From 3b4df7f1c34e1403d8d8f24b8c3c0933802ce011 Mon Sep 17 00:00:00 2001
From: Thomas Lake
Date: Fri, 31 Dec 2021 15:55:58 +0000
Subject: [PATCH 1/2] Update History.txt
---
 static/About/History.txt | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/static/About/History.txt b/static/About/History.txt
index 2f63f32..b4135b4 100644
--- a/static/About/History.txt
+++ b/static/About/History.txt
@@ -13,14 +13,22 @@ Gaming +

2019

+colours (Declan Morbey) +elbows (Laurence Sebastian Bowes) +mr_miyagi_420 (Rafal Gajewski) +vectre (Alexander Moras) +mpg (Maxwell Michael Gisborne) + + -

2018

+

2018

-vectre (Alexander Moras) -elbows (Laurence Sebastian Bowes) -xray_effect (Ryan Williams) -None -arcryalis (Hywel Williams) +vectre (Alexander Moras) +elbows (Laurence Sebastian Bowes) +xray_effect (Ryan Williams) +None +arcryalis (Gwen Williams) @@ -280,4 +288,4 @@ -

In 2001, the elections were moved so that the committee now stays in position for one calendar year.

\ No newline at end of file +

In 2001, the elections were moved so that the committee now stays in position for one calendar year.

-- GitLab
From 7c7c9c2071a953f8b63b04f26d1cba932b0734f5 Mon Sep 17 00:00:00 2001
From: Imran Hussain
Date: Thu, 4 May 2023 20:43:52 +0100
Subject: [PATCH 2/2] [login] filter out everything but A-Z a-z 0-9 . - _ from username
---
 lib/ldap-auth.php | 57 ++++++++++++++++++++++++++---------------
 lib/session.php | 10 ++++++++-
 2 files changed, 41 insertions(+), 26 deletions(-)
diff --git a/lib/ldap-auth.php b/lib/ldap-auth.php
index bdf5656..10bb2f2 100644
--- a/lib/ldap-auth.php
+++ b/lib/ldap-auth.php
@@ -12,7 +12,7 @@ will return "nope" if the user/pass passed is inavlid
 Example usage:
-include_once("ldap-auth.php");
+require "ldap-auth.php";
 isAuthd = ldapAuth("usaername", "password");
@@ -29,6 +29,8 @@ if (isAuthd == "sucs"){
 // we don't care about warnings, we write our own
 error_reporting(E_ERROR | E_PARSE);
+define(LDAP_OPT_DIAGNOSTIC_MESSAGE, 0x0032);
+
 function ldapAuth($username, $password)
 {
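Review bot: `define(LDAP_OPT_DIAGNOSTIC_MESSAGE, 0x0032);` passes the constant name as a bareword instead of a string, so the first argument is evaluated rather than named: on PHP 8 an undefined constant throws an Error at include time, and on older releases it degrades to the string "LDAP_OPT_DIAGNOSTIC_MESSAGE" with a warning that the `error_reporting(E_ERROR | E_PARSE)` two lines above hides. The ldap extension has shipped a constant of that name since PHP 7.1, in which case the call becomes `define(50, 50)` and fails as well. The conventional form is `if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) { define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032); }`, though since the only use of the constant in this patch is inside a commented-out block further down, dropping the define entirely is the simpler fix. The `ldapAuth` function opened at the end of this hunk continues outside it.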
@@ -45,24 +47,29 @@ function ldapAuth($username, $password)
 $username = implode("@", $s);
 }
+ // filter out everything but A-Z a-z 0-9 . - _ from username
+ $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $username);
+
+ // if safeusername isn't the same as username just error out
+ if ($safeusername != $username) {
+ return "nope";
+ }
+
 // ldap servers
 $sucsLDAPServer = 'silver.sucs.swan.ac.uk';
- $lisLDAPServer = 'ccs-suld1.swan.ac.uk';
-
- // lis auth stuffs
- $lisUsernameOu = substr($username, -1);
- $lisOtherOu = "Moved";
+ $issLDAPServer = '192.168.10.16';
 // how to bind
- $sucsBindDn = "uid=$username,ou=People,dc=sucs,dc=org";
- $lisBindDn1 = "cn=$username,ou=$lisUsernameOu,ou=Students,ou=SWANSEA,o=SWANUNI";
- $lisBindDn2 = "cn=$username,ou=$lisOtherOu,ou=Students,ou=SWANSEA,o=SWANUNI";
+ $sucsBindDn = "uid=$safeusername,ou=People,dc=sucs,dc=org";
+ $issBindDn = "cn=$safeusername,ou=Students,ou=Active,ou=Resources,o=Swansea";
 // Main auth
 // Try and connect to silver
 $ldapconnSUCS = ldap_connect($sucsLDAPServer) or die("Could not connect to SUCS LDAP server.");
+ ldap_set_option($ldapconnSUCS,LDAP_OPT_PROTOCOL_VERSION,3);
+
 if ($ldapconnSUCS) {
 //echo "Connected to $sucsLDAPServer
";
@@ -73,28 +80,28 @@ function ldapAuth($username, $password)
 if ($ldapbindSUCS) {
 //echo "Auth'd as $username using SUCS LDAP
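Review bot: The reject check `if ($safeusername != $username)` is a loose comparison, so two different strings that both look numeric compare equal — a username such as `" 10"` (or `"10 "` on PHP 8) filters to `"10"` and passes the check instead of returning "nope"; it should be `if ($safeusername !== $username) {`, and the same applies to the check in the lib/session.php hunk. The binds are built from `$safeusername`, so the allowlist still keeps DN metacharacters out of `$sucsBindDn` and `$issBindDn`, but the stated intent of "error out if anything was altered" only holds with strict comparison. Neither server is addressed as `ldaps://` and no `ldap_start_tls()` call is visible in the hunk, so unless TLS is negotiated elsewhere in `ldapAuth` (whose body starts before and continues after this hunk) the simple bind transmits the user's password in cleartext, including to the new `192.168.10.16` address. Separately, in current PHP `ldap_connect()` only parses the host and does not open a connection, so the `or die(...)` and the `if ($ldapconnSUCS)` branch cannot detect an unreachable server; that only surfaces as a failed bind, which callers cannot distinguish from a wrong password.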
";
 return "sucs";
- // turns out they didn't give us valid sucs creds, lets try lis now
+ // turns out they didn't give us valid sucs creds, lets try iss now
 } else {
- // try and connect to the lis ldap server
- $ldapconnLIS = ldap_connect($lisLDAPServer) or die("Could not connect to uni LDAP server.");
- //echo "Connected to $lisLDAPServer
";
+ // try and connect to the iss ldap server
+ $ldapconnISS = ldap_connect($issLDAPServer) or die("Could not connect to uni LDAP server.");
+ // echo "Connected to $issLDAPServer
";
+
+ ldap_set_option($ldapconnISS,LDAP_OPT_PROTOCOL_VERSION,3);
 // lets try and bind to the uni ldap
- $ldapbindLIS1 = ldap_bind($ldapconnLIS, $lisBindDn1, $password);
- if ($ldapbindLIS1) {
- //echo "Auth'd as $username using uni LDAP using ou=$lisUsernameOu
";
+ $ldapbindiss = ldap_bind($ldapconnISS, $issBindDn, $password);
+
+ /*if (ldap_get_option($ldapconnISS, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
+ echo "Error Binding to LDAP: $extended_error";
+ }*/
+
+ if ($ldapbindiss) {
+ //echo "Auth'd as $username using uni LDAP using ou=$issUsernameOu
";
 return "uni";
 } else {
- $ldapbindLIS2 = ldap_bind($ldapconnLIS, $lisBindDn2, $password);
- if ($ldapbindLIS2) {
- //echo "Auth'd as $username using uni LDAP using ou=moved
";
- return "uni";
- // shit, couldn't bind to anything
- } else {
- //exit("Invalid Username or Password");
- return "nope";
- }
+ //exit("Invalid Username or Password");
+ return "nope";
 }
 }
 }
diff --git a/lib/session.php b/lib/session.php
index 00b472b..243e012 100644
--- a/lib/session.php
+++ b/lib/session.php
@@ -116,7 +116,15 @@ class Session
 // Is this a login attempt ?
 if ($submit != '' && $session_user != '' && $session_pass != '') {
- $this->session_init($session_user, $session_pass);
+ // filter out everything but A-Z a-z 0-9 . - _ from username
+ $safeusername = preg_replace("/[^A-Za-z0-9\.\-\_]/", '', $session_user);
+ if ($safeusername != $session_user) {
+ trigger_error("Invalid username", E_USER_NOTICE);
+ $this->newsession();
+ return;
+ } elseif ($safeusername == $session_user) {
+ $this->session_init($safeusername, $session_pass);
+ }
 }
 // Retrieve session information
-- GitLab
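Review bot: `$ldapbindiss = ldap_bind($ldapconnISS, $issBindDn, $password);` is reached with whatever `$password` the caller passed, and a simple bind with a DN but an empty password is an unauthenticated bind that some directory servers accept by default, which would make `ldapAuth` return "uni" for a known username and no password; nothing in this hunk rejects an empty password, the SUCS bind just above the hunk has the same exposure, and while the session.php caller does check `$session_pass != ''`, the docblock shows `ldapAuth` being called directly, so unless the function (which starts and ends outside this hunk) already guards it, add `if ($password === '') { return "nope"; }` before the first `ldap_bind`. The commented-out `ldap_get_option(... LDAP_OPT_DIAGNOSTIC_MESSAGE ...)` block and the `//echo ... ou=$issUsernameOu` comment, which names a variable that no longer exists after this change, are dead text and should be removed; if the diagnostic message is wanted for debugging it belongs in `error_log()`, not in the response, since it can expose directory details to the user. The `$ldapconnISS` handle is never released on either branch; an `ldap_unbind($ldapconnISS);` before each return would be tidy, though PHP closes it at request end.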
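Review bot: `} elseif ($safeusername == $session_user) {` is the exact negation of the `if` immediately above it, so when reached it is always true and the condition only obscures the control flow; write it as a plain `} else {`, or, since the `if` branch returns, drop the else and call `$this->session_init($safeusername, $session_pass);` unconditionally after the `if`. The rejection is reported only via `trigger_error("Invalid username", E_USER_NOTICE)`; if lib/ldap-auth.php has already been included, its top-level `error_reporting(E_ERROR | E_PARSE)` suppresses notices, so a rejected login attempt leaves no trace, and a malformed username on the login form is exactly the event an operator wants recorded — log it explicitly with `error_log()` (without the raw submitted value, or with it truncated and escaped, so it cannot inject into the log). The enclosing method starts and ends outside the hunk, so I cannot tell from here whether `$this->newsession()` followed by `return` skips work the rest of the method relies on (the "Retrieve session information" step follows).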