From 2046a6546c8ed62b9a7b33305b6201458f2f8291 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Wed, 12 Mar 2014 15:38:28 +0000 Subject: Allow user info to be retrieved without groups Some parts of dokuwiki (e.g. recent changes, old revisions) can requests lots of user info (to provide editor names) without requiring any group information. This change also implements caching of user info by authmysql & authpgsql plugins to avoid repeated querying of the DB to retrieve the same user information. --- inc/auth.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 2bdc3eb00..cbdd7163b 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -922,7 +922,7 @@ function auth_sendPassword($user, $password) { if(!$auth) return false; $user = $auth->cleanUser($user); - $userinfo = $auth->getUserData($user); + $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); if(!$userinfo['mail']) return false; @@ -1184,7 +1184,7 @@ function act_resendpwd() { } $user = io_readfile($tfile); - $userinfo = $auth->getUserData($user); + $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); if(!$userinfo['mail']) { msg($lang['resendpwdnouser'], -1); return false; @@ -1236,7 +1236,7 @@ function act_resendpwd() { $user = trim($auth->cleanUser($INPUT->post->str('login'))); } - $userinfo = $auth->getUserData($user); + $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); if(!$userinfo['mail']) { msg($lang['resendpwdnouser'], -1); return false; -- cgit v1.2.3 From 2dc9e90007f12ac996b0e74479137a9dc6243c3c Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Sun, 4 May 2014 19:20:11 +0100 Subject: KISS - remove class constants for REQUIRE_GROUPS & IGNORE_GROUPS and replace with boolean values --- inc/auth.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index cbdd7163b..5e0d13417 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -922,7 +922,7 @@ function auth_sendPassword($user, $password) { if(!$auth) return false; $user = $auth->cleanUser($user); - $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); + $userinfo = $auth->getUserData($user, $requireGroups = false); if(!$userinfo['mail']) return false; @@ -1184,7 +1184,7 @@ function act_resendpwd() { } $user = io_readfile($tfile); - $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); + $userinfo = $auth->getUserData($user, $requireGroups = false); if(!$userinfo['mail']) { msg($lang['resendpwdnouser'], -1); return false; @@ -1236,7 +1236,7 @@ function act_resendpwd() { $user = trim($auth->cleanUser($INPUT->post->str('login'))); } - $userinfo = $auth->getUserData($user, DokuWiki_Auth_Plugin::IGNORE_GROUPS); + $userinfo = $auth->getUserData($user, $requireGroups = false); if(!$userinfo['mail']) { msg($lang['resendpwdnouser'], -1); return false; -- cgit v1.2.3 From e5204a127eaefe66c8334f68edc017671e78fcca Mon Sep 17 00:00:00 2001 From: Jurgen Hart Date: Wed, 30 Jul 2014 16:39:40 +0200 Subject: Added @ALL handeling in auth_isMember --- inc/auth.php | 1 + 1 file changed, 1 insertion(+) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index e224b2fb5..b12800584 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -638,6 +638,7 @@ function auth_isMember($memberlist, $user, array $groups) { // compare cleaned values foreach($members as $member) { + if($member == '@ALL' ) return true; if(!$auth->isCaseSensitive()) $member = utf8_strtolower($member); if($member[0] == '@') { $member = $auth->cleanGroup(substr($member, 1)); -- cgit v1.2.3 From 395c2f0ff3e87977ea2573587a11f4ef294433f2 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Tue, 23 Sep 2014 20:17:49 +0200 Subject: clean user credentials from control chars This is to prevent zero byte attacks on external auth systems as described in http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication --- inc/auth.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index e224b2fb5..7477ae7ef 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -95,9 +95,10 @@ function auth_setup() { $INPUT->set('http_credentials', true); } - // apply cleaning + // apply cleaning (auth specific user names, remove control chars) if (true === $auth->success) { - $INPUT->set('u', $auth->cleanUser($INPUT->str('u'))); + $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u')))); + $INPUT->set('p', stripctl($INPUT->str('p'))); } if($INPUT->str('authtok')) { -- cgit v1.2.3 From 5e9e1054045318cfb23f64db7be36a677dc9481a Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 26 Sep 2014 10:36:05 +0200 Subject: do not allow empty passwords When a username but no password is submitted, the login is denied right away instead of relying on the backend to refuse the login. --- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 7477ae7ef..037f7e78f 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -229,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) { if(!empty($user)) { //usual login - if($auth->checkPass($user, $pass)) { + if(!empty($pass) && $auth->checkPass($user, $pass)) { // make logininfo globally available $INPUT->server->set('REMOTE_USER', $user); $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session -- cgit v1.2.3 From 59bc3b48fdffb76ee65a4b630be3ffa1f6c20c80 Mon Sep 17 00:00:00 2001 From: Gerrit Uitslag Date: Mon, 29 Sep 2014 21:45:27 +0200 Subject: more scrutinizer issue improvements --- inc/auth.php | 1 + 1 file changed, 1 insertion(+) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index e938830ef..dc2b6cad8 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -1129,6 +1129,7 @@ function auth_deleteprofile(){ } } + $deleted = array(); $deleted[] = $INPUT->server->str('REMOTE_USER'); if($auth->triggerUserMod('delete', array($deleted))) { // force and immediate logout including removing the sticky cookie -- cgit v1.2.3 From 42ea7f447f39fbc2f79eaaec31f8c10ede59c5d0 Mon Sep 17 00:00:00 2001 From: Gerrit Uitslag Date: Wed, 1 Oct 2014 11:30:27 +0200 Subject: Many PHPDocs, some unused and dyn declared vars many PHPDocs some unused variables some dynamically declared variables declared --- inc/auth.php | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index dc2b6cad8..3a6a2f65a 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -127,6 +127,7 @@ function auth_setup() { * Loads the ACL setup and handle user wildcards * * @author Andreas Gohr + * * @return array */ function auth_loadACL() { @@ -173,7 +174,7 @@ function auth_loadACL() { /** * Event hook callback for AUTH_LOGIN_CHECK * - * @param $evdata + * @param array $evdata * @return bool */ function auth_login_wrapper($evdata) { @@ -280,6 +281,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) { * token is correct. Will exit with a 401 Status if not. * * @author Andreas Gohr + * * @param string $token The authentication token * @return boolean true (or will exit on failure) */ @@ -307,6 +309,7 @@ function auth_validateToken($token) { * NOTE: this is completely unrelated to the getSecurityToken() function * * @author Andreas Gohr + * * @return string The auth token */ function auth_createToken() { @@ -351,6 +354,7 @@ function auth_browseruid() { * and stored in this file. * * @author Andreas Gohr + * * @param bool $addsession if true, the sessionid is added to the salt * @param bool $secure if security is more important than keeping the old value * @return string @@ -378,6 +382,7 @@ function auth_cookiesalt($addsession = false, $secure = false) { * @author Mark Seecof * @author Michael Hamann * @link http://www.php.net/manual/de/function.mt-rand.php#83655 + * * @param int $length number of bytes to get * @return string binary random strings */ @@ -444,6 +449,7 @@ function auth_randombytes($length) { * * @author Michael Samuel * @author Michael Hamann + * * @param int $min * @param int $max * @return int @@ -515,6 +521,7 @@ function auth_decrypt($ciphertext, $secret) { * off. It also clears session data. * * @author Andreas Gohr + * * @param bool $keepbc - when true, the breadcrumb data is not cleared */ function auth_logoff($keepbc = false) { @@ -555,6 +562,7 @@ function auth_logoff($keepbc = false) { * * @author Andreas Gohr * @see auth_isadmin + * * @param string $user Username * @param array $groups List of groups the user is in * @param bool $adminonly when true checks if user is admin @@ -599,6 +607,7 @@ function auth_ismanager($user = null, $groups = null, $adminonly = false) { * * @author Andreas Gohr * @see auth_ismanager() + * * @param string $user Username * @param array $groups List of groups the user is in * @return bool @@ -613,9 +622,9 @@ function auth_isadmin($user = null, $groups = null) { * * Note: all input should NOT be nameencoded. * - * @param $memberlist string commaseparated list of allowed users and groups - * @param $user string user to match against - * @param $groups array groups the user is member of + * @param string $memberlist commaseparated list of allowed users and groups + * @param string $user user to match against + * @param array $groups groups the user is member of * @return bool true for membership acknowledged */ function auth_isMember($memberlist, $user, array $groups) { @@ -678,6 +687,7 @@ function auth_quickaclcheck($id) { * Returns the maximum rights a user has for the given ID or its namespace * * @author Andreas Gohr + * * @triggers AUTH_ACL_CHECK * @param string $id page ID (needs to be resolved and cleaned) * @param string $user Username @@ -700,6 +710,7 @@ function auth_aclcheck($id, $user, $groups) { * DO NOT CALL DIRECTLY, use auth_aclcheck() instead * * @author Andreas Gohr + * * @param array $data event data * @return int permission level */ @@ -832,6 +843,10 @@ function auth_aclcheck_cb($data) { * * @author Andreas Gohr * @see rawurldecode() + * + * @param string $name + * @param bool $skip_group + * @return string */ function auth_nameencode($name, $skip_group = false) { global $cache_authname; @@ -913,6 +928,7 @@ function auth_pwgen($foruser = '') { * Sends a password to the given user * * @author Andreas Gohr + * * @param string $user Login name of the user * @param string $password The new password in clear text * @return bool true on success @@ -948,6 +964,7 @@ function auth_sendPassword($user, $password) { * This registers a new user - Data is read directly from $_POST * * @author Andreas Gohr + * * @return bool true on success, false on any error */ function register() { @@ -1280,6 +1297,7 @@ function act_resendpwd() { * is chosen. * * @author Andreas Gohr + * * @param string $clear The clear text password * @param string $method The hashing method * @param string $salt A salt, null for random @@ -1304,6 +1322,7 @@ function auth_cryptPassword($clear, $method = '', $salt = null) { * Verifies a cleartext password against a crypted hash * * @author Andreas Gohr + * * @param string $clear The clear text password * @param string $crypt The hash to compare with * @return bool true if both match -- cgit v1.2.3 From 7e8500eea1e53b1de0e0f70400664afa442cd08d Mon Sep 17 00:00:00 2001 From: Gerrit Uitslag Date: Thu, 2 Oct 2014 14:55:24 +0200 Subject: PHPDocs and some improvements --- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 3a6a2f65a..0342de7be 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -283,7 +283,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) { * @author Andreas Gohr * * @param string $token The authentication token - * @return boolean true (or will exit on failure) + * @return boolean|null true (or will exit on failure) */ function auth_validateToken($token) { if(!$token || $token != $_SESSION[DOKU_COOKIE]['auth']['token']) { -- cgit v1.2.3 From 60aca4b904310fc764389d058c23e7b978b513a3 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Mon, 6 Oct 2014 14:59:03 +0200 Subject: do not use Accept-Encoding in browser UID Since Chrome 37, they send differen accept encodings for POST and GET requests which will break BrowserUID checks as reported in cosmocode/dokuwiki-plugin-oauth/issues/3 See https://code.google.com/p/chromium/issues/detail?id=410559 for official bug report at Google --- inc/auth.php | 1 - 1 file changed, 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index e938830ef..4b1e6ce31 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -335,7 +335,6 @@ function auth_browseruid() { $ip = clientIP(true); $uid = ''; $uid .= $INPUT->server->str('HTTP_USER_AGENT'); - $uid .= $INPUT->server->str('HTTP_ACCEPT_ENCODING'); $uid .= $INPUT->server->str('HTTP_ACCEPT_CHARSET'); $uid .= substr($ip, 0, strpos($ip, '.')); $uid = strtolower($uid); -- cgit v1.2.3