
#2709 validate username attribute fetched from LDAP

Unknwon 9 years ago
parent
commit
a752f09055
  1. 2
      cmd/web.go
  2. 4
      glide.lock
  3. 38
      models/login.go
  4. 14
      modules/auth/ldap/ldap.go

2
cmd/web.go

@ -79,7 +79,7 @@ func checkVersion() {
// Check dependency version. // Check dependency version.
checkers := []VerChecker{ checkers := []VerChecker{
{"github.com/go-xorm/xorm", func() string { return xorm.Version }, "0.5.5.0711"}, {"github.com/go-xorm/xorm", func() string { return xorm.Version }, "0.5.5.0711"},
{"github.com/go-macaron/binding", binding.Version, "0.2.1"}, {"github.com/go-macaron/binding", binding.Version, "0.3.2"},
{"github.com/go-macaron/cache", cache.Version, "0.1.2"}, {"github.com/go-macaron/cache", cache.Version, "0.1.2"},
{"github.com/go-macaron/csrf", csrf.Version, "0.1.0"}, {"github.com/go-macaron/csrf", csrf.Version, "0.1.0"},
{"github.com/go-macaron/i18n", i18n.Version, "0.3.0"}, {"github.com/go-macaron/i18n", i18n.Version, "0.3.0"},

4
glide.lock generated

@ -8,7 +8,7 @@ imports:
- name: github.com/codegangsta/cli - name: github.com/codegangsta/cli
version: 1efa31f08b9333f1bd4882d61f9d668a70cd902e version: 1efa31f08b9333f1bd4882d61f9d668a70cd902e
- name: github.com/go-macaron/binding - name: github.com/go-macaron/binding
version: bd00823a7e9aa00cb3b1738fde244573ba7cce2c version: 9440f336b443056c90d7d448a0a55ad8c7599880
- name: github.com/go-macaron/cache - name: github.com/go-macaron/cache
version: 56173531277692bc2925924d51fda1cd0a6b8178 version: 56173531277692bc2925924d51fda1cd0a6b8178
subpackages: subpackages:
@ -43,7 +43,7 @@ imports:
- name: github.com/gogits/git-module - name: github.com/gogits/git-module
version: db93fa550116997bbe0b62baa653b8e6f4135258 version: db93fa550116997bbe0b62baa653b8e6f4135258
- name: github.com/gogits/go-gogs-client - name: github.com/gogits/go-gogs-client
version: 872cf281aac97429da02b6cdea942c9388eb65fb version: ee68cd9eefff11615f336e9965762f6736eeecc8
- name: github.com/issue9/identicon - name: github.com/issue9/identicon
version: d36b54562f4cf70c83653e13dc95c220c79ef521 version: d36b54562f4cf70c83653e13dc95c220c79ef521
- name: github.com/jaytaylor/html2text - name: github.com/jaytaylor/html2text

38
models/login.go

@ -15,6 +15,7 @@ import (
"time" "time"
"github.com/Unknwon/com" "github.com/Unknwon/com"
"github.com/go-macaron/binding"
"github.com/go-xorm/core" "github.com/go-xorm/core"
"github.com/go-xorm/xorm" "github.com/go-xorm/xorm"
@ -280,7 +281,7 @@ func DeleteSource(source *LoginSource) error {
func LoginUserLDAPSource(u *User, loginName, passwd string, source *LoginSource, autoRegister bool) (*User, error) { func LoginUserLDAPSource(u *User, loginName, passwd string, source *LoginSource, autoRegister bool) (*User, error) {
cfg := source.Cfg.(*LDAPConfig) cfg := source.Cfg.(*LDAPConfig)
directBind := (source.Type == LOGIN_DLDAP) directBind := (source.Type == LOGIN_DLDAP)
name, fn, sn, mail, admin, logged := cfg.SearchEntry(loginName, passwd, directBind) username, fn, sn, mail, isAdmin, logged := cfg.SearchEntry(loginName, passwd, directBind)
if !logged { if !logged {
// User not in LDAP, do nothing // User not in LDAP, do nothing
return nil, ErrUserNotExist{0, loginName} return nil, ErrUserNotExist{0, loginName}
@ -291,37 +292,42 @@ func LoginUserLDAPSource(u *User, loginName, passwd string, source *LoginSource,
} }
// Fallback. // Fallback.
if len(name) == 0 { if len(username) == 0 {
name = loginName username = loginName
} }
// Validate username make sure it satisfies requirement.
if !binding.AlphaDashDotPattern.MatchString(username) {
return nil, fmt.Errorf("Invalid pattern for attribute 'username' [%s]: must be valid alpha or numeric or dash(-_) or dot characters", username)
}
if len(mail) == 0 { if len(mail) == 0 {
mail = fmt.Sprintf("%s@localhost", name) mail = fmt.Sprintf("%s@localhost", username)
} }
u = &User{ u = &User{
LowerName: strings.ToLower(name), LowerName: strings.ToLower(username),
Name: name, Name: username,
FullName: composeFullName(fn, sn, name), FullName: composeFullName(fn, sn, username),
LoginType: source.Type, LoginType: source.Type,
LoginSource: source.ID, LoginSource: source.ID,
LoginName: loginName, LoginName: loginName,
Email: mail, Email: mail,
IsAdmin: admin, IsAdmin: isAdmin,
IsActive: true, IsActive: true,
} }
return u, CreateUser(u) return u, CreateUser(u)
} }
func composeFullName(firstName, surename, userName string) string { func composeFullName(firstname, surname, username string) string {
switch { switch {
case len(firstName) == 0 && len(surename) == 0: case len(firstname) == 0 && len(surname) == 0:
return userName return username
case len(firstName) == 0: case len(firstname) == 0:
return surename return surname
case len(surename) == 0: case len(surname) == 0:
return firstName return firstname
default: default:
return firstName + " " + surename return firstname + " " + surname
} }
} }
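Review bot: The rejected value is echoed into the error with `%s` on the new validation line, so a malformed or hostile LDAP attribute (control characters, whitespace-only, terminal escapes) lands verbatim in whichever log or page renders the error; `%q` quotes and escapes it: `return nil, fmt.Errorf("invalid username attribute %q: must contain only alphanumeric, dash (-_) or dot characters", username)`. The rule itself is borrowed from `binding.AlphaDashDotPattern`, a form-binding library bumped to 0.3.2 in this same commit, so the character set an LDAP-sourced account name may use now tracks that library's releases rather than this file; a comment such as `// Must match the rule the sign-up form enforces (binding.AlphaDashDotPattern) so LDAP-created names are valid everywhere.` would make the coupling explicit, and the form presumably also caps name length, which is not checked here. The check sits after the `len(username) == 0` fallback, which is good because the user-supplied loginName now passes through the same filter, but it only runs on the auto-register path, so accounts created before this commit with a non-conforming name are not re-validated on later logins — worth stating in the commit if that is intended. LoginUserLDAPSource begins in the preceding hunk, outside this one.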

14
modules/auth/ldap/ldap.go

@ -210,12 +210,12 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
return "", "", "", "", false, false return "", "", "", "", false, false
} }
username_attr := sr.Entries[0].GetAttributeValue(ls.AttributeUsername) username := sr.Entries[0].GetAttributeValue(ls.AttributeUsername)
name_attr := sr.Entries[0].GetAttributeValue(ls.AttributeName) firstname := sr.Entries[0].GetAttributeValue(ls.AttributeName)
sn_attr := sr.Entries[0].GetAttributeValue(ls.AttributeSurname) surname := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)
mail_attr := sr.Entries[0].GetAttributeValue(ls.AttributeMail) mail := sr.Entries[0].GetAttributeValue(ls.AttributeMail)
admin_attr := false isAdmin := false
if len(ls.AdminFilter) > 0 { if len(ls.AdminFilter) > 0 {
log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN) log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)
search = ldap.NewSearchRequest( search = ldap.NewSearchRequest(
@ -229,7 +229,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
} else if len(sr.Entries) < 1 { } else if len(sr.Entries) < 1 {
log.Error(4, "LDAP Admin Search failed") log.Error(4, "LDAP Admin Search failed")
} else { } else {
admin_attr = true isAdmin = true
} }
} }
@ -241,5 +241,5 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
} }
} }
return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true return username, firstname, surname, mail, isAdmin, true
} }
