<?php
/**
 * EGroupware - NTLM or other http auth access without login page
 *
 * Creates an EGroupware session from the REMOTE_USER the webserver has already
 * authenticated (NTLM, Kerberos, Basic, ...) and then redirects to the requested
 * page, so no login form is shown. Redirect targets are restricted by check_domain()
 * so this script cannot be used as an open redirector.
 *
 * @link http://www.egroupware.org
 * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
 * @package api
 * @subpackage authentication
 * @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
 * @copyright (c) 2008-2016 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
 * @version $Id$
 */

use EGroupware\Api;
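/**
 * Check if a redirect target stays on an allowed host
 *
 * Used to NOT redirect to arbitrary urls (open redirect). A target is accepted if it is
 * - a plain path starting with "/" (but NOT "//host" or "/\host", which browsers treat as
 *   scheme-relative urls and would follow to a foreign host), or
 * - an absolute http(s) url whose host[:port] equals the current HTTP_HOST, the host of the
 *   configured webserver_url, or one of the additional names listed in $whitelisted.
 *
 * Non-http(s) schemes (javascript:, data:, ...) are rejected even if the host part matches.
 * Hostnames are compared case-insensitive, as DNS names are.
 *
 * NOTE(review): HTTP_HOST is taken from the client's Host header; it only anchors this check
 * if the webserver rejects requests for unknown Host values (no catch-all virtual host).
 *
 * @param string $url full url or just path, later is always allowed, as it stays within the domain
 * @return boolean true if redirecting to $url is ok, false otherwise (also for empty or non-string input)
 */
function check_domain($url)
{
	if (!is_string($url) || $url === '')
	{
		return false;
	}
	// plain path: stays within the domain, unless it is a scheme-relative "//host" or "/\host" url
	if ($url[0] === '/')
	{
		return !isset($url[1]) || ($url[1] !== '/' && $url[1] !== '\\');
	}
	$whitelisted = array(
		isset($_SERVER['HTTP_HOST']) ? strtolower($_SERVER['HTTP_HOST']) : '',	// can contain :port
		// add additional domains-names (just full qualified hostnames) here

	);
	if (isset($GLOBALS['egw_info']['server']['webserver_url'][0]) &&
		$GLOBALS['egw_info']['server']['webserver_url'][0] === 'h')
	{
		$egw_host = parse_url($GLOBALS['egw_info']['server']['webserver_url'], PHP_URL_HOST);
		// a null/empty host must never end up in the whitelist (it would loosely match a hostless url)
		if (is_string($egw_host) && $egw_host !== '')
		{
			$whitelisted[] = strtolower($egw_host);
		}
	}
	$parts = parse_url($url);
	// malformed url, no host, or a scheme other than http(s) is never ok
	if ($parts === false || empty($parts['host']) || empty($parts['scheme']) ||
		!in_array(strtolower($parts['scheme']), array('http', 'https'), true))
	{
		return false;
	}
	$host = strtolower($parts['host']).(!empty($parts['port']) ? ':'.$parts['port'] : '');

	return in_array($host, $whitelisted, true);
}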
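/**
 * Check if the given user has access
 *
 * Used as 'autocreate_session_callback' by header.inc.php. REMOTE_USER is only trusted if
 * the webserver also set AUTH_TYPE to one of the configured http_auth_types; the session is
 * then created WITHOUT EGroupware checking a password, so the webserver's auth module
 * (NTLM, Kerberos, Basic, ...) is the only authentication step. A NTLM style "DOMAIN\user"
 * REMOTE_USER is reduced to "user".
 *
 * If no session can be created (not authenticated by the webserver, or no matching account),
 * the browser is redirected to a whitelisted ?forward= url or to the login page and the
 * script exits.
 *
 * @param string &$account set to the account name taken from REMOTE_USER (without domain prefix)
 * @return string session-id as returned by session->create()
 */
function check_access(&$account)
{
	//error_log("AUTH_TYPE={$_SERVER['AUTH_TYPE']}, REMOTE_USER={$_SERVER['REMOTE_USER']}, HTTP_USER_AGENT={$_SERVER['HTTP_USER_AGENT']}, http_auth_types={$GLOBALS['egw_info']['server']['http_auth_types']}");
	$sessionid = null;

	$auth_types = isset($GLOBALS['egw_info']['server']['http_auth_types']) ?
		$GLOBALS['egw_info']['server']['http_auth_types'] : '';
	// configured list is comma-separated, allow whitespace around the names (eg. "NTLM, Basic")
	if (!empty($_SERVER['REMOTE_USER']) && isset($_SERVER['AUTH_TYPE']) && $auth_types &&
		in_array(strtoupper($_SERVER['AUTH_TYPE']), array_map('trim', explode(',', strtoupper($auth_types))), true))
	{
		$account = $_SERVER['REMOTE_USER'];
		// strip a "DOMAIN\" prefix, EGroupware accounts have no domain part
		if (strpos($account, '\\') !== false)
		{
			list(, $account) = explode('\\', $account, 2);
		}
		$sessionid = $GLOBALS['egw']->session->create($account, null, 'ntlm', false, false);	// false=no auth check
		//error_log("create('$account',null,'ntlm',false,false)=$sessionid ({$GLOBALS['egw']->session->reason})");
	}
	if (!$sessionid)
	{
		// no session: send the user to a whitelisted forward url, otherwise to the login page
		if (isset($_GET['forward']) && check_domain($_GET['forward']))
		{
			header('Location: '.$_GET['forward']);
		}
		else
		{
			header('Location: ../../login.php'.(isset($_REQUEST['phpgw_forward']) ? '?phpgw_forward='.urlencode($_REQUEST['phpgw_forward']) : ''));
		}
		exit;
	}
	return $sessionid;
}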
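// no html header, and check_access() creates the session from the webserver's REMOTE_USER
$GLOBALS['egw_info']['flags'] = array(
	'noheader'  => True,
	'currentapp' => 'api',
	'autocreate_session_callback' => 'check_access',
);
// if you move this file somewhere else, you need to adapt the path to the header!
include(dirname(__FILE__).'/../../header.inc.php');

// where to send the now logged in user: only a whitelisted ?forward= url may leave the
// EGroupware directory, phpgw_forward is always resolved relative to it
if (isset($_GET['forward']) && check_domain($_GET['forward']))
{
	$forward = $_GET['forward'];
	Api\Cache::setSession('login', 'referer', $forward);
}
elseif (!empty($_REQUEST['phpgw_forward']))
{
	// NOTE(review): the GET value is urldecoded once more while a POST value is used as is;
	// kept as is, presumably matching how login.php passes phpgw_forward - confirm
	$forward = '../..'.(isset($_GET['phpgw_forward']) ? urldecode($_GET['phpgw_forward']) :
		(isset($_POST['phpgw_forward']) ? $_POST['phpgw_forward'] : ''));
}
else
{
	$forward = '../../index.php';
}
// commiting the session, before redirecting might fix racecondition in session creation
$GLOBALS['egw']->session->commit_session();
header('Location: '.$forward);
exit;	// nothing else may be sent after the redirect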