From 395c2f0ff3e87977ea2573587a11f4ef294433f2 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Tue, 23 Sep 2014 20:17:49 +0200
Subject: clean user credentials from control chars

This is to prevent zero byte attacks on external auth systems as described in http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
---
 inc/auth.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'inc')

diff --git a/inc/auth.php b/inc/auth.php
index e224b2fb5..7477ae7ef 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -95,9 +95,10 @@ function auth_setup() {
 $INPUT->set('http_credentials', true);
 }
- // apply cleaning
+ // apply cleaning (auth specific user names, remove control chars)
 if (true === $auth->success) {
- $INPUT->set('u', $auth->cleanUser($INPUT->str('u')));
+ $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u'))));
+ $INPUT->set('p', stripctl($INPUT->str('p')));
 }
 if($INPUT->str('authtok')) {
--
cgit v1.2.3

From 5e9e1054045318cfb23f64db7be36a677dc9481a Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Fri, 26 Sep 2014 10:36:05 +0200
Subject: do not allow empty passwords

When a username but no password is submitted, the login is denied right away instead of relying on the backend to refuse the login.
---
 inc/auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'inc')

diff --git a/inc/auth.php b/inc/auth.php
index 7477ae7ef..037f7e78f 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -229,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
 if(!empty($user)) {
 //usual login
- if($auth->checkPass($user, $pass)) {
+ if(!empty($pass) && $auth->checkPass($user, $pass)) {
 // make logininfo globally available
 $INPUT->server->set('REMOTE_USER', $user);
 $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
--
cgit v1.2.3
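Review bot: The new `$INPUT->set('p', stripctl($INPUT->str('p')))` line normalises the password silently instead of rejecting it: a password that legitimately contains a control character (a tab, say) is altered before checkPass() ever sees it, so the user gets a generic login failure with no indication why, and nothing is logged. Since the stated goal is blocking NUL-byte poisoning of external backends, failing closed when `stripctl($p) !== $p` (and likewise for the user name before cleanUser()) would be easier to audit than rewriting the value; at minimum the comment should say so, e.g. `// control chars are stripped, not rejected: a credential containing them can never authenticate as typed`. Whether stripctl() covers 0x00 and 0x7F is not visible in this hunk and should be confirmed against its definition, as the commit message relies on NUL being removed. auth_setup() begins and ends outside this hunk.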
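Review bot: `!empty($pass)` in the changed condition rejects more than the missing password: in PHP `empty('0')` is true, so an account whose password is the single character `0` can no longer log in even though the backend would accept it. Testing for the empty string explicitly avoids that, e.g. `if((string) $pass !== '' && $auth->checkPass($user, $pass)) {`, with the cast also covering a null `$pass` from callers that pass nothing. The pre-existing `if(!empty($user))` line above has the same quirk for a user named `0`, though that predates this commit. auth_login()'s body continues outside the hunk.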