Move the Null-Byte LDAP check to the user manager
The existing method is deprecated and is just a wrapper around the manager method. Since other code paths might call the manager method directly in the future, the check needs to be performed there. Related to http://owncloud.org/security/advisory/?id=oc-sa-2014-020
parent
77c4c2856a
commit
f6820406b6
|
@ -212,9 +212,6 @@ class OC_User {
|
||||||
* Log in a user and regenerate a new session - if the password is ok
|
* Log in a user and regenerate a new session - if the password is ok
|
||||||
*/
|
*/
|
||||||
public static function login($loginname, $password) {
|
public static function login($loginname, $password) {
|
||||||
$loginname = str_replace("\0", '', $loginname);
|
|
||||||
$password = str_replace("\0", '', $password);
|
|
||||||
|
|
||||||
session_regenerate_id(true);
|
session_regenerate_id(true);
|
||||||
$result = self::getUserSession()->login($loginname, $password);
|
$result = self::getUserSession()->login($loginname, $password);
|
||||||
if ($result) {
|
if ($result) {
|
||||||
|
|
|
@ -151,6 +151,9 @@ class Manager extends PublicEmitter implements IUserManager {
|
||||||
* @return mixed the User object on success, false otherwise
|
* @return mixed the User object on success, false otherwise
|
||||||
*/
|
*/
|
||||||
public function checkPassword($loginname, $password) {
|
public function checkPassword($loginname, $password) {
|
||||||
|
$loginname = str_replace("\0", '', $loginname);
|
||||||
|
$password = str_replace("\0", '', $password);
|
||||||
|
|
||||||
foreach ($this->backends as $backend) {
|
foreach ($this->backends as $backend) {
|
||||||
if ($backend->implementsActions(\OC_User_Backend::CHECK_PASSWORD)) {
|
if ($backend->implementsActions(\OC_User_Backend::CHECK_PASSWORD)) {
|
||||||
$uid = $backend->checkPassword($loginname, $password);
|
$uid = $backend->checkPassword($loginname, $password);
|
||||||
|
|
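Review bot: After the two added `str_replace("\0", '', …)` calls in `checkPassword`, a password made up only of NUL bytes becomes an empty string and is still passed to every backend. Whether each backend rejects an empty password is not visible here, so a guard such as `if ($password === '') { return false; }` right after the strip is worth considering, provided no backend legitimately accepts empty passwords. The strip also carries no comment, so a later cleanup could drop it; a line like `// Strip NUL bytes before credentials reach any backend, see oc-sa-2014-020` would record why it is there. The body of `checkPassword` continues past the end of this hunk, and the matching removal in `OC_User::login` is only safe if the session login always reaches this method, which the page does not show.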