From 4de7877b19e47b57fbafd59a770d1bfb39e78371 Mon Sep 17 00:00:00 2001
From: Brian Lycett
Date: Wed, 9 Mar 2022 15:59:15 +0000
Subject: [PATCH] Update LDAP filter method as suggested by @xgaia

---
 README.md | 2 +-
 www/account_manager/new_user.php | 6 +++---
 www/account_manager/show_group.php | 2 ++
 www/account_manager/show_user.php | 4 ++--
 www/includes/ldap_functions.inc.php | 6 +++---
 www/request_account/index.php | 6 +++---
 6 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 291c7c6..9dfad86 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ Configuration is via environmental variables. Please bear the following in mind
 * `SERVER_PATH` (default: */*): The path to the user manager on the webserver. Useful if running this behind a reverse proxy.
-* `SERVER_PORT` (default: *80 or 80+443*): The port the webserver inside the container will listen on. If undefined then the internal webserver will listen on ports 80 and 443 (if `NO_HTTPS` is true it's just 80) and HTTP traffic is redirected to HTTPS. When set this will disable the redirection and the internal webserver will listen for HTTPS traffic on this port (or for HTTP traffic if `NO_HTTPS` is true). This is for use when the container's Docker network mode is set to `host`.
+* `SERVER_PORT` (default: *80 or 80 & 443*): The port the webserver inside the container will listen on. If undefined then the internal webserver will listen on ports 80 and 443 (if `NO_HTTPS` is true it's just 80) and HTTP traffic is redirected to HTTPS. When set this will disable the redirection and the internal webserver will listen for HTTPS traffic on this port (or for HTTP traffic if `NO_HTTPS` is true). This is for use when the container's Docker network mode is set to `host`.
 * `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing. See [HTTPS certificates](#https-certificates)
diff --git a/www/account_manager/new_user.php b/www/account_manager/new_user.php
index 6d4be75..0a6e961 100644
--- a/www/account_manager/new_user.php
+++ b/www/account_manager/new_user.php
@@ -44,7 +44,7 @@ $new_account_r = array();
 foreach ($attribute_map as $attribute => $attr_r) {
 if (isset($_POST[$attribute])) {
- $$attribute = filter_var($_POST[$attribute], FILTER_SANITIZE_STRING);
+ $$attribute = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 }
 elseif (isset($attr_r['default'])) {
 $$attribute = $attr_r['default'];
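Review bot: The new FILTER_SANITIZE_FULL_SPECIAL_CHARS call in the `isset($_POST[$attribute])` branch is HTML output escaping applied at input time: it converts `&`, `<`, `>`, `"` and `'` to entities before the value goes into `$new_account_r`, so if that array is written to the directory (the write is outside this hunk) a value such as `R&D` is now stored as `R&amp;D`, which the replaced filter did not do. Despite the commit title this is PHP's filter extension, not LDAP escaping; where these values are interpolated into a DN or a search filter further down, `ldap_escape($value, '', LDAP_ESCAPE_DN)` or `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` at that point is the relevant guard, and HTML escaping belongs in the templates that render them. If the intent is only to drop the deprecated FILTER_SANITIZE_STRING, `$$attribute = trim((string) $_POST[$attribute]);` plus per-attribute validation keeps the stored value faithful. The same applies to the -56 hunk below, to show_user.php -53, and to request_account/index.php -28 and -43. The enclosing foreach continues past the end of the hunk.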
@@ -56,10 +56,10 @@ foreach ($attribute_map as $attribute => $attr_r) {
 if (isset($_GET['account_request'])) {
- $givenname=filter_var($_GET['first_name'], FILTER_SANITIZE_STRING);
+ $givenname=filter_var($_GET['first_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 $new_account_r['givenname'] = $givenname;
- $sn=filter_var($_GET['last_name'], FILTER_SANITIZE_STRING);
+ $sn=filter_var($_GET['last_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 $new_account_r['sn'] = $sn;
 $uid = generate_username($givenname,$sn);
diff --git a/www/account_manager/show_group.php b/www/account_manager/show_group.php
index 1cd14bb..90f1d2d 100644
--- a/www/account_manager/show_group.php
+++ b/www/account_manager/show_group.php
@@ -40,6 +40,8 @@ exit(0);
 ######################################################################################
+$initialise_group = FALSE;
+
 if (isset($_POST['new_group'])) {
 $new_group = TRUE;
 $current_members = array();
diff --git a/www/account_manager/show_user.php b/www/account_manager/show_user.php
index c062008..5b38d84 100644
--- a/www/account_manager/show_user.php
+++ b/www/account_manager/show_user.php
@@ -53,7 +53,7 @@ if ($ldap_search) {
 $$attribute = $user[0][$attribute][0];
 if (isset($_POST['update_account']) and isset($_POST[$attribute]) and $_POST[$attribute] != $$attribute) {
- $$attribute = filter_var($_POST[$attribute], FILTER_SANITIZE_STRING);
+ $$attribute = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 $to_update[$attribute] = $$attribute;
 }
 elseif (isset($attr_r['default'])) {
@@ -522,7 +522,7 @@ if ($ldap_search) { -
/show_user.php" method="post"> +
diff --git a/www/includes/ldap_functions.inc.php b/www/includes/ldap_functions.inc.php
index 75d5864..e7b70cc 100644
--- a/www/includes/ldap_functions.inc.php
+++ b/www/includes/ldap_functions.inc.php
@@ -700,19 +700,19 @@ function ldap_complete_account_attribute_array() {
 $this_r = array();
 $kv = explode(":", $this_attr);
- $attr_name = strtolower(filter_var($kv[0], FILTER_SANITIZE_STRING));
+ $attr_name = strtolower(filter_var($kv[0], FILTER_SANITIZE_FULL_SPECIAL_CHARS));
 if (preg_match('/^[a-zA-Z0-9\-]+$/', $attr_name) == 1) {
 if (isset($kv[1]) and $kv[1] != "") {
- $this_r['label'] = filter_var($kv[1], FILTER_SANITIZE_STRING);
+ $this_r['label'] = filter_var($kv[1], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 }
 else {
 $this_r['label'] = $attr_name;
 }
 if (isset($kv[2]) and $kv[2] != "") {
- $this_r['default'] = filter_var($kv[2], FILTER_SANITIZE_STRING);
+ $this_r['default'] = filter_var($kv[2], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 }
 $additional_attributes_r[$attr_name] = $this_r;
diff --git a/www/request_account/index.php b/www/request_account/index.php
index 80e0b38..65e282c 100644
--- a/www/request_account/index.php
+++ b/www/request_account/index.php
@@ -28,14 +28,14 @@ if($_POST) {
 array_push($error_messages, "You didn't enter your first name.");
 }
 else {
- $firstname=filter_var($_POST['firstname'], FILTER_SANITIZE_STRING);
+ $firstname=filter_var($_POST['firstname'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 }
 if (! isset($_POST['lastname']) or $_POST['lastname'] == "") {
 array_push($error_messages, "You didn't enter your first name.");
 }
 else {
- $lastname=filter_var($_POST['lastname'], FILTER_SANITIZE_STRING);
+ $lastname=filter_var($_POST['lastname'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 }
 if (isset($_POST['email']) and $_POST['email'] != "") {
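Review bot: The sanitiser on `$kv[0]` is dead weight because the line right after it only accepts an `$attr_name` matching `/^[a-zA-Z0-9\-]+$/`, so `$attr_name = strtolower($kv[0]);` would behave identically for every accepted value (an entity produced by the filter contains `&` and `;` and is rejected either way). For `$kv[2]`, FILTER_SANITIZE_FULL_SPECIAL_CHARS now turns a configured default such as `R&D` into `R&amp;D`; since `default` appears to be copied straight into new accounts (new_user.php's `$attr_r['default']` branch), that entity-encoded form is what would end up in the directory, and `$this_attr` presumably comes from configuration rather than from a request. ldap_complete_account_attribute_array begins before the hunk.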
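Review bot: The `lastname` branch still pushes "You didn't enter your first name." when `$_POST['lastname']` is empty, the same message the `firstname` branch above it uses; the line is unchanged by this commit but sits between the two edited lines and should read `array_push($error_messages, "You didn't enter your last name.");`. The enclosing `if($_POST)` block starts and ends outside the hunk.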
@@ -43,7 +43,7 @@ if($_POST) {
 }
 if (isset($_POST['notes']) and $_POST['notes'] != "") {
- $notes=filter_var($_POST['notes'], FILTER_SANITIZE_STRING);
+ $notes=filter_var($_POST['notes'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 }