clean user credentials from control chars

This is to prevent zero byte attacks on external auth systems as described in http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
author: Andreas Gohr <andi@splitbrain.org> 2014-09-23 20:17:49 +0200
committer: Andreas Gohr <andi@splitbrain.org> 2014-09-23 20:17:49 +0200
commit: 395c2f0ff3e87977ea2573587a11f4ef294433f2 (patch)
tree: f01bb2b4abecc074eb250c53f3bc5e95ad2eba4f /inc/auth.php
parent: 1ee9b48eeac0acdc23d10bc12e2efa22a01f9989 (diff)
download: rpg-395c2f0ff3e87977ea2573587a11f4ef294433f2.tar.gz
rpg-395c2f0ff3e87977ea2573587a11f4ef294433f2.tar.bz2
1 files changed, 3 insertions, 2 deletions
diff --git a/inc/auth.php b/inc/auth.php
index e224b2fb5..7477ae7ef 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -95,9 +95,10 @@ function auth_setup() {
         $INPUT->set('http_credentials', true);
     }
 
-    // apply cleaning
+    // apply cleaning (auth specific user names, remove control chars)
     if (true === $auth->success) {
-        $INPUT->set('u', $auth->cleanUser($INPUT->str('u')));
+        $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u'))));
+        $INPUT->set('p', stripctl($INPUT->str('p')));
     }
 
     if($INPUT->str('authtok')) {
author	Andreas Gohr <andi@splitbrain.org>	2014-09-23 20:17:49 +0200
committer	Andreas Gohr <andi@splitbrain.org>	2014-09-23 20:17:49 +0200
commit	395c2f0ff3e87977ea2573587a11f4ef294433f2 (patch)
tree	f01bb2b4abecc074eb250c53f3bc5e95ad2eba4f /inc/auth.php
parent	1ee9b48eeac0acdc23d10bc12e2efa22a01f9989 (diff)
download	rpg-395c2f0ff3e87977ea2573587a11f4ef294433f2.tar.gz rpg-395c2f0ff3e87977ea2573587a11f4ef294433f2.tar.bz2