makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-08 20:38:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ticket/8713] Do not trim login inputs

Browse source 
Create a function to request variables which are not trimmed.

All requests for passwords (except forum passwords) now use the
untrimmed request function.

PHPBB3-8713
This commit is contained in:
Nathaniel Guse 2012-09-03 13:32:33 -05:00
parent 7bf598954c
commit b3cd5a649b
9 changed files with 104 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
phpBB/includes/acp/acp_language.php
View file

@ -100,11 +100,11 @@ class acp_language
switch ($method) switch ($method)
{ {
case 'ftp': case 'ftp':
$transfer = new ftp(request_var('host', ''), request_var('username', ''), request_var('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', '')); $transfer = new ftp(request_var('host', ''), request_var('username', ''), $request->untrimed_variable('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', ''));
break; break;
case 'ftp_fsock': case 'ftp_fsock':
$transfer = new ftp_fsock(request_var('host', ''), request_var('username', ''), request_var('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', '')); $transfer = new ftp_fsock(request_var('host', ''), request_var('username', ''), $request->untrimed_variable('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', ''));
break; break;
default: default:
@ -404,7 +404,7 @@ class acp_language
trigger_error($user->lang['INVALID_UPLOAD_METHOD'], E_USER_ERROR); trigger_error($user->lang['INVALID_UPLOAD_METHOD'], E_USER_ERROR);
} }
$transfer = new $method(request_var('host', ''), request_var('username', ''), request_var('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', '')); $transfer = new $method(request_var('host', ''), request_var('username', ''), $request->untrimed_variable('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', ''));
if (($result = $transfer->open_session()) !== true) if (($result = $transfer->open_session()) !== true)
{ {

6
phpBB/includes/acp/acp_users.php
View file

@ -32,7 +32,7 @@ class acp_users
{ {
global $config, $db, $user, $auth, $template, $cache; global $config, $db, $user, $auth, $template, $cache;
global $phpbb_root_path, $phpbb_admin_path, $phpEx, $table_prefix, $file_uploads; global $phpbb_root_path, $phpbb_admin_path, $phpEx, $table_prefix, $file_uploads;
global $phpbb_dispatcher; global $phpbb_dispatcher, $request;
$user->add_lang(array('posting', 'ucp', 'acp/users')); $user->add_lang(array('posting', 'ucp', 'acp/users'));
$this->tpl_name = 'acp_users'; $this->tpl_name = 'acp_users';
@ -770,8 +770,8 @@ class acp_users
'username' => utf8_normalize_nfc(request_var('user', $user_row['username'], true)), 'username' => utf8_normalize_nfc(request_var('user', $user_row['username'], true)),
'user_founder' => request_var('user_founder', ($user_row['user_type'] == USER_FOUNDER) ? 1 : 0), 'user_founder' => request_var('user_founder', ($user_row['user_type'] == USER_FOUNDER) ? 1 : 0),
'email' => strtolower(request_var('user_email', $user_row['user_email'])), 'email' => strtolower(request_var('user_email', $user_row['user_email'])),
'new_password' => request_var('new_password', '', true), 'new_password' => $request->untrimed_variable('new_password', '', true),
'password_confirm' => request_var('password_confirm', '', true), 'password_confirm' => $request->untrimed_variable('password_confirm', '', true),
); );
// Validation data - we do not check the password complexity setting here // Validation data - we do not check the password complexity setting here

4
phpBB/includes/functions.php
View file

@ -3044,11 +3044,11 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
trigger_error('NO_AUTH_ADMIN'); trigger_error('NO_AUTH_ADMIN');
} }
$password = request_var('password_' . $credential, '', true); $password = $request->untrimed_variable('password_' . $credential, '', true);
} }
else else
{ {
$password = request_var('password', '', true); $password = $request->untrimed_variable('password', '', true);
} }
$username = request_var('username', '', true); $username = request_var('username', '', true);

63
phpBB/includes/request/request.php
View file

@ -242,6 +242,69 @@ class phpbb_request implements phpbb_request_interface
return $var; return $var;
} }
/**
* Get a variable, but without trimming strings
* Same functionality as variable(), except does not run trim() on strings
* All variables in GET or POST requests should be retrieved through this function to maximise security.
*
* @param string|array $var_name The form variable's name from which data shall be retrieved.
* If the value is an array this may be an array of indizes which will give
* direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
* then specifying array("var", 1) as the name will return "a".
* @param mixed $default A default value that is returned if the variable was not set.
* This function will always return a value of the same type as the default.
* @param bool $multibyte If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
* Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
* @param phpbb_request_interface::POST|GET|REQUEST|COOKIE $super_global
* Specifies which super global should be used
*
* @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
* the same as that of $default. If the variable is not set $default is returned.
*/
public function untrimed_variable($var_name, $default, $multibyte, $super_global = phpbb_request_interface::REQUEST)
{
$path = false;
// deep direct access to multi dimensional arrays
if (is_array($var_name))
{
$path = $var_name;
// make sure at least the variable name is specified
if (empty($path))
{
return (is_array($default)) ? array() : $default;
}
// the variable name is the first element on the path
$var_name = array_shift($path);
}
if (!isset($this->input[$super_global][$var_name]))
{
return (is_array($default)) ? array() : $default;
}
$var = $this->input[$super_global][$var_name];
if ($path)
{
// walk through the array structure and find the element we are looking for
foreach ($path as $key)
{
if (is_array($var) && isset($var[$key]))
{
$var = $var[$key];
}
else
{
return (is_array($default)) ? array() : $default;
}
}
}
$this->type_cast_helper->recursive_set_var($var, $default, $multibyte, false);
return $var;
}
/** /**
* Shortcut method to retrieve SERVER variables. * Shortcut method to retrieve SERVER variables.
* *

22
phpBB/includes/request/type_cast_helper.php
View file

@ -93,15 +93,23 @@ class phpbb_request_type_cast_helper implements phpbb_request_type_cast_helper_i
* @param mixed $type The variable type. Will be used with {@link settype()} * @param mixed $type The variable type. Will be used with {@link settype()}
* @param bool $multibyte Indicates whether string values may contain UTF-8 characters. * @param bool $multibyte Indicates whether string values may contain UTF-8 characters.
* Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks. * Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks.
* @param bool $trim Indicates whether string values will be be parsed with trim()
* Default is true
*/ */
public function set_var(&$result, $var, $type, $multibyte = false) public function set_var(&$result, $var, $type, $multibyte = false, $trim = true)
{ {
settype($var, $type); settype($var, $type);
$result = $var; $result = $var;
if ($type == 'string') if ($type == 'string')
{ {
$result = trim(str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $result)); $result = str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $result);
if ($trim)
{
$result = trim($result);
}
$result = htmlspecialchars($result, ENT_COMPAT, 'UTF-8'); $result = htmlspecialchars($result, ENT_COMPAT, 'UTF-8');
if ($multibyte) if ($multibyte)
@ -141,8 +149,10 @@ class phpbb_request_type_cast_helper implements phpbb_request_type_cast_helper_i
* @param bool $multibyte Indicates whether string keys and values may contain UTF-8 characters. * @param bool $multibyte Indicates whether string keys and values may contain UTF-8 characters.
* Default is false, causing all bytes outside the ASCII range (0-127) to * Default is false, causing all bytes outside the ASCII range (0-127) to
* be replaced with question marks. * be replaced with question marks.
* @param bool $trim Indicates whether string values will be be parsed with trim()
* Default is true
*/ */
public function recursive_set_var(&$var, $default, $multibyte) public function recursive_set_var(&$var, $default, $multibyte, $trim = true)
{ {
if (is_array($var) !== is_array($default)) if (is_array($var) !== is_array($default))
{ {
@ -153,7 +163,7 @@ class phpbb_request_type_cast_helper implements phpbb_request_type_cast_helper_i
if (!is_array($default)) if (!is_array($default))
{ {
$type = gettype($default); $type = gettype($default);
$this->set_var($var, $var, $type, $multibyte); $this->set_var($var, $var, $type, $multibyte, $trim);
} }
else else
{ {
@ -174,9 +184,9 @@ class phpbb_request_type_cast_helper implements phpbb_request_type_cast_helper_i
foreach ($_var as $k => $v) foreach ($_var as $k => $v)
{ {
$this->set_var($k, $k, $key_type, $multibyte, $multibyte); $this->set_var($k, $k, $key_type, $multibyte, $trim);
$this->recursive_set_var($v, $default_value, $multibyte); $this->recursive_set_var($v, $default_value, $multibyte, $trim);
$var[$k] = $v; $var[$k] = $v;
} }
} }

6
phpBB/includes/ucp/ucp_profile.php
View file

@ -46,9 +46,9 @@ class ucp_profile
$data = array( $data = array(
'username' => utf8_normalize_nfc(request_var('username', $user->data['username'], true)), 'username' => utf8_normalize_nfc(request_var('username', $user->data['username'], true)),
'email' => strtolower(request_var('email', $user->data['user_email'])), 'email' => strtolower(request_var('email', $user->data['user_email'])),
'new_password' => request_var('new_password', '', true), 'new_password' => $request->untrimed_variable('new_password', '', true),
'cur_password' => request_var('cur_password', '', true), 'cur_password' => $request->untrimed_variable('cur_password', '', true),
'password_confirm' => request_var('password_confirm', '', true), 'password_confirm' => $request->untrimed_variable('password_confirm', '', true),
); );
add_form_key('ucp_reg_details'); add_form_key('ucp_reg_details');

4
phpBB/includes/ucp/ucp_register.php
View file

@ -170,8 +170,8 @@ class ucp_register
$data = array( $data = array(
'username' => utf8_normalize_nfc(request_var('username', '', true)), 'username' => utf8_normalize_nfc(request_var('username', '', true)),
'new_password' => request_var('new_password', '', true), 'new_password' => $request->untrimed_variable('new_password', '', true),
'password_confirm' => request_var('password_confirm', '', true), 'password_confirm' => $request->untrimed_variable('password_confirm', '', true),
'email' => strtolower(request_var('email', '')), 'email' => strtolower(request_var('email', '')),
'lang' => basename(request_var('lang', $user->lang_name)), 'lang' => basename(request_var('lang', $user->lang_name)),
'tz' => request_var('tz', $timezone), 'tz' => request_var('tz', $timezone),

4
phpBB/install/install_update.php
View file

@ -862,7 +862,7 @@ class install_update extends module
$test_connection = false; $test_connection = false;
if ($test_ftp_connection || $submit) if ($test_ftp_connection || $submit)
{ {
$transfer = new $method(request_var('host', ''), request_var('username', ''), request_var('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', '')); $transfer = new $method(request_var('host', ''), request_var('username', ''), $request->untrimed_variable('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', ''));
$test_connection = $transfer->open_session(); $test_connection = $transfer->open_session();
// Make sure that the directory is correct by checking for the existence of common.php // Make sure that the directory is correct by checking for the existence of common.php
@ -948,7 +948,7 @@ class install_update extends module
} }
else else
{ {
$transfer = new $method(request_var('host', ''), request_var('username', ''), request_var('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', '')); $transfer = new $method(request_var('host', ''), request_var('username', ''), $request->untrimed_variable('password', ''), request_var('root_path', ''), request_var('port', ''), request_var('timeout', ''));
$transfer->open_session(); $transfer->open_session();
} }

10
tests/request/type_cast_helper_test.php
View file

@ -48,4 +48,14 @@ class phpbb_type_cast_helper_test extends phpbb_test_case
$this->assertEquals($expected, $data); $this->assertEquals($expected, $data);
} }
public function test_untrimmed_strings()
{
$data = array(' eviL<3 ');
$expected = array(' eviL&lt;3 ');
$this->type_cast_helper->recursive_set_var($data, '', true, false);
$this->assertEquals($expected, $data);
}
} }