Commit 46189cc1 authored by Richard Mansfield's avatar Richard Mansfield

Sanitize personal details coming from LDAP server (bug #888840)



Change-Id: I4738d80982c7c0679e165c8ae930c7783ea218a3
Signed-off-by: default avatarRichard Mansfield <richard.mansfield@catalyst.net.nz>
parent 22386183
...@@ -132,9 +132,11 @@ class AuthLdap extends Auth { ...@@ -132,9 +132,11 @@ class AuthLdap extends Auth {
// Match database and ldap entries and update in database if required // Match database and ldap entries and update in database if required
$fieldstoimport = array('firstname', 'lastname', 'email'); $fieldstoimport = array('firstname', 'lastname', 'email');
foreach ($fieldstoimport as $field) { foreach ($fieldstoimport as $field) {
$sanitizer = "sanitize_$field";
$ldapdetails[$field] = $sanitizer($ldapdetails[$field]);
if (!empty($ldapdetails[$field]) && ($user->$field != $ldapdetails[$field])) { if (!empty($ldapdetails[$field]) && ($user->$field != $ldapdetails[$field])) {
$user->$field = $ldapdetails[$field]; $user->$field = $ldapdetails[$field];
set_profile_field($user->id, $field, $user->$field); set_profile_field($user->id, $field, $ldapdetails[$field]);
} }
} }
} }
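Review bot: The sanitizer call added at the top of the loop runs before the `!empty($ldapdetails[$field])` guard, so an attribute the LDAP server did not return is now indexed and handed to the sanitizer, whereas the old code only ever touched a missing key inside `empty()`. Skipping absent fields first with `if (!isset($ldapdetails[$field])) { continue; }` keeps the previous behaviour and avoids an undefined-index notice. The variable function `"sanitize_$field"` is safe only because `$fieldstoimport` is a fixed literal list, which deserves a comment such as `// $field comes from the hard-coded list above, never from directory data`. The enclosing method starts and ends outside the hunk.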
......
...@@ -1225,13 +1225,13 @@ function login_submit(Pieform $form, $values) { ...@@ -1225,13 +1225,13 @@ function login_submit(Pieform $form, $values) {
// We have the data - create the user // We have the data - create the user
$USER->lastlogin = db_format_timestamp(time()); $USER->lastlogin = db_format_timestamp(time());
if (isset($userdata->firstname)) { if (isset($userdata->firstname)) {
$USER->firstname = $userdata->firstname; $USER->firstname = sanitize_firstname($userdata->firstname);
} }
if (isset($userdata->lastname)) { if (isset($userdata->lastname)) {
$USER->lastname = $userdata->lastname; $USER->lastname = sanitize_firstname($userdata->lastname);
} }
if (isset($userdata->email)) { if (isset($userdata->email)) {
$USER->email = $userdata->email; $USER->email = sanitize_email($userdata->email);
} }
else { else {
// The user will be asked to populate this when they log in. // The user will be asked to populate this when they log in.
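Review bot: The new `lastname` assignment calls `sanitize_firstname()`, while the LDAP hunk in this same commit resolves `sanitize_lastname` for that field, so this looks like a copy-paste slip and should probably read `$USER->lastname = sanitize_lastname($userdata->lastname);`. If the two sanitizers differ, a last name stored at first login would be filtered by different rules than one synced from LDAP later. Separately, the `else` branch hangs off `isset($userdata->email)`, so if `sanitize_email()` can return an empty string for a rejected address, `$USER->email` may end up empty without reaching the "populate later" path. That is worth confirming, since the rest of `login_submit` is outside the hunk.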
......