author | Gerry Weißbach <gerry.w@gammaproduction.de> | 2014-12-22 10:31:30 +0100 |
committer | Gerry Weißbach <gerry.w@gammaproduction.de> | 2014-12-22 10:31:30 +0100 |
commit | 8da2ebf4f4261eb8f54df5704b5d9af283b5402d (patch) | |
tree | 9c63975e3898c949e1784e30e81a5ed3da7fca93 /inc/auth.php | |
parent | 5e7f4d50cbbc788c9c0483a0a2ff1b536e4ffe8c (diff) | |
parent | 1bf4abb07f65e28578bae98aad457cb768d8b44f (diff) | |
Merge remote-tracking branch 'splitbrain/master'
Diffstat (limited to 'inc/auth.php')
-rw-r--r-- | inc/auth.php | 45 |
1 files changed, 33 insertions, 12 deletions
diff --git a/inc/auth.php b/inc/auth.php
index e224b2fb5..d51534e67 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -95,9 +95,10 @@ function auth_setup() {
         $INPUT->set('http_credentials', true);
     }
 
-    // apply cleaning
+    // apply cleaning (auth specific user names, remove control chars)
     if (true === $auth->success) {
-        $INPUT->set('u', $auth->cleanUser($INPUT->str('u')));
+        $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u'))));
+        $INPUT->set('p', stripctl($INPUT->str('p')));
     }
 
     if($INPUT->str('authtok')) {
@@ -126,6 +127,7 @@ function auth_setup() {
  * Loads the ACL setup and handle user wildcards
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @return array
  */
 function auth_loadACL() {
@@ -172,7 +174,7 @@ function auth_loadACL() {
 /**
  * Event hook callback for AUTH_LOGIN_CHECK
  *
- * @param $evdata
+ * @param array $evdata
  * @return bool
  */
 function auth_login_wrapper($evdata) {
@@ -228,7 +230,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
 
     if(!empty($user)) {
         //usual login
-        if($auth->checkPass($user, $pass)) {
+        if(!empty($pass) && $auth->checkPass($user, $pass)) {
             // make logininfo globally available
             $INPUT->server->set('REMOTE_USER', $user);
             $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
@@ -279,8 +281,9 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
  * token is correct. Will exit with a 401 Status if not.
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @param string $token The authentication token
- * @return boolean true (or will exit on failure)
+ * @return boolean|null true (or will exit on failure)
  */
 function auth_validateToken($token) {
     if(!$token || $token != $_SESSION[DOKU_COOKIE]['auth']['token']) {
@@ -306,6 +309,7 @@ function auth_validateToken($token) {
  * NOTE: this is completely unrelated to the getSecurityToken() function
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @return string The auth token
  */
 function auth_createToken() {
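Review bot: The new `$INPUT->set('p', stripctl($INPUT->str('p')));` line changes the submitted password before checkPass() ever sees it, so a password that legitimately contains a control character will stop verifying, and nothing in the hunk records that this is intentional. A why-comment on that line would prevent a later "fix", e.g. `// the password is deliberately stripped of control chars too, so the auth backend never receives them`. auth_setup's body starts and ends outside the hunk.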
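Review bot: `!empty($pass)` in the auth_login hunk rejects the string `'0'` as well as an empty password, because empty() follows PHP truthiness, so a user whose password is a single zero can no longer log in through the usual branch. Compare against the empty string instead, e.g. `if((string)$pass !== '' && $auth->checkPass($user, $pass)) {`; the pre-existing `!empty($user)` two lines above has the same property. auth_login's body starts and ends outside the hunk.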
@@ -334,7 +338,6 @@ function auth_browseruid() {
     $ip = clientIP(true);
     $uid = '';
     $uid .= $INPUT->server->str('HTTP_USER_AGENT');
-    $uid .= $INPUT->server->str('HTTP_ACCEPT_ENCODING');
     $uid .= $INPUT->server->str('HTTP_ACCEPT_CHARSET');
     $uid .= substr($ip, 0, strpos($ip, '.'));
     $uid = strtolower($uid);
@@ -350,6 +353,7 @@ function auth_browseruid() {
  * and stored in this file.
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @param bool $addsession if true, the sessionid is added to the salt
  * @param bool $secure if security is more important than keeping the old value
  * @return string
@@ -377,6 +381,7 @@ function auth_cookiesalt($addsession = false, $secure = false) {
  * @author Mark Seecof
  * @author Michael Hamann <michael@content-space.de>
  * @link http://www.php.net/manual/de/function.mt-rand.php#83655
+ *
  * @param int $length number of bytes to get
  * @return string binary random strings
  */
@@ -443,6 +448,7 @@ function auth_randombytes($length) {
  *
  * @author Michael Samuel
  * @author Michael Hamann <michael@content-space.de>
+ *
  * @param int $min
  * @param int $max
  * @return int
@@ -514,6 +520,7 @@ function auth_decrypt($ciphertext, $secret) {
  * off. It also clears session data.
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @param bool $keepbc - when true, the breadcrumb data is not cleared
  */
 function auth_logoff($keepbc = false) {
@@ -554,6 +561,7 @@ function auth_logoff($keepbc = false) {
  *
  * @author Andreas Gohr <andi@splitbrain.org>
  * @see auth_isadmin
+ *
  * @param string $user Username
  * @param array $groups List of groups the user is in
  * @param bool $adminonly when true checks if user is admin
@@ -598,6 +606,7 @@ function auth_ismanager($user = null, $groups = null, $adminonly = false) {
  *
  * @author Andreas Gohr <andi@splitbrain.org>
  * @see auth_ismanager()
+ *
  * @param string $user Username
  * @param array $groups List of groups the user is in
  * @return bool
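Review bot: `substr($ip, 0, strpos($ip, '.'))` two lines below the removed HTTP_ACCEPT_ENCODING line adds nothing to the uid when the address contains no dot, because strpos() returns false there; whether that happens depends on clientIP() returning an IPv6 address, which I cannot see from this hunk. If it can, guard the lookup, e.g. `$dot = strpos($ip, '.');` followed by `$uid .= $dot === false ? $ip : substr($ip, 0, $dot);`, and add a comment stating why only the first octet is folded in, since this value is what ties a session to its client. auth_browseruid's body starts and ends outside the hunk.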
@@ -612,9 +621,9 @@ function auth_isadmin($user = null, $groups = null) {
  *
  * Note: all input should NOT be nameencoded.
  *
- * @param $memberlist string commaseparated list of allowed users and groups
- * @param $user string user to match against
- * @param $groups array groups the user is member of
+ * @param string $memberlist commaseparated list of allowed users and groups
+ * @param string $user user to match against
+ * @param array $groups groups the user is member of
  * @return bool true for membership acknowledged
  */
 function auth_isMember($memberlist, $user, array $groups) {
@@ -638,6 +647,7 @@ function auth_isMember($memberlist, $user, array $groups) {
 
     // compare cleaned values
     foreach($members as $member) {
+        if($member == '@ALL' ) return true;
         if(!$auth->isCaseSensitive()) $member = utf8_strtolower($member);
         if($member[0] == '@') {
             $member = $auth->cleanGroup(substr($member, 1));
@@ -676,6 +686,7 @@ function auth_quickaclcheck($id) {
  * Returns the maximum rights a user has for the given ID or its namespace
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @triggers AUTH_ACL_CHECK
  * @param string $id page ID (needs to be resolved and cleaned)
  * @param string $user Username
@@ -698,6 +709,7 @@ function auth_aclcheck($id, $user, $groups) {
  * DO NOT CALL DIRECTLY, use auth_aclcheck() instead
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @param array $data event data
  * @return int permission level
  */
@@ -830,6 +842,10 @@ function auth_aclcheck_cb($data) {
  *
  * @author Andreas Gohr <gohr@cosmocode.de>
  * @see rawurldecode()
+ *
+ * @param string $name
+ * @param bool $skip_group
+ * @return string
  */
 function auth_nameencode($name, $skip_group = false) {
     global $cache_authname;
@@ -911,6 +927,7 @@ function auth_pwgen($foruser = '') {
  * Sends a password to the given user
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @param string $user Login name of the user
  * @param string $password The new password in clear text
  * @return bool true on success
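Review bot: The new `if($member == '@ALL' ) return true;` in auth_isMember runs before the `utf8_strtolower()` on the next line, so for a backend where isCaseSensitive() is false an entry written as `@all` is not caught by this shortcut, and the comparison is a loose `==`. If only the literal token is meant, write `if($member === '@ALL') return true;` (which also drops the stray space before the closing parenthesis); if case-insensitive backends should accept `@all` as well, move the check after the lowercase step and compare the lowercased value. auth_isMember's body starts and ends outside the hunk.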
@@ -922,7 +939,7 @@ function auth_sendPassword($user, $password) {
     if(!$auth) return false;
 
     $user = $auth->cleanUser($user);
-    $userinfo = $auth->getUserData($user);
+    $userinfo = $auth->getUserData($user, $requireGroups = false);
 
     if(!$userinfo['mail']) return false;
 
@@ -946,6 +963,7 @@ function auth_sendPassword($user, $password) {
  * This registers a new user - Data is read directly from $_POST
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @return bool true on success, false on any error
  */
 function register() {
@@ -1127,6 +1145,7 @@ function auth_deleteprofile(){
         }
     }
 
+    $deleted = array();
     $deleted[] = $INPUT->server->str('REMOTE_USER');
     if($auth->triggerUserMod('delete', array($deleted))) {
         // force and immediate logout including removing the sticky cookie
@@ -1184,7 +1203,7 @@ function act_resendpwd() {
         }
 
         $user = io_readfile($tfile);
-        $userinfo = $auth->getUserData($user);
+        $userinfo = $auth->getUserData($user, $requireGroups = false);
         if(!$userinfo['mail']) {
             msg($lang['resendpwdnouser'], -1);
             return false;
@@ -1236,7 +1255,7 @@ function act_resendpwd() {
             $user = trim($auth->cleanUser($INPUT->post->str('login')));
         }
 
-        $userinfo = $auth->getUserData($user);
+        $userinfo = $auth->getUserData($user, $requireGroups = false);
         if(!$userinfo['mail']) {
             msg($lang['resendpwdnouser'], -1);
             return false;
@@ -1277,6 +1296,7 @@ function act_resendpwd() {
  * is chosen.
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @param string $clear The clear text password
  * @param string $method The hashing method
  * @param string $salt A salt, null for random
@@ -1301,6 +1321,7 @@ function auth_cryptPassword($clear, $method = '', $salt = null) {
  * Verifies a cleartext password against a crypted hash
  *
  * @author Andreas Gohr <andi@splitbrain.org>
+ *
  * @param string $clear The clear text password
  * @param string $crypt The hash to compare with
  * @return bool true if both match
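Review bot: `$auth->getUserData($user, $requireGroups = false)` passes a plain positional `false`; the assignment only leaves an unused local `$requireGroups` behind in auth_sendPassword and reads like a named argument that PHP of this era does not have. The same form appears twice in act_resendpwd, in the hunks at new-side lines 1203 and 1255. Prefer `$userinfo = $auth->getUserData($user, false); // groups not needed, only the mail address` in all three places. Separately, if getUserData() can return false for an unknown user (not visible here), `if(!$userinfo['mail'])` indexes a non-array, and `if(!$userinfo || empty($userinfo['mail']))` would be the safer test. auth_sendPassword's body starts and ends outside the hunk.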