Posted to commits@vcl.apache.org by jf...@apache.org on 2011/10/25 19:16:01 UTC
svn commit: r1188806 - in /incubator/vcl/trunk/web/.ht-inc:
authentication.php authmethods/ldapauth.php
Author: jfthomps
Date: Tue Oct 25 17:16:00 2011
New Revision: 1188806
URL: http://svn.apache.org/viewvc?rev=1188806&view=rev
Log:
VCL-486
Measures against cross site scripting on the Login form
applied code from diff in JIRA issue
authentication.php:
-modified printLoginPage - unset $_GET['userid'] if it is set so that a userid cannot be submitted via a normal href link; added call to stripslashes for $userid if magic quotes is enabled to allow single quotes in user names and added htmlspecialchars for $userid to prevent XSS attacks
-modified submitLogin - unset $_GET['userid'] if it is set so that a userid cannot be submitted via a normal href link; added call to stripslashes for $userid if magic quotes is enabled to allow single quotes in user names
-modified ldapLogin, validateLocalAccount - added $esc_userid that is $userid escaped with mysql_real_escape_string to prevent SQL injection attacks
-modified validateLocalAccount - added mysql_real_escape_string to $user to prevent SQL injection attacks
-modified addLoginLog - added mysql_real_escape_string to $login and $mech to prevent SQL injection attacks
ldapauth.php:
-modified addLDAPUser - added mysql_real_escape_string to $loweruserid to prevent SQL injection attacks
-modified updateLDAPUser - added $esc_userid that is $userid escaped with mysql_real_escape_string to prevent SQL injection attacks
Modified:
incubator/vcl/trunk/web/.ht-inc/authentication.php
incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php
Modified: incubator/vcl/trunk/web/.ht-inc/authentication.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authentication.php?rev=1188806&r1=1188805&r2=1188806&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authentication.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authentication.php Tue Oct 25 17:16:00 2011
@@ -233,6 +233,8 @@ function printLoginPage($servertimeout=0
$authtype = getContinuationVar("authtype", processInputVar("authtype", ARG_STRING));
if($authtype == '' && array_key_exists('VCLAUTHSEL', $_COOKIE))
$authtype = $_COOKIE['VCLAUTHSEL'];
+ if(isset($_GET['userid']))
+ unset($_GET['userid']);
$userid = processInputVar('userid', ARG_STRING, '');
if($userid == 'Proceed to Login')
$userid = '';
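Review bot: Unsetting only `$_GET['userid']` in the two added lines does not remove the value from `$_REQUEST`, which PHP populates separately at request start, so if processInputVar falls back to `$_REQUEST` a userid supplied via a plain link still reaches the form; processInputVar's source is not visible in this hunk, so that needs confirming. If it does read `$_REQUEST`, drop the value from both superglobals while keeping a POSTed one: `unset($_GET['userid']);` followed by `if(! isset($_POST['userid'])) unset($_REQUEST['userid']);`. A one-line comment such as `// userid must come from the POSTed form, never from a link` would also record why the unset is here. printLoginPage starts and ends outside this hunk.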
@@ -241,6 +243,9 @@ function printLoginPage($servertimeout=0
dbDisconnect();
exit;
}
+ if(get_magic_quotes_gpc())
+ $userid = stripslashes($userid);
+ $userid = htmlspecialchars($userid);
$extrafailedmsg = '';
if($servertimeout)
$extrafailedmsg = " (unable to connect to authentication server)";
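Review bot: `$userid = htmlspecialchars($userid);` uses the default flags, which in PHP 5 are ENT_COMPAT and leave the single quote untouched — the very character the preceding stripslashes call is there to admit — so if the value is later echoed inside a single-quoted attribute (`value='...'`) this does not close the XSS. Make the flags explicit: `$userid = htmlspecialchars($userid, ENT_QUOTES, 'UTF-8');` (adding ENT_SUBSTITUTE on PHP ≥ 5.4 so an invalid byte sequence yields U+FFFD rather than an empty string). Escaping at this point also commits every later use of $userid in the function to HTML context; if it is also placed in a JavaScript string or a URL further down, those contexts need their own encoding. printLoginPage continues outside this hunk.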
@@ -326,14 +331,18 @@ function submitLogin() {
dbDisconnect();
exit;
}
+ if(isset($_GET['userid']))
+ unset($_GET['userid']);
$userid = processInputVar('userid', ARG_STRING, '');
$passwd = $_POST['password'];
if(empty($userid) || empty($passwd)) {
selectAuth();
return;
}
- if(get_magic_quotes_gpc())
+ if(get_magic_quotes_gpc()) {
+ $userid = stripslashes($userid);
$passwd = stripslashes($passwd);
+ }
if($authMechs[$authtype]['type'] == 'ldap')
ldapLogin($authtype, $userid, $passwd);
elseif($authMechs[$authtype]['type'] == 'local')
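Review bot: The added `unset($_GET['userid'])` only achieves its goal if processInputVar reads `$_GET`/`$_POST` rather than `$_REQUEST`, which this hunk cannot show; a request-method check at the top of submitLogin guarantees the login is only ever processed from a POSTed form regardless of how the helper is implemented, e.g. `if($_SERVER['REQUEST_METHOD'] !== 'POST') { selectAuth(); return; }`, mirroring the existing empty-field branch. `$passwd = $_POST['password'];` already assumes POST, so the check would also make the two reads consistent and avoid an undefined-index notice on a GET. Note that `get_magic_quotes_gpc()` always returns false from PHP 5.4 on and was removed in 7.4, so the stripslashes branch is dead on any supported PHP and is a candidate for removal. submitLogin starts outside this hunk.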
@@ -356,6 +365,7 @@ function submitLogin() {
////////////////////////////////////////////////////////////////////////////////
function ldapLogin($authtype, $userid, $passwd) {
global $HTMLheader, $printedHTMLheader, $authMechs, $phpVer;
+ $esc_userid = mysql_real_escape_string($userid);
if(! $fh = fsockopen($authMechs[$authtype]['server'], 636, $errno, $errstr, 5)) {
printLoginPageWithSkin($authtype, 1);
return;
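Review bot: `$esc_userid = mysql_real_escape_string($userid);` is evaluated before anything else and its result is never checked; mysql_real_escape_string needs an open MySQL link and returns false (with a warning) when it cannot obtain one, and false interpolates as an empty string, so the later `unityid = '$esc_userid'` would silently look up an empty unityid instead of failing closed. The dbDisconnect() calls elsewhere in this commit suggest a link is normally open here, but it is cheap to be explicit: compute the escaped form immediately before the query that uses it and `return` if it is `=== false`. Separately, this hunk escapes $userid for SQL only; the same string is presumably placed in an LDAP bind DN or search filter further down (outside this hunk), which needs its own RFC 4515 escaping of `\`, `*`, `(`, `)` and NUL — SQL escaping does not cover that sink. ldapLogin continues outside this hunk.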
@@ -443,7 +453,7 @@ function ldapLogin($authtype, $userid, $
// see if user in our db
$query = "SELECT id "
. "FROM user "
- . "WHERE unityid = '$userid' AND "
+ . "WHERE unityid = '$esc_userid' AND "
. "affiliationid = {$authMechs[$authtype]['affiliationid']}";
$qh = doQuery($query, 101);
if(! mysql_num_rows($qh)) {
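Review bot: `WHERE unityid = '$esc_userid'` is only as safe as mysql_real_escape_string's knowledge of the connection character set (it is bypassable under some multibyte charsets when the charset is changed with SET NAMES), and the mysql_* extension it depends on was deprecated in PHP 5.5 and removed in 7.0. The durable fix is a prepared statement through mysqli or PDO (`WHERE unityid = ? AND affiliationid = ?`), which also removes the need for a separate escaped copy of the user id. `{$authMechs[$authtype]['affiliationid']}` is interpolated unquoted; if it comes from the admin-controlled authMechs configuration that is acceptable, but an `(int)` cast would cost nothing. ldapLogin starts and ends outside this hunk.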
@@ -522,6 +532,7 @@ function localLogin($userid, $passwd) {
///
////////////////////////////////////////////////////////////////////////////////
function validateLocalAccount($user, $pass) {
+ $user = mysql_real_escape_string($user);
$query = "SELECT l.salt "
. "FROM localauth l, "
. "user u, "
@@ -565,6 +576,8 @@ function validateLocalAccount($user, $pa
///
////////////////////////////////////////////////////////////////////////////////
function addLoginLog($login, $mech, $affiliationid, $passfail) {
+ $login = mysql_real_escape_string($login);
+ $mech = mysql_real_escape_string($mech);
$query = "INSERT INTO loginlog "
. "(user, "
. "authmech, "
Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php?rev=1188806&r1=1188805&r2=1188806&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php Tue Oct 25 17:16:00 2011
@@ -40,6 +40,7 @@ function addLDAPUser($authtype, $userid)
return NULL;
$loweruserid = strtolower($userid);
+ $loweruserid = mysql_real_escape_string($loweruserid);
# check for existance of an expired user if a numericid exists
if(array_key_exists('numericid', $data)) {
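Review bot: `$loweruserid = mysql_real_escape_string($loweruserid);` reuses the variable holding the plain lower-cased id, so any later non-SQL use in addLDAPUser (storing it in the returned user array, comparing it, or handing it to another function that escapes again) receives the escaped text; updateLDAPUser in this same commit keeps a separate `$esc_userid` for exactly this reason. Use the same pattern here, `$esc_loweruserid = mysql_real_escape_string($loweruserid);`, and substitute it only inside query strings. addLDAPUser starts and ends outside this hunk.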
@@ -164,6 +165,7 @@ function validateLDAPUser($type, $logini
////////////////////////////////////////////////////////////////////////////////
function updateLDAPUser($authtype, $userid) {
global $authMechs;
+ $esc_userid = mysql_real_escape_string($userid);
$userData = getLDAPUserData($authtype, $userid);
if(is_null($userData))
return NULL;
@@ -197,7 +199,7 @@ function updateLDAPUser($authtype, $user
is_numeric($userData['numericid']))
$query .= "u.uid = {$userData['numericid']}";
else {
- $query .= "u.unityid = '$userid' AND "
+ $query .= "u.unityid = '$esc_userid' AND "
. "u.affiliationid = $affilid";
}
$qh = doQuery($query, 255);
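Review bot: `u.uid = {$userData['numericid']}` is interpolated unquoted behind an `is_numeric()` check, and is_numeric accepts leading whitespace, signs, decimals and exponent notation (plus hex strings on PHP < 7), so a directory-supplied value such as `1e3` passes the test and is sent verbatim. Since uid is an integer column, cast instead of test: `$query .= "u.uid = " . (int)$userData['numericid'];`, and do the same for `$affilid` if it is not already an integer. The value comes from LDAP rather than the form, so the exposure is second-order, but it is cheap to close. updateLDAPUser continues outside this hunk.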
@@ -211,7 +213,7 @@ function updateLDAPUser($authtype, $user
$user["email"] = $userData["email"];
$user["lastupdated"] = $now;
$query = "UPDATE user "
- . "SET unityid = '$userid', "
+ . "SET unityid = '$esc_userid', "
. "firstname = '{$userData['first']}', "
. "lastname = '{$userData['last']}', "
. "email = '{$userData['email']}', "
@@ -220,7 +222,7 @@ function updateLDAPUser($authtype, $user
is_numeric($userData['numericid']))
$query .= "WHERE uid = {$userData['numericid']}";
else
- $query .= "WHERE unityid = '$userid' AND "
+ $query .= "WHERE unityid = '$esc_userid' AND "
. "affiliationid = $affilid";
doQuery($query, 256, 'vcl', 1);
}