authplain: Escape ':' in any data field as '\:'

':' is the field delimiter in the authplain flat text
conf/users.auth.php file, but it's also used as an internal delimiter
for the 'mediawiki' password hash format. Currently using this hash
format corrupts the file

This change escapes ':' as '\:' in any field in the users.auth.php
file, and any '\' as '\\'.

Also adds test cases for escaping modes.

2 files changed, 110 insertions, 5 deletions

diff --git a/lib/plugins/authplain/_test/escaping.test.php b/lib/plugins/authplain/_test/escaping.test.php
new file mode 100644
index 000000000..cd5294157
--- /dev/null
+++ b/lib/plugins/authplain/_test/escaping.test.php
@@ -0,0 +1,82 @@
+<?php
+
+/**
+ * These tests are designed to test the capacity of pluginauth to handle
+ * correct escaping of colon field delimiters and backslashes in user content.
+ *
+ * (Note that these tests set some Real Names, etc. that are may not be
+ * valid in the broader dokuwiki context, but the tests ensure that
+ * authplain won't get unexpectedly surprised.)
+ *
+ * @group plugin_authplain
+ * @group plugins
+ */
+class helper_plugin_authplain_escaping_test extends DokuWikiTest {
+ 
+    protected $pluginsEnabled = array('authplain');
+    protected $auth;
+ 
+    protected function reloadUsers() {
+        /* auth caches data loaded from file, but recreated object forces reload */
+        $this->auth = new auth_plugin_authplain();
+    }
+
+    function setUp() {
+        global $config_cascade;
+        parent::setUp();
+        $name = $config_cascade['plainauth.users']['default'];
+        copy($name, $name.".orig");
+        $this->reloadUsers();
+    }
+
+    function tearDown() {
+        global $config_cascade;
+        parent::tearDown();
+        $name = $config_cascade['plainauth.users']['default'];
+        copy($name.".orig", $name);
+    }
+
+    public function testMediawikiPasswordHash() {
+        global $conf;
+        $conf['passcrypt'] = 'mediawiki';
+        $this->auth->createUser("mwuser", "12345", "Mediawiki User", "me@example.com");
+        $this->reloadUsers();
+        $this->assertTrue($this->auth->checkPass("mwuser", "12345"));
+        $mwuser = $this->auth->getUserData("mwuser");
+        $this->assertStringStartsWith(":B:",$mwuser['pass']);
+        $this->assertEquals("Mediawiki User",$mwuser['name']);
+    }
+
+    public function testNameWithColons() {
+        $name = ":Colon: User:";
+        $this->auth->createUser("colonuser", "password", $name, "me@example.com");
+        $this->reloadUsers();
+        $user = $this->auth->getUserData("colonuser");
+        $this->assertEquals($name,$user['name']);
+    }
+
+    public function testNameWithBackslashes() {
+        $name = "\\Slash\\ User\\";
+        $this->auth->createUser("slashuser", "password", $name, "me@example.com");
+        $this->reloadUsers();
+        $user = $this->auth->getUserData("slashuser");
+        $this->assertEquals($name,$user['name']);
+    }
+
+    public function testModifyUser() {
+        global $conf;
+        $conf['passcrypt'] = 'mediawiki';
+        $user = $this->auth->getUserData("testuser");
+        $user['name'] = "\\New:Crazy:Name\\";
+        $user['pass'] = "awesome new password";
+        $this->auth->modifyUser("testuser", $user);
+        $this->reloadUsers();
+
+        $saved = $this->auth->getUserData("testuser");
+        $this->assertEquals($saved['name'], $user['name']);
+        $this->assertTrue($this->auth->checkPass("testuser", $user['pass']));
+    }
+    
+}
+
+?>
\ No newline at end of file
diff --git a/lib/plugins/authplain/auth.php b/lib/plugins/authplain/auth.php
index 8c4ce0dd9..e53f56667 100644
--- a/lib/plugins/authplain/auth.php
+++ b/lib/plugins/authplain/auth.php
@@ -84,6 +84,27 @@ class auth_plugin_authplain extends DokuWiki_Auth_Plugin {
     }
 
     /**
+     * Creates a string suitable for saving as a line
+     * in the file database
+     * (delimiters escaped, etc.)
+     *
+     * @param string $user
+     * @param string $pass
+     * @param string $name
+     * @param string $mail
+     * @param array  $grps list of groups the user is in
+     * @return string
+     */
+    protected function _createUserLine($user, $pass, $name, $mail, $grps) {
+        $groups   = join(',', $grps);
+        $userline = array($user, $pass, $name, $mail, $groups);
+        $userline = str_replace('\\', '\\\\', $userline); // escape \ as \\
+        $userline = str_replace(':', '\\:', $userline); // escape : as \:
+        $userline = join(':', $userline)."\n";
+        return $userline;
+    }
+
+    /**
      * Create a new User
      *
      * Returns false if the user already exists, null when an error
@@ -115,8 +136,7 @@ class auth_plugin_authplain extends DokuWiki_Auth_Plugin {
         if(!is_array($grps)) $grps = array($conf['defaultgroup']);
 
         // prepare user line
-        $groups   = join(',', $grps);
-        $userline = join(':', array($user, $pass, $name, $mail, $groups))."\n";
+        $userline = $this->_createUserLine($user, $pass, $name, $mail, $grps);
 
         if(io_saveFile($config_cascade['plainauth.users']['default'], $userline, true)) {
             $this->users[$user] = compact('pass', 'name', 'mail', 'grps');
@@ -157,8 +177,7 @@ class auth_plugin_authplain extends DokuWiki_Auth_Plugin {
             $userinfo[$field] = $value;
         }
 
-        $groups   = join(',', $userinfo['grps']);
-        $userline = join(':', array($newuser, $userinfo['pass'], $userinfo['name'], $userinfo['mail'], $groups))."\n";
+        $userline = $this->_createUserLine($newuser, $userinfo['pass'], $userinfo['name'], $userinfo['mail'], $userinfo['grps']);
 
         if(!$this->deleteUsers(array($user))) {
             msg('Unable to modify user data. Please inform the Wiki-Admin', -1);
@@ -308,7 +327,11 @@ class auth_plugin_authplain extends DokuWiki_Auth_Plugin {
             $line = trim($line);
             if(empty($line)) continue;
 
-            $row    = explode(":", $line, 5);
+            /* NB: preg_split can be deprecated/replaced with str_getcsv once dokuwiki is min php 5.3 */
+            $row = preg_split('/(?<![^\\\\]\\\\)\:/', $line, 5); // allow for : escaped as \:
+            $row = str_replace('\\:', ':', $row);
+            $row = str_replace('\\\\', '\\', $row);
+
             $groups = array_values(array_filter(explode(",", $row[4])));
 
             $this->users[$row[0]]['pass'] = $row[1];