to the error_log (if not cli) and get headline
|
||||
$headline = null;
|
||||
_egw_log_exception($e,$headline);
|
||||
|
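Review bot: The `WWW-Authenticate` header built at `header('WWW-Authenticate: Basic realm="'.$GLOBALS['egw_info']['flags']['auth_realm'] ?? 'EGroupware'.'"');` has a precedence bug: `.` binds tighter than `??`, so the left operand of `??` is the whole concatenated string, which is never null, and the header goes out as `Basic realm="<auth_realm>` with no closing quote; when `auth_realm` is unset the fallback is never used and PHP 8 emits an undefined-index warning instead. Parenthesise the fallback the way the removed `fail_exit` in the freebusy script did: `header('WWW-Authenticate: Basic realm="'.($GLOBALS['egw_info']['flags']['auth_realm'] ?? 'EGroupware').'"');`. Sending the fixed `Authorization failed.` body rather than the exception message is the right call here. The enclosing `egw_exception_handler` starts and ends outside this hunk.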
@ -25,6 +25,7 @@ $GLOBALS['egw_info'] = array(
|
||||
'currentapp' => 'calendar',
|
||||
'noheader' => True,
|
||||
'nofooter' => True,
|
||||
'no_exception_handler' => 'basic_auth', // we use a basic auth exception handler (sends exception message as basic auth realm)
|
||||
),
|
||||
);
|
||||
// check if we are already logged in
|
||||
@ -45,16 +46,6 @@ if (!($logged_in = !empty(Api\Session::get_sessionid())))
|
||||
}
|
||||
include ('../header.inc.php');
|
||||
|
||||
function fail_exit($msg)
|
||||
{
|
||||
echo "<html>\n<head>\n<title>$msg</title>\n<meta http-equiv=\"content-type\" content=\"text/html; charset=".
|
||||
Api\Translation::charset()."\" />\n</head>\n<body><h1>$msg</h1>\n</body>\n</html>\n";
|
||||
|
||||
header('WWW-Authenticate: Basic realm="'.($GLOBALS['egw_info']['flags']['auth_realm'] ?: 'EGroupware').'"');
|
||||
http_response_code(401);
|
||||
exit;
|
||||
}
|
||||
|
||||
if (!$logged_in)
|
||||
{
|
||||
include ('../api/src/loader.php');
|
||||
@ -84,7 +75,7 @@ elseif (isset($_GET['email']))
|
||||
}
|
||||
if ($user === false || !($username = $GLOBALS['egw']->accounts->id2name($user)))
|
||||
{
|
||||
fail_exit(lang("freebusy: unknown user '%1', wrong password or not available to not logged in users !!!"." $username($user)",$_GET['user']));
|
||||
throw new Api\Exception\NoPermission\AuthenticationRequired(lang("freebusy: unknown user '%1', wrong password or not available to not logged in users !!!"." $username($user)", $_GET['user']));
|
||||
}
|
||||
if (!$logged_in)
|
||||
{
|
||||
@ -126,7 +117,7 @@ if (!$logged_in)
|
||||
}
|
||||
if (!$logged_in)
|
||||
{
|
||||
fail_exit(lang("freebusy: unknown user '%1', or not available for unauthenticated users!", $_GET['user']));
|
||||
throw new Api\Exception\NoPermission\AuthenticationRequired(lang("freebusy: unknown user '%1', or not available for unauthenticated users!", $_GET['user']));
|
||||
}
|
||||
}
|
||||
if ($_GET['debug'])
|
||||
|
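Review bot: The two new throws, `throw new Api\Exception\NoPermission\AuthenticationRequired(lang("freebusy: unknown user '%1', ...", $_GET['user']))`, still build the exception message from the raw `$_GET['user']`, and the comment added on this file's flags line, `'no_exception_handler' => 'basic_auth', // ... (sends exception message as basic auth realm)`, states that this message is emitted as the `WWW-Authenticate` realm. If that handler path is taken (its code is not in this diff), the unsanitized parameter moves from the HTML body into a response header, where an embedded `"` breaks the quoted realm; the new `AuthenticationRequired` branch in `egw_exception_handler` avoids this only because it sends the configured realm and a fixed body. Safer to keep the client-supplied value out of the message, e.g. `throw new Api\Exception\NoPermission\AuthenticationRequired(lang("freebusy: unknown user, wrong password or not available to not logged in users!"));`, and log `$_GET['user']` separately if it is needed for diagnostics. The first throw also interpolates `$username($user)` although `$username` is never assigned when `$user === false` short-circuits the condition, which under PHP 8 produces a warning in the middle of error handling.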