Prevent credentials from being leaked in backtrace in some instances (#9817)

* Prevent credentials from being leaked in backtrace in some instances
Particularly before the user is authenticated

* fix test
Tony Murray
2019-03-05 00:24:14 -06:00
committed by GitHub
parent e17f47a329
commit f4a33c1a34
15 changed files with 146 additions and 162 deletions


@@ -10,12 +10,13 @@ class LdapAuthorizer extends AuthorizerBase
{
protected $ldap_connection;
public function authenticate($username, $password)
public function authenticate($credentials)
{
$connection = $this->getLdapConnection(true);
if ($username) {
if ($password && ldap_bind($connection, $this->getFullDn($username), $password)) {
if (!empty($credentials['username'])) {
$username = $credentials['username'];
if (!empty($credentials['password']) && ldap_bind($connection, $this->getFullDn($username), $credentials['password'])) {
$ldap_groups = $this->getGroupList();
if (empty($ldap_groups)) {
// no groups, don't check membership
@@ -44,7 +45,7 @@ class LdapAuthorizer extends AuthorizerBase
}
}
if (!isset($password) || $password == '') {
if (empty($credentials['password'])) {
throw new AuthenticationException('A password is required');
}
@@ -321,7 +322,7 @@ class LdapAuthorizer extends AuthorizerBase
}
}
public function bind($username = null, $password = null)
public function bind($credentials)
{
if (Config::get('auth_ldap_debug')) {
ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
@@ -329,11 +330,14 @@ class LdapAuthorizer extends AuthorizerBase
$this->connect();
$username = $credentials['username'] ?? null;
$password = $credentials['password'] ?? null;
if ((Config::has('auth_ldap_binduser') || Config::has('auth_ldap_binddn')) && Config::has('auth_ldap_bindpassword')) {
$username = Config::get('auth_ldap_binddn', $this->getFullDn(Config::get('auth_ldap_binduser')));
$password = Config::get('auth_ldap_bindpassword');
} elseif ($username) {
$username = $this->getFullDn($username);
} elseif (!empty($credentials['username'])) {
$username = $this->getFullDn($credentials['username']);
}
// With specified bind user