mirror of
https://we.phorge.it/source/phorge.git
synced 2024-09-19 16:58:48 +02:00
Prevent the ability to scrape for valid usernames
- return the same error message when either bind or the username search fails to find a user - config variables should use hypen and not underscore
This commit is contained in:
Michael Ossareh
parent
0a0607d2f7
commit
a9af5d611d
4 changed files with 48 additions and 6 deletions
|
|
@ -648,7 +648,7 @@ return array(
|
||||||
'ldap.search-first' => false,
|
'ldap.search-first' => false,
|
||||||
|
|
||||||
// The attribute to search for if you have to search for a user
|
// The attribute to search for if you have to search for a user
|
||||||
'ldap.username_attribute' => '',
|
'ldap.username-attribute' => '',
|
||||||
|
|
||||||
// The attribute(s) to be regarded as 'real name'.
|
// The attribute(s) to be regarded as 'real name'.
|
||||||
// If more then one attribute is supplied the values of the attributes in
|
// If more then one attribute is supplied the values of the attributes in
|
||||||
|
|
|
||||||
|
|
@ -710,6 +710,7 @@ phutil_register_library_map(array(
|
||||||
'PhabricatorLDAPLoginController' => 'applications/auth/controller/PhabricatorLDAPLoginController.php',
|
'PhabricatorLDAPLoginController' => 'applications/auth/controller/PhabricatorLDAPLoginController.php',
|
||||||
'PhabricatorLDAPProvider' => 'applications/auth/ldap/PhabricatorLDAPProvider.php',
|
'PhabricatorLDAPProvider' => 'applications/auth/ldap/PhabricatorLDAPProvider.php',
|
||||||
'PhabricatorLDAPRegistrationController' => 'applications/auth/controller/PhabricatorLDAPRegistrationController.php',
|
'PhabricatorLDAPRegistrationController' => 'applications/auth/controller/PhabricatorLDAPRegistrationController.php',
|
||||||
|
'PhabricatorLDAPUnknownUserException' => 'applications/auth/ldap/PhabricatorLDAPUnknownUserException.php',
|
||||||
'PhabricatorLDAPUnlinkController' => 'applications/auth/controller/PhabricatorLDAPUnlinkController.php',
|
'PhabricatorLDAPUnlinkController' => 'applications/auth/controller/PhabricatorLDAPUnlinkController.php',
|
||||||
'PhabricatorLintEngine' => 'infrastructure/lint/PhabricatorLintEngine.php',
|
'PhabricatorLintEngine' => 'infrastructure/lint/PhabricatorLintEngine.php',
|
||||||
'PhabricatorLiskDAO' => 'infrastructure/storage/lisk/PhabricatorLiskDAO.php',
|
'PhabricatorLiskDAO' => 'infrastructure/storage/lisk/PhabricatorLiskDAO.php',
|
||||||
|
|
@ -1727,6 +1728,7 @@ phutil_register_library_map(array(
|
||||||
'PhabricatorJavelinLinter' => 'ArcanistLinter',
|
'PhabricatorJavelinLinter' => 'ArcanistLinter',
|
||||||
'PhabricatorLDAPLoginController' => 'PhabricatorAuthController',
|
'PhabricatorLDAPLoginController' => 'PhabricatorAuthController',
|
||||||
'PhabricatorLDAPRegistrationController' => 'PhabricatorAuthController',
|
'PhabricatorLDAPRegistrationController' => 'PhabricatorAuthController',
|
||||||
|
'PhabricatorLDAPUnknownUserException' => 'Exception',
|
||||||
'PhabricatorLDAPUnlinkController' => 'PhabricatorAuthController',
|
'PhabricatorLDAPUnlinkController' => 'PhabricatorAuthController',
|
||||||
'PhabricatorLintEngine' => 'PhutilLintEngine',
|
'PhabricatorLintEngine' => 'PhutilLintEngine',
|
||||||
'PhabricatorLiskDAO' => 'LiskDAO',
|
'PhabricatorLiskDAO' => 'LiskDAO',
|
||||||
|
|
|
||||||
|
|
@ -17,6 +17,10 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
final class PhabricatorLDAPProvider {
|
final class PhabricatorLDAPProvider {
|
||||||
|
// http://www.php.net/manual/en/function.ldap-errno.php#20665 states
|
||||||
|
// that the number could be 31 or 49, in testing it has always been 49
|
||||||
|
const LDAP_INVALID_CREDENTIALS = 49;
|
||||||
|
|
||||||
private $userData;
|
private $userData;
|
||||||
private $connection;
|
private $connection;
|
||||||
|
|
||||||
|
|
@ -47,7 +51,7 @@ final class PhabricatorLDAPProvider {
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getUsernameAttribute() {
|
public function getUsernameAttribute() {
|
||||||
return PhabricatorEnv::getEnvConfig('ldap.username_attribute');
|
return PhabricatorEnv::getEnvConfig('ldap.username-attribute');
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getLDAPVersion() {
|
public function getLDAPVersion() {
|
||||||
|
|
@ -116,14 +120,28 @@ final class PhabricatorLDAPProvider {
|
||||||
return $this->userData;
|
return $this->userData;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private function invalidLDAPUserErrorMessage($errno, $errmsg) {
|
||||||
|
return "LDAP Error #".$errno.": ".$errmsg;
|
||||||
|
}
|
||||||
|
|
||||||
public function auth($username, PhutilOpaqueEnvelope $password) {
|
public function auth($username, PhutilOpaqueEnvelope $password) {
|
||||||
if (strlen(trim($username)) == 0) {
|
if (strlen(trim($username)) == 0) {
|
||||||
throw new Exception('Username can not be empty');
|
throw new Exception('Username can not be empty');
|
||||||
}
|
}
|
||||||
|
|
||||||
if (PhabricatorEnv::getEnvConfig('ldap.search-first')) {
|
if (PhabricatorEnv::getEnvConfig('ldap.search-first')) {
|
||||||
$user = $this->getUser($this->getUsernameAttribute(), $username);
|
// To protect against people phishing for accounts we catch the
|
||||||
$username = $user[($this->getSearchAttribute())][0];
|
// exception and present the default exception that would be presented
|
||||||
|
// in the case of a failed bind.
|
||||||
|
try {
|
||||||
|
$user = $this->getUser($this->getUsernameAttribute(), $username);
|
||||||
|
$username = $user[$this->getSearchAttribute()][0];
|
||||||
|
} catch (PhabricatorLDAPUnknownUserException $e) {
|
||||||
|
throw new Exception(
|
||||||
|
$this->invalidLDAPUserErrorMessage(
|
||||||
|
self::LDAP_INVALID_CREDENTIALS,
|
||||||
|
ldap_err2str(self::LDAP_INVALID_CREDENTIALS)));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$conn = $this->getConnection();
|
$conn = $this->getConnection();
|
||||||
|
|
@ -149,7 +167,9 @@ final class PhabricatorLDAPProvider {
|
||||||
|
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
throw new Exception(
|
throw new Exception(
|
||||||
"LDAP Error #".ldap_errno($conn).": ".ldap_error($conn));
|
$this->invalidLDAPUserErrorMessage(
|
||||||
|
ldap_errno($conn),
|
||||||
|
ldap_error($conn)));
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->userData = $this->getUser($this->getSearchAttribute(), $username);
|
$this->userData = $this->getUser($this->getSearchAttribute(), $username);
|
||||||
|
|
@ -183,7 +203,7 @@ final class PhabricatorLDAPProvider {
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($entries['count'] == 0) {
|
if ($entries['count'] == 0) {
|
||||||
throw new Exception('Could not find user');
|
throw new PhabricatorLDAPUnknownUserException('Could not find user');
|
||||||
}
|
}
|
||||||
|
|
||||||
return $entries[0];
|
return $entries[0];
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,20 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Copyright 2012 Facebook, Inc.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
final class PhabricatorLDAPUnknownUserException extends Exception{
|
||||||
|
}
|
||||||
Loading…
Reference in a new issue