Merge changes I4738d809,I151fe4f9,Ic3571a96

* changes: Sanitize personal details coming from LDAP server (bug #888840) Refactor firstname, lastname, email validation into functions Remove lies in comment

Merge changes I4738d809,I151fe4f9,Ic3571a96
* changes: Sanitize personal details coming from LDAP server (bug #888840) Refactor firstname, lastname, email validation into functions Remove lies in comment
852c9aa7 · Francois Marier · Gerrit Code Review · ed48acb7 · 46189cc1 · 852c9aa7
Commit 852c9aa7 authored Nov 14, 2011 by Francois Marier Committed by Gerrit Code Review Nov 14, 2011
--- a/htdocs/admin/users/add.php
+++ b/htdocs/admin/users/add.php
@@ -186,9 +186,9 @@ function adduser_validate(Pieform $form, $values) {
    }

    $username  = $values['username'];
-    $firstname = $values['firstname'];
-    $lastname  = $values['lastname'];
-    $email     = $values['email'];
+    $firstname = sanitize_firstname($values['firstname']);
+    $lastname  = sanitize_lastname($values['lastname']);
+    $email     = sanitize_email($values['email']);
    $password  = $values['password'];

    if ($USER->get('admin') || get_config_plugin('artefact', 'file', 'institutionaloverride')) {
@@ -256,16 +256,15 @@ function adduser_validate(Pieform $form, $values) {
        }
    }
    else {
-        if (!$form->get_error('firstname') && !preg_match('/\S/', $firstname)) {
+        if (!$form->get_error('firstname') && empty($firstname)) {
            $form->set_error('firstname', $form->i18n('rule', 'required', 'required'));
        }
-        if (!$form->get_error('lastname') && !preg_match('/\S/', $lastname)) {
+        if (!$form->get_error('lastname') && empty($lastname)) {
            $form->set_error('lastname', $form->i18n('rule', 'required', 'required'));
        }

        if (!$form->get_error('email')) {
-            require_once('phpmailer/class.phpmailer.php');
-            if (!$form->get_error('email') && !PHPMailer::ValidateAddress($email)) {
+            if (!$form->get_error('email') && empty($email)) {
                $form->set_error('email', get_string('invalidemailaddress', 'artefact.internal'));
            }


--- a/htdocs/auth/ldap/lib.php
+++ b/htdocs/auth/ldap/lib.php
@@ -77,7 +77,7 @@ class AuthLdap extends Auth {
    /**
     * Attempt to authenticate user
     *
-     * @param string $user The username to authenticate with
+     * @param string $user     The user record to authenticate with
     * @param string $password The password being used for authentication
     * @return bool            True/False based on whether the user
     *                         authenticated successfully
@@ -132,9 +132,11 @@ class AuthLdap extends Auth {
                    // Match database and ldap entries and update in database if required
                    $fieldstoimport = array('firstname', 'lastname', 'email');
                    foreach ($fieldstoimport as $field) {
+                        $sanitizer = "sanitize_$field";
+                        $ldapdetails[$field] = $sanitizer($ldapdetails[$field]);
                        if (!empty($ldapdetails[$field]) && ($user->$field != $ldapdetails[$field])) {
                            $user->$field = $ldapdetails[$field];
-                            set_profile_field($user->id, $field, $user->$field);
+                            set_profile_field($user->id, $field, $ldapdetails[$field]);
                        }
                    }
               }

--- a/htdocs/auth/lib.php
+++ b/htdocs/auth/lib.php
@@ -1225,13 +1225,13 @@ function login_submit(Pieform $form, $values) {
                // We have the data - create the user
                $USER->lastlogin = db_format_timestamp(time());
                if (isset($userdata->firstname)) {
-                    $USER->firstname = $userdata->firstname;
+                    $USER->firstname = sanitize_firstname($userdata->firstname);
                }
                if (isset($userdata->lastname)) {
-                    $USER->lastname = $userdata->lastname;
+                    $USER->lastname = sanitize_firstname($userdata->lastname);
                }
                if (isset($userdata->email)) {
-                    $USER->email = $userdata->email;
+                    $USER->email = sanitize_email($userdata->email);
                }
                else {
                    // The user will be asked to populate this when they log in.

--- a/htdocs/lib/mahara.php
+++ b/htdocs/lib/mahara.php
@@ -2886,3 +2886,24 @@ function is_html_editor_enabled () {
 function is_https() {
    return stripos(get_config('wwwroot'), 'https://') !== false;
 }
+
+function sanitize_email($value) {
+    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
+        return '';
+    }
+    return $value;
+}
+
+function sanitize_firstname($value) {
+    if (!preg_match('/\S/', $value)) {
+        return '';
+    }
+    return $value;
+}
+
+function sanitize_lastname($value) {
+    if (!preg_match('/\S/', $value)) {
+        return '';
+    }
+    return $value;
+}