filter out everything but A-Z a-z 0-9 . - _ from username

85884a6c · Imran Hussain · 9c8e7ad0 · 85884a6c
Commit 85884a6c authored 1 year ago by Imran Hussain
--- a/ldap-auth.php
+++ b/ldap-auth.php
@@ -47,13 +47,21 @@ function ldapAuth($username, $password)
            $username = implode("@", $s);
        }

+        // filter out everything but A-Z a-z 0-9 . - _ from username
+        $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $username);
+
+        // if safeusername isn't the same as username just error out
+        if ($safeusername != $username) {
+            return "nope";
+        }
+
        // ldap servers
        $sucsLDAPServer = 'silver.sucs.swan.ac.uk';
        $issLDAPServer = '192.168.10.16';

        // how to bind
-        $sucsBindDn = "uid=$username,ou=People,dc=sucs,dc=org";
-        $issBindDn = "cn=$username,ou=Students,ou=Active,ou=Resources,o=Swansea";
+        $sucsBindDn = "uid=$safeusername,ou=People,dc=sucs,dc=org";
+        $issBindDn = "cn=$safeusername,ou=Students,ou=Active,ou=Resources,o=Swansea";

        // Main auth