Added group and user sanitation

Ignore-this: 26392125523d2c822580346074330ebe

darcs-hash:20091113102249-7ad00-4cede040a940d739bd34d548e12956e8d8609cfa.gz

3 files changed, 64 insertions, 7 deletions

diff --git a/inc/auth.php b/inc/auth.php
index 7dd7eb557..6157ac892 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -74,6 +74,9 @@ if($conf['useacl']){
             $_REQUEST['http_credentials'] = true;
         }
 
+        // apply cleaning
+        $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']);
+
         if(isset($_REQUEST['authtok'])){
             // when an authentication token is given, trust the session
             auth_validateToken($_REQUEST['authtok']);
@@ -90,13 +93,10 @@ if($conf['useacl']){
             $evt = new Doku_Event('AUTH_LOGIN_CHECK',$evdata);
             if($evt->advise_before()){
                 auth_login($evdata['user'],
-                        $evdata['password'],
-                        $evdata['sticky'],
-                        $evdata['silent']);
+                           $evdata['password'],
+                           $evdata['sticky'],
+                           $evdata['silent']);
             }
-            $evt->advise_after();
-            unset($evt);
-            unset($evdata);
         }
     }
 
@@ -104,6 +104,7 @@ if($conf['useacl']){
     global $AUTH_ACL;
     if(is_readable(DOKU_CONF.'acl.auth.php')){
         $AUTH_ACL = file(DOKU_CONF.'acl.auth.php');
+        //support user wildcard
         if(isset($_SERVER['REMOTE_USER'])){
             $AUTH_ACL = str_replace('%USER%',$_SERVER['REMOTE_USER'],$AUTH_ACL);
             $AUTH_ACL = str_replace('@USER@',$_SERVER['REMOTE_USER'],$AUTH_ACL); //legacy
diff --git a/inc/auth/basic.class.php b/inc/auth/basic.class.php
index 5af70a47a..a1f77dea5 100644
--- a/inc/auth/basic.class.php
+++ b/inc/auth/basic.class.php
@@ -128,7 +128,7 @@ class auth_basic {
    * only be needed when trustExternal is implemented.
    *
    * @see     auth_logoff()
-   * @author  Andreas Gohr
+   * @author  Andreas Gohr <andi@splitbrain.org>
    */
   function logOff(){
   }
@@ -322,6 +322,46 @@ class auth_basic {
     return array();
   }
 
+  /**
+   * Sanitize a given username [OPTIONAL]
+   *
+   * This function is applied to any user name that is given to
+   * the backend and should also be applied to any user name within
+   * the backend before returning it somewhere.
+   *
+   * This should be used to enforce username restrictions. Eg. when
+   * the backend is case insensitive all usernames should be lowercased
+   * here.
+   *
+   * @author Andreas Gohr <andi@splitbrain.org>
+   * @param string $user - username
+   * @param string - the cleaned username
+   */
+  function cleanUser($user){
+    return $user;
+  }
+
+  /**
+   * Sanitize a given groupname [OPTIONAL]
+   *
+   * This function is applied to any groupname that is given to
+   * the backend and should also be applied to any groupname within
+   * the backend before returning it somewhere.
+   *
+   * This should be used to enforce groupname restrictions. Eg. when
+   * the backend is case insensitive all groupames should be lowercased
+   * here.
+   *
+   * Groupnames are to be passed without a leading '@' here.
+   *
+   * @author Andreas Gohr <andi@splitbrain.org>
+   * @param string $group - groupname
+   * @param string - the cleaned groupname
+   */
+  function cleanGroup($group){
+    return $group;
+  }
+
 
   /**
    * Check Session Cache validity [implement only where required/possible]
diff --git a/inc/auth/plain.class.php b/inc/auth/plain.class.php
index 68976287a..0ff18d58a 100644
--- a/inc/auth/plain.class.php
+++ b/inc/auth/plain.class.php
@@ -261,6 +261,22 @@ class auth_plain extends auth_basic {
     }
 
     /**
+     * Only valid pageid's (no namespaces) for usernames
+     */
+    function cleanUser($user){
+        global $conf;
+        return cleanID(str_replace(':',$conf['sepchar'],$user));
+    }
+
+    /**
+     * Only valid pageid's (no namespaces) for groupnames
+     */
+    function cleanGroup($user){
+        global $conf;
+        return cleanID(str_replace(':',$conf['sepchar'],$group));
+    }
+
+    /**
      * Load all user data
      *
      * loads the user file into a datastructure