From 395c2f0ff3e87977ea2573587a11f4ef294433f2 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Tue, 23 Sep 2014 20:17:49 +0200
Subject: clean user credentials from control chars

This is to prevent zero byte attacks on external auth systems as
described in
http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
---
 inc/auth.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'inc')

diff --git a/inc/auth.php b/inc/auth.php
index e224b2fb5..7477ae7ef 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -95,9 +95,10 @@ function auth_setup() {
         $INPUT->set('http_credentials', true);
     }
 
-    // apply cleaning
+    // apply cleaning (auth specific user names, remove control chars)
     if (true === $auth->success) {
-        $INPUT->set('u', $auth->cleanUser($INPUT->str('u')));
+        $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u'))));
+        $INPUT->set('p', stripctl($INPUT->str('p')));
     }
 
     if($INPUT->str('authtok')) {
-- 
cgit v1.2.3