Posted to commits@vcl.apache.org by jf...@apache.org on 2011/10/25 19:16:01 UTC

svn commit: r1188806 - in /incubator/vcl/trunk/web/.ht-inc: authentication.php authmethods/ldapauth.php

Author: jfthomps
Date: Tue Oct 25 17:16:00 2011
New Revision: 1188806

URL: http://svn.apache.org/viewvc?rev=1188806&view=rev
Log:
VCL-486
Measures against cross site scripting on the Login form

applied code from diff in JIRA issue

authentication.php:
-modified printLoginPage - unset $_GET['userid'] if it is set so that a userid cannot be submitted via a normal href link; added call to stripslashes for $userid if magic quotes is enabled to allow single quotes in user names and added htmlspecialchars for $userid to prevent XSS attacks
-modified submitLogin - unset $_GET['userid'] if it is set so that a userid cannot be submitted via a normal href link; added call to stripslashes for $userid if magic quotes is enabled to allow single quotes in user names
-modified ldapLogin, validateLocalAccount - added $esc_userid that is $userid escaped with mysql_real_escape_string to prevent SQL injection attacks
-modified validateLocalAccount - added mysql_real_escape_string to $user to prevent SQL injection attacks
-modified addLoginLog - added mysql_real_escape_string to $user and $mech to prevent SQL injection attacks

ldapauth.php:
-modified addLDAPUser - added mysql_real_escape_string to $loweruserid to prevent SQL injection attacks
-modified updateLDAPUser - added $esc_userid that is $userid escaped with mysql_real_escape_string to prevent SQL injection attacks

Modified:
    incubator/vcl/trunk/web/.ht-inc/authentication.php
    incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php

Modified: incubator/vcl/trunk/web/.ht-inc/authentication.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authentication.php?rev=1188806&r1=1188805&r2=1188806&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authentication.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authentication.php Tue Oct 25 17:16:00 2011
@@ -233,6 +233,8 @@ function printLoginPage($servertimeout=0
 	$authtype = getContinuationVar("authtype", processInputVar("authtype", ARG_STRING));
 	if($authtype == '' && array_key_exists('VCLAUTHSEL', $_COOKIE))
 		$authtype = $_COOKIE['VCLAUTHSEL'];
+	if(isset($_GET['userid']))
+		unset($_GET['userid']);
 	$userid = processInputVar('userid', ARG_STRING, '');
 	if($userid == 'Proceed to Login')
 		$userid = '';
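Review bot: Unsetting `$_GET['userid']` on the two added lines does not remove the value from `$_REQUEST`, which PHP populates as a separate copy at request start, so if processInputVar() reads `$_REQUEST` (its definition is outside this diff) a userid supplied in a query string is still accepted. Clearing the key in both arrays, `unset($_GET['userid'], $_REQUEST['userid']);`, or having processInputVar() read only `$_POST` for this field, closes that gap. The same two added lines appear in the submitLogin hunk below and the same caveat applies there. printLoginPage's body continues outside the hunk.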
@@ -241,6 +243,9 @@ function printLoginPage($servertimeout=0
 		dbDisconnect();
 		exit;
 	}
+	if(get_magic_quotes_gpc())
+		$userid = stripslashes($userid);
+	$userid = htmlspecialchars($userid);
 	$extrafailedmsg = '';
 	if($servertimeout)
 		$extrafailedmsg = " (unable to connect to authentication server)";
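Review bot: `htmlspecialchars($userid)` with no flags does not encode single quotes (the default before PHP 5.4 is ENT_COMPAT), so if the login form echoes the value inside a single-quoted attribute the encoding is incomplete; `$userid = htmlspecialchars($userid, ENT_QUOTES, 'UTF-8');` covers both quote styles and pins the charset. Encoding the variable in place also means any later non-HTML use of `$userid` in this function sees the encoded form, so encoding at the point of output would be the safer convention. The function continues outside the hunk, so the output site is not visible here.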
@@ -326,14 +331,18 @@ function submitLogin() {
 		dbDisconnect();
 		exit;
 	}
+	if(isset($_GET['userid']))
+		unset($_GET['userid']);
 	$userid = processInputVar('userid', ARG_STRING, '');
 	$passwd = $_POST['password'];
 	if(empty($userid) || empty($passwd)) {
 		selectAuth();
 		return;
 	}
-	if(get_magic_quotes_gpc())
+	if(get_magic_quotes_gpc()) {
+		$userid = stripslashes($userid);
 		$passwd = stripslashes($passwd);
+	}
 	if($authMechs[$authtype]['type'] == 'ldap')
 		ldapLogin($authtype, $userid, $passwd);
 	elseif($authMechs[$authtype]['type'] == 'local')
@@ -356,6 +365,7 @@ function submitLogin() {
 ////////////////////////////////////////////////////////////////////////////////
 function ldapLogin($authtype, $userid, $passwd) {
 	global $HTMLheader, $printedHTMLheader, $authMechs, $phpVer;
+	$esc_userid = mysql_real_escape_string($userid);
 	if(! $fh = fsockopen($authMechs[$authtype]['server'], 636, $errno, $errstr, 5)) {
 		printLoginPageWithSkin($authtype, 1);
 		return;
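Review bot: `$esc_userid` is safe only inside a quoted SQL literal; the unescaped `$userid` is presumably still what this function passes to the LDAP bind or search further down (outside the hunk), and mysql_real_escape_string() does nothing for LDAP filter metacharacters, so that path needs its own escaping or an allow-list check on the userid format. mysql_real_escape_string() also requires an open MySQL link at the time it is called; if this line can run before the connection is established it returns false with a warning and the later query would silently match nothing, which is worth confirming against the connection setup. ldapLogin's body continues outside the hunk.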
@@ -443,7 +453,7 @@ function ldapLogin($authtype, $userid, $
 		// see if user in our db
 		$query = "SELECT id "
 		       . "FROM user "
-		       . "WHERE unityid = '$userid' AND "
+		       . "WHERE unityid = '$esc_userid' AND "
 		       .       "affiliationid = {$authMechs[$authtype]['affiliationid']}";
 		$qh = doQuery($query, 101);
 		if(! mysql_num_rows($qh)) {
@@ -522,6 +532,7 @@ function localLogin($userid, $passwd) {
 ///
 ////////////////////////////////////////////////////////////////////////////////
 function validateLocalAccount($user, $pass) {
+	$user = mysql_real_escape_string($user);
 	$query = "SELECT l.salt "
 	       . "FROM localauth l, "
 	       .      "user u, "
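Review bot: Overwriting `$user` with its escaped form at the top of validateLocalAccount means every later use of the parameter in this function, not only the SQL literal, sees the backslash-escaped string; if it is compared against stored data, mixed into the salted hash, or handed to addLoginLog() (which escapes its own argument again in the hunk below) a name containing a quote would be double-escaped or fail to match. Keeping the original and escaping into a separate variable, as ldapLogin does in this same commit, avoids that: `$esc_user = mysql_real_escape_string($user);` and use `$esc_user` in the query. The same in-place pattern is used for `$loweruserid` in the addLDAPUser hunk of ldapauth.php, where the escaped value may also flow into the user data that function returns. Both function bodies continue outside their hunks.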
@@ -565,6 +576,8 @@ function validateLocalAccount($user, $pa
 ///
 ////////////////////////////////////////////////////////////////////////////////
 function addLoginLog($login, $mech, $affiliationid, $passfail) {
+	$login = mysql_real_escape_string($login);
+	$mech = mysql_real_escape_string($mech);
 	$query = "INSERT INTO loginlog "
 	       .        "(user, "
 	       .        "authmech, "

Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php?rev=1188806&r1=1188805&r2=1188806&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php Tue Oct 25 17:16:00 2011
@@ -40,6 +40,7 @@ function addLDAPUser($authtype, $userid)
 		return NULL;
 
 	$loweruserid = strtolower($userid);
+	$loweruserid = mysql_real_escape_string($loweruserid);
 
 	# check for existance of an expired user if a numericid exists
 	if(array_key_exists('numericid', $data)) {
@@ -164,6 +165,7 @@ function validateLDAPUser($type, $logini
 ////////////////////////////////////////////////////////////////////////////////
 function updateLDAPUser($authtype, $userid) {
 	global $authMechs;
+	$esc_userid = mysql_real_escape_string($userid);
 	$userData = getLDAPUserData($authtype, $userid);
 	if(is_null($userData))
 		return NULL;
@@ -197,7 +199,7 @@ function updateLDAPUser($authtype, $user
 	   is_numeric($userData['numericid']))
 		$query .=   "u.uid = {$userData['numericid']}";
 	else {
-		$query .=   "u.unityid = '$userid' AND "
+		$query .=   "u.unityid = '$esc_userid' AND "
 		       .    "u.affiliationid = $affilid";
 	}
 	$qh = doQuery($query, 255);
@@ -211,7 +213,7 @@ function updateLDAPUser($authtype, $user
 		$user["email"] = $userData["email"];
 		$user["lastupdated"] = $now;
 		$query = "UPDATE user "
-		       . "SET unityid = '$userid', "
+		       . "SET unityid = '$esc_userid', "
 		       .     "firstname = '{$userData['first']}', "
 		       .     "lastname = '{$userData['last']}', "
 		       .     "email = '{$userData['email']}', "
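Review bot: `$userData['first']`, `$userData['last']` and `$userData['email']` are interpolated into the UPDATE unescaped on the three lines following the changed `unityid` line, so a directory entry whose surname contains an apostrophe breaks the statement, and if those attributes are writable by the account owner they are a second SQL injection path the commit does not cover. Escape each one the same way as the userid, e.g. `"firstname = '" . mysql_real_escape_string($userData['first']) . "', "`, or move the statement to a parameterised query. The same attribute values are presumably used in the INSERT path of addLDAPUser, which is outside this diff. updateLDAPUser's body continues outside the hunk.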
@@ -220,7 +222,7 @@ function updateLDAPUser($authtype, $user
 		   is_numeric($userData['numericid']))
 			$query .= "WHERE uid = {$userData['numericid']}";
 		else
-			$query .= "WHERE unityid = '$userid' AND "
+			$query .= "WHERE unityid = '$esc_userid' AND "
 			       .        "affiliationid = $affilid";
 		doQuery($query, 256, 'vcl', 1);
 	}