authorAndreas Gohr <andi@splitbrain.org>2009-11-14 13:35:17 +0100
committerAndreas Gohr <andi@splitbrain.org>2009-11-14 13:35:17 +0100
commitd752aedee962294dd2bbc120557d6b6b79c970a9 (patch)
tree58b78866250c0387aaf6876721f5665c13e7163a /inc/auth.php
parent191bb90af90d4b063435ee55d67082e7453ed1fb (diff)
downloadrpg-d752aedee962294dd2bbc120557d6b6b79c970a9.tar.gz
rpg-d752aedee962294dd2bbc120557d6b6b79c970a9.tar.bz2
more work on user and group cleaning
Ignore-this: b824c2941d3631bdf83350e325606d3e darcs-hash:20091114123517-7ad00-d32833a88cb5f654a8874542d4d59f1f401d4453.gz
Diffstat (limited to 'inc/auth.php')
-rw-r--r--inc/auth.php15
1 files changed, 11 insertions, 4 deletions
diff --git a/inc/auth.php b/inc/auth.php
index 6157ac892..5995459fe 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -335,6 +335,7 @@ function auth_logoff($keepbc=false){
function auth_ismanager($user=null,$groups=null,$adminonly=false){
global $conf;
global $USERINFO;
+ global $auth;
if(!$conf['useacl']) return false;
if(is_null($user)) {
@@ -344,7 +345,9 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){
$user = $_SERVER['REMOTE_USER'];
}
}
+ $user = $auth->cleanUser($user);
if(is_null($groups)) $groups = (array) $USERINFO['grps'];
+ $groups = array_map(array($auth,'cleanGroup'),$groups);
$user = auth_nameencode($user);
// check username against superuser and manager
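Review bot: The new `$auth->cleanUser($user)` call before the `is_null($groups)` check canonicalises the login that the last line says is about to be compared against the superuser and manager entries, but nothing in the hunk applies the same canonicalisation to those configured names. If a backend's cleanUser() normalises case or strips characters, a superuser configured in the un-normalised spelling would silently stop matching, which is a lock-out rather than a privilege gain but still a regression this commit introduces. Either pass the `$conf['superuser']`/`$conf['manager']` entries through `$auth->cleanUser()` (and the `@group` entries through `cleanGroup()`) at the comparison, or state the contract next to the new line: `// superuser/manager config entries must already be in cleanUser()/cleanGroup() canonical form`. The comparison itself and the rest of auth_ismanager() lie outside the hunk, so this is inferred from the trailing comment.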
@@ -433,6 +436,7 @@ function auth_quickaclcheck($id){
function auth_aclcheck($id,$user,$groups){
global $conf;
global $AUTH_ACL;
+ global $auth;
// if no ACL is used always return upload rights
if(!$conf['useacl']) return AUTH_UPLOAD;
@@ -443,6 +447,9 @@ function auth_aclcheck($id,$user,$groups){
//if user is superuser or in superusergroup return 255 (acl_admin)
if(auth_isadmin($user,$groups)) { return AUTH_ADMIN; }
+
+ $user = $auth->cleanUser($user);
+ $groups = array_map(array($auth,'cleanGroup'),(array)$groups);
$user = auth_nameencode($user);
//prepend groups with @ and nameencode
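Review bot: `$user` and `$groups` are now canonicalised with cleanUser()/cleanGroup() after the admin short-circuit, but the rules in `$AUTH_ACL` they will be matched against are not run through the same functions anywhere in this hunk, so an ACL line written with a non-canonical name (different case, or characters the backend strips) would stop applying once the backend normalises the login. That is a silent change in effective permissions for existing installs, so it deserves either canonicalisation of the ACL entries where they are loaded or compared, or an explicit note on the new lines: `// ACL entries are expected to already be in cleanUser()/cleanGroup() form`. The match loop follows the hunk and is not visible here.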
@@ -593,6 +600,7 @@ function auth_sendPassword($user,$password){
global $auth;
$hdrs = '';
+ $user = $auth->cleanUser($user);
$userinfo = $auth->getUserData($user);
if(!$userinfo['mail']) return false;
@@ -628,8 +636,8 @@ function register(){
if(!$auth->canDo('addUser')) return false;
//clean username
- $_POST['login'] = preg_replace('/.*:/','',$_POST['login']);
- $_POST['login'] = cleanID($_POST['login']);
+ $_POST['login'] = trim($auth->cleanUser($_POST['login']));
+
//clean fullname and email
$_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/','',$_POST['fullname']));
$_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/','',$_POST['email']));
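Review bot: Dropping the removed `preg_replace('/.*:/','',...)` line delegates colon handling for the login entirely to the backend's cleanUser(), while the fullname and email lines in the same hunk still strip `:` themselves, so the hunk evidently treats `:` as a character that must not reach the stored record. Unless every backend's cleanUser() is guaranteed to reject or strip it, a registration could write a login containing the separator; a defensive check after the cleaning line, `if(strpos($_POST['login'],':') !== false) return false;`, keeps the old guarantee regardless of backend. At minimum record the assumption: `// cleanUser() must strip ':' — presumably a field separator in the user store`. The remainder of register() is outside the hunk.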
@@ -823,8 +831,7 @@ function act_resendpwd(){
msg($lang['resendpwdmissing'], -1);
return false;
} else {
- $_POST['login'] = preg_replace('/.*:/','',$_POST['login']);
- $user = cleanID($_POST['login']);
+ $user = trim($auth->cleanUser($_POST['login']));
}
$userinfo = $auth->getUserData($user);
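Review bot: The empty-login check whose else-branch now holds the cleanUser() call appears to be evaluated on the raw `$_POST['login']` (its condition is above the hunk), so a value that cleanUser()/trim() reduces to an empty string still reaches `$auth->getUserData($user)` with `''`. Re-test after cleaning, placed after the closing brace: `if($user === '') { msg($lang['resendpwdmissing'], -1); return false; }`, so the backend is never queried for an empty login. act_resendpwd() continues beyond the hunk.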