<?php
/**
 * XOOPS Authentification base class
 *
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 * @copyright (c) 2000-2016 XOOPS Project (www.xoops.org)
 * @license GNU GPL 2 (https://www.gnu.org/licenses/gpl-2.0.html)
 * @package kernel
 * @subpackage auth
 * @since 2.0
 * @author Pierre-Eric MENUET <[email protected]>
 */

// Refuse direct access: this file is only meaningful when loaded by the XOOPS kernel.
if (!defined('XOOPS_ROOT_PATH')) {
    exit('Restricted access');
}

/**
 * Authentication class for Active Directory
 *
 * Builds on the generic LDAP authentication class, which must be loaded first.
 *
 * @package kernel
 * @subpackage auth
 * @author Pierre-Eric MENUET <[email protected]>
 * @copyright (c) 2000-2016 XOOPS Project (www.xoops.org)
 */
include_once $GLOBALS['xoops']->path('class/auth/auth_ldap.php');
/**
 * XoopsAuthAds
 *
 * Active Directory flavour of the LDAP authentication service: the user is
 * bound as userPrincipalName (uname@domain) rather than by a DN lookup.
 *
 * @package kernel
 * @subpackage auth
 * @author John
 * @copyright (c) 2000-2016 XOOPS Project (www.xoops.org)
 * @access public
 */
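class XoopsAuthAds extends XoopsAuthLdap
{
    /**
     * Authentication Service constructor
     *
     * @param XoopsDatabase|null $dao database handle passed through to the LDAP parent class
     */
    public function __construct(?XoopsDatabase $dao = null)
    {
        parent::__construct($dao);
    }

    /**
     * Authenticate a user against Active Directory (bind as UPN).
     *
     * The credentials are verified by binding to the directory as
     * uname@domain (see getUPN()). On a successful bind the user's DN is
     * looked up and the XOOPS user record is loaded via the parent class.
     *
     * Every exit path closes the LDAP connection that this method opened;
     * a failed StartTLS or an empty password aborts before any bind.
     *
     * @param string      $uname Username
     * @param string|null $pwd   Password
     *
     * @return bool|mixed false on failure, otherwise the result of loadXoopsUser()
     */
    public function authenticate($uname, $pwd = null)
    {
        if (!extension_loaded('ldap')) {
            $this->setErrors(0, _AUTH_LDAP_EXTENSION_NOT_LOAD);

            return false;
        }

        // An empty password must never reach ldap_bind(): a bind with a name
        // and no password is treated by the directory as an anonymous /
        // unauthenticated bind, which commonly succeeds and would wrongly
        // authenticate the account.
        if ($pwd === null || $pwd === '') {
            return false;
        }

        $this->_ds = ldap_connect($this->ldap_server, $this->ldap_port);
        if (!$this->_ds) {
            $this->setErrors(0, _AUTH_LDAP_SERVER_NOT_FOUND);

            // Nothing to close: ldap_connect() did not return a handle.
            return false;
        }

        ldap_set_option($this->_ds, LDAP_OPT_PROTOCOL_VERSION, $this->ldap_version);
        // Referral chasing is disabled; presumably required for AD forests,
        // which hand out referrals for other partitions — confirm before changing.
        ldap_set_option($this->_ds, LDAP_OPT_REFERRALS, 0);

        if ($this->ldap_use_TLS) {
            // TLS was requested by configuration: if StartTLS fails, abort
            // instead of falling back to sending the password in cleartext.
            if (!ldap_start_tls($this->_ds)) {
                $this->setErrors(0, _AUTH_LDAP_START_TLS_FAILED);
                ldap_close($this->_ds);

                return false;
            }
        }

        // The uid is not always part of the DN, so bind with the UPN instead.
        $userUPN = $this->getUPN($uname);
        if (!$userUPN) {
            ldap_close($this->_ds);

            return false;
        }

        // Bind as the user: the directory verifies the credentials.
        // stripslashes()/cp1252_to_utf8() are kept for compatibility with how
        // the parent class transports the password — presumably a
        // magic_quotes-era conversion; confirm before removing.
        $authenticated = ldap_bind($this->_ds, $userUPN, $this->cp1252_to_utf8(stripslashes($pwd)));
        if (!$authenticated) {
            $errno = ldap_errno($this->_ds);
            $this->setErrors($errno, ldap_err2str($errno) . '(' . $userUPN . ')');
            ldap_close($this->_ds);

            return false;
        }

        // Credentials are valid: resolve the DN and load the XOOPS user record
        // while the bound connection is still open.
        $dn     = $this->getUserDN($uname);
        $result = $dn ? $this->loadXoopsUser($dn, $uname, $pwd) : false;
        ldap_close($this->_ds);

        return $result;
    }

    /**
     * Return the UPN = userPrincipalName (Active Directory).
     *
     * The UPN has the form user@domain, looks like an email address and must
     * be unique within the forest; it is the identity bound in authenticate().
     *
     * @param string $uname Username as entered at login
     *
     * @return string uname joined with the configured ldap_domain_name
     */
    public function getUPN($uname)
    {
        return $uname . '@' . $this->ldap_domain_name;
    }
}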