From 2046a6546c8ed62b9a7b33305b6201458f2f8291 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Wed, 12 Mar 2014 15:38:28 +0000 Subject: Allow user info to be retrieved without groups Some parts of dokuwiki (e.g. recent changes, old revisions) can requests lots of user info (to provide editor names) without requiring any group information. This change also implements caching of user info by authmysql & authpgsql plugins to avoid repeated querying of the DB to retrieve the same user information. --- inc/auth.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 2bdc3eb00..cbdd7163b 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -922,7 +922,7 @@ function auth_sendPassword($user, $password) { if(!$auth) return false; $user = $auth->cleanUser($user); - $userinfo = $auth->getUserData($user); + $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); if(!$userinfo['mail']) return false; @@ -1184,7 +1184,7 @@ function act_resendpwd() { } $user = io_readfile($tfile); - $userinfo = $auth->getUserData($user); + $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); if(!$userinfo['mail']) { msg($lang['resendpwdnouser'], -1); return false; @@ -1236,7 +1236,7 @@ function act_resendpwd() { $user = trim($auth->cleanUser($INPUT->post->str('login'))); } - $userinfo = $auth->getUserData($user); + $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); if(!$userinfo['mail']) { msg($lang['resendpwdnouser'], -1); return false; -- cgit v1.2.3 From 2dc9e90007f12ac996b0e74479137a9dc6243c3c Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Sun, 4 May 2014 19:20:11 +0100 Subject: KISS - remove class constants for REQUIRE_GROUPS & IGNORE_GROUPS and replace with boolean values --- inc/auth.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'inc/auth.php') 
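Review bot: The value returned by the new `getUserData()` call is indexed on the very next line (`if(!$userinfo['mail']) return false;`) without checking that a record came back at all; if the backend signals an unknown user with `false`, as DokuWiki auth plugins conventionally do, that read is a silent null on PHP 5 and an "array offset on bool" notice from PHP 7.4 on. Guarding the lookup explicitly, `if(!$userinfo || empty($userinfo['mail'])) return false;`, makes the unknown-user case deliberate rather than incidental. The same pattern repeats in the two act_resendpwd hunks at lines 1184 and 1236 (with `msg($lang['resendpwdnouser'], -1)` as the failure path), and the enclosing functions start outside every hunk.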
diff --git a/inc/auth.php b/inc/auth.php index cbdd7163b..5e0d13417 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -922,7 +922,7 @@ function auth_sendPassword($user, $password) { if(!$auth) return false; $user = $auth->cleanUser($user); - $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); + $userinfo = $auth->getUserData($user, $requireGroups = false); if(!$userinfo['mail']) return false; @@ -1184,7 +1184,7 @@ function act_resendpwd() { } $user = io_readfile($tfile); - $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); + $userinfo = $auth->getUserData($user, $requireGroups = false); if(!$userinfo['mail']) { msg($lang['resendpwdnouser'], -1); return false; @@ -1236,7 +1236,7 @@ function act_resendpwd() { $user = trim($auth->cleanUser($INPUT->post->str('login'))); } - $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); + $userinfo = $auth->getUserData($user, $requireGroups = false); if(!$userinfo['mail']) { msg($lang['resendpwdnouser'], -1); return false; -- cgit v1.2.3 From 49cd1ed0c3598adf2be1b42e09281137eb41cc2b Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sat, 26 Jul 2014 08:40:27 +0200 Subject: fix AUTH_USER_CHANGE event in profile updates the triggered event did not allow event handlers to change the passed data --- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 2bdc3eb00..e224b2fb5 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -1080,7 +1080,7 @@ function updateprofile() { } } - if($result = $auth->triggerUserMod('modify', array($INPUT->server->str('REMOTE_USER'), $changes))) { + if($result = $auth->triggerUserMod('modify', array($INPUT->server->str('REMOTE_USER'), &$changes))) { // update cookie and session with the changed data if($changes['pass']) { list( /*user*/, $sticky, /*pass*/) = auth_getCookie(); -- cgit v1.2.3 
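Review bot: `$auth->getUserData($user, $requireGroups = false)` reads like a named argument but is an assignment expression evaluated positionally, so it passes `false` and additionally leaves a stray `$requireGroups` local in auth_sendPassword, and in act_resendpwd in the two following hunks. PHP of this era has no named arguments, so the intent is better carried by a literal plus a comment: `$userinfo = $auth->getUserData($user, false); // group info not needed here`. The enclosing functions start outside the hunks.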
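Review bot: With `&$changes` now in the argument array, event handlers can rewrite the changes before the cookie/session update that follows in this hunk, so `if($changes['pass'])` on the next lines reads handler-modified data and will emit an undefined-index notice if a handler removed the key entirely; `if(!empty($changes['pass'])) {` tolerates that. The assignment inside the condition (`if($result = $auth->triggerUserMod(...))`) is also easy to misread as a comparison and would be clearer as a separate statement. updateprofile() continues outside the hunk.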
From e5204a127eaefe66c8334f68edc017671e78fcca Mon Sep 17 00:00:00 2001 From: Jurgen Hart Date: Wed, 30 Jul 2014 16:39:40 +0200 Subject: Added @ALL handeling in auth_isMember --- inc/auth.php | 1 + 1 file changed, 1 insertion(+) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index e224b2fb5..b12800584 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -638,6 +638,7 @@ function auth_isMember($memberlist, $user, array $groups) { // compare cleaned values foreach($members as $member) { + if($member == '@ALL' ) return true; if(!$auth->isCaseSensitive()) $member = utf8_strtolower($member); if($member[0] == '@') { $member = $auth->cleanGroup(substr($member, 1)); -- cgit v1.2.3 From 395c2f0ff3e87977ea2573587a11f4ef294433f2 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Tue, 23 Sep 2014 20:17:49 +0200 Subject: clean user credentials from control chars This is to prevent zero byte attacks on external auth systems as described in http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication --- inc/auth.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index e224b2fb5..7477ae7ef 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -95,9 +95,10 @@ function auth_setup() { $INPUT->set('http_credentials', true); } - // apply cleaning + // apply cleaning (auth specific user names, remove control chars) if (true === $auth->success) { - $INPUT->set('u', $auth->cleanUser($INPUT->str('u'))); + $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u')))); + $INPUT->set('p', stripctl($INPUT->str('p'))); } if($INPUT->str('authtok')) { -- cgit v1.2.3 From 5e9e1054045318cfb23f64db7be36a677dc9481a Mon Sep 17 00:00:00 2001 
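Review bot: The added `if($member == '@ALL' ) return true;` uses a loose comparison and runs before the case-insensitive lowercasing on the following line, so on a backend where `isCaseSensitive()` is false an entry written `@all` is treated as an ordinary group while every other group name is folded, which is probably not what the wildcard intends. Either compare strictly and document that the wildcard is literal, `if($member === '@ALL') return true;`, or perform the check after the lowercasing against `'@all'` when the backend is case-insensitive. Note also that the wildcard returns true regardless of `$user`, so a caller passing an empty or anonymous user gets a match too; a comment stating whether that is intended would help. The enclosing foreach and auth_isMember() continue outside the hunk.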
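Review bot: The control-character stripping is applied only to the `u` and `p` fields inside auth_setup, while the password-reset form in act_resendpwd (visible in an earlier hunk at line 1236) still hands `$INPUT->post->str('login')` straight to `cleanUser()` and then to the backend's `getUserData()`, so that lookup keeps the exposure this commit closes. Apply the same treatment there, `$user = trim($auth->cleanUser(stripctl($INPUT->post->str('login'))));`, or strip inside the auth plugin's `cleanUser()` so every username entry point is covered centrally. The `true === $auth->success` guard also leaves the fields unstripped when the auth plugin failed to load; presumably they are unused then, but a short comment saying so would make that explicit. auth_setup() continues outside the hunk.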
From: Andreas Gohr Date: Fri, 26 Sep 2014 10:36:05 +0200 Subject: do not allow empty passwords When a username but no password is submitted, the login is denied right away instead of relying on the backend to refuse the login. --- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 7477ae7ef..037f7e78f 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -229,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) { if(!empty($user)) { //usual login - if($auth->checkPass($user, $pass)) { + if(!empty($pass) && $auth->checkPass($user, $pass)) { // make logininfo globally available $INPUT->server->set('REMOTE_USER', $user); $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session -- cgit v1.2.3
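Review bot: `!empty($pass)` rejects the literal password `"0"`, because `empty()` treats the string `'0'` as empty, so an account with that password can no longer log in after this change; testing for the empty string is the precise check, `if((string) $pass !== '' && $auth->checkPass($user, $pass)) {`. The `!empty($user)` on the line above has the same quirk for a user named `0`, though that is pre-existing. The rejection path and the rest of auth_login() lie outside the hunk.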