author | Scott Ullrich <sullrich@pfsense.org> | 2010-11-29 17:39:46 -0500 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2010-11-29 17:39:46 -0500 |
commit | 9ae11a629d6693e0a66059a30fedb3534fcca721 (patch) | |
tree | f04c556e169b65db109fb312c06dae85ed89a2ef /etc/inc/auth.inc | |
parent | ef17372492fb3d271497160a816eba64b3bcf436 (diff) | |
Revert "Add Active Directory group membership checking Ticket #1009"
This reverts commit ef17372492fb3d271497160a816eba64b3bcf436.
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r-- | etc/inc/auth.inc | 161 |
1 files changed, 78 insertions, 83 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 9e3d2a9..1214d17 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -49,6 +49,9 @@ if(!$do_not_include_config_gui_inc)
 require_once("config.gui.inc");
+// Will be changed to false if security checks fail
+$security_passed = true;
+
 /* If this function doesn't exist, we're being called from Captive Portal or another internal subsystem which does not include authgui.inc */
 if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
@@ -61,31 +64,90 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
 $http_host = $_SERVER['HTTP_HOST'];
 }
 if(is_ipaddr($http_host) or $_SERVER['SERVER_ADDR'] == "127.0.0.1" or
- $http_host == "localhost" or $_SERVER['SERVER_ADDR'] == "localhost")
+ strcasecmp($http_host, "localhost") == 0)
+ $found_host = true;
+ if(strcasecmp($http_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 or
+ strcasecmp($http_host, $config['system']['hostname']) == 0)
 $found_host = true;
- if($config['dyndnses']['dyndns'])
+
+ if(is_array($config['dyndnses']['dyndns']) && !$found_host)
 foreach($config['dyndnses']['dyndns'] as $dyndns)
- if($dyndns['host'] == $http_host or $dyndns['host'] == $_SERVER['SERVER_ADDR'])
+ if(strcasecmp($dyndns['host'], $http_host) == 0) {
 $found_host = true;
+ break;
+ }
- if(!empty($config['system']['webgui']['althostnames'])) {
+ if(!empty($config['system']['webgui']['althostnames']) && !$found_host) {
 $althosts = explode(" ", $config['system']['webgui']['althostnames']);
 foreach ($althosts as $ah)
- if($ah == $http_host or $ah == $_SERVER['SERVER_ADDR'])
+ if(strcasecmp($ah, $http_host) == 0 or strcasecmp($ah, $_SERVER['SERVER_ADDR']) == 0) {
 $found_host = true;
+ break;
+ }
 }
- if($http_host == $config['system']['hostname'] . "." . $config['system']['domain'] or
- $http_host == $_SERVER['SERVER_ADDR'] or
- $http_host == $config['system']['hostname'])
- $found_host = true;
+ if($found_host == false) {
+ if(!security_checks_disabled()) {
+ display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname.");
+ exit;
+ }
+ $security_passed = false;
+ }
+}
+// If the HTTP_REFERER is something other than ourselves then disallow.
+if(function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) {
+ if($_SERVER['HTTP_REFERER']) {
+ if(file_exists("{$g['tmp_path']}/setupwizard_lastreferrer")) {
+ if($_SERVER['HTTP_REFERER'] == file_get_contents("{$g['tmp_path']}/setupwizard_lastreferrer")) {
+ unlink("{$g['tmp_path']}/setupwizard_lastreferrer");
+ header("Refresh: 1; url=index.php");
+ echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">";
+ echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . "</body></html>";
+ exit;
+ }
+ }
+ $found_host = false;
+ $referrer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
+ if($referrer_host) {
+ if(strcasecmp($referrer_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0
+ || strcasecmp($referrer_host, $config['system']['hostname']) == 0)
+ $found_host = true;
+ if(!empty($config['system']['webgui']['althostnames']) && !$found_host) {
+ $althosts = explode(" ", $config['system']['webgui']['althostnames']);
+ foreach ($althosts as $ah) {
+ if(strcasecmp($referrer_host, $ah) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ }
+ if(!$found_host) {
+ $interface_list_ips = get_configured_ip_addresses();
+ foreach($interface_list_ips as $ilips) {
+ if(strcasecmp($referrer_host, $ilips) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ }
+ }
 if($found_host == false) {
- display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname.");
+ if(!security_checks_disabled()) {
+ display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin.");
 exit;
 }
+ $security_passed = false;
+ }
+ } else
+ $security_passed = false;
 }
+if (function_exists("display_error_form") && $security_passed)
+ /* Security checks passed, so it should be OK to turn them back on */
+ restore_security_checks();
+unset($security_passed);
+
 $groupindex = index_groups();
 $userindex = index_users();
@@ -449,6 +511,7 @@ function local_user_set_groups($user, $new_groups = NULL ) {
 $group['member'][] = $user['uid'];
 $mod_groups[] = $group;
 }
+ unset($group);
 /* determine which memberships to remove */
 foreach ($cur_groups as $groupname) {
@@ -463,6 +526,7 @@ function local_user_set_groups($user, $new_groups = NULL ) {
 $mod_groups[] = $group;
 }
 }
+ unset($group);
 /* sync all modified groups */
 foreach ($mod_groups as $group)
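Review bot: In the restored HTTP_REFERER block, `if($_SERVER['HTTP_REFERER']) {` reads the header without `isset()`, so every request that carries no Referer raises an undefined-index notice before it falls into the `else` that sets `$security_passed = false`; `if(!empty($_SERVER['HTTP_REFERER'])) {` gives the same branching without the notice. The loopback test in the DNS-rebind block recognises only `"127.0.0.1"` for `SERVER_ADDR`, so a request arriving over an IPv6 loopback address would have to match the configured hostname, a dyndns host or an alt-hostname instead — worth confirming that is intended. `$found_host` for the DNS-rebind block is expected to be initialised above this hunk, and both checks are skipped wherever `display_error_form` is undefined (Captive Portal and other internal callers), as the restored comment says. The enclosing `if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck']))` block starts before this hunk.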
@@ -928,28 +992,6 @@ function ldap_backed($username, $passwd, $authcfg) {
 /*****************************************************************/
 log_error("Now Searching for {$username} in directory.");
 /* Iterate through the user containers for search */
- /* check if the entire sting contains CN= since it will we a group except CN=Users. */
- /* replace known default containers to be sure we find only groups */
- $templdapauthcont=str_ireplace("CN=Users","####",$ldapauthcont);
- $templdapauthcont=str_ireplace("CN=Builtin","####",$templdapauthcont);
- $templdapauthcont=str_ireplace("CN=Computers","####",$templdapauthcont);
- $templdapauthcont=str_ireplace("CN=ForeignSecurityPrincipals","####",$templdapauthcont);
- $templdapauthcont=str_ireplace("CN=Managed Service Accounts","####",$templdapauthcont);
- $templdapauthcont=str_ireplace("CN=NTDS Quotas","####",$templdapauthcont);
- $templdapauthcont=str_ireplace("CN=Program Data","####",$templdapauthcont);
- $templdapauthcont=str_ireplace("CN=System","####",$templdapauthcont);
- if ( stristr($templdapauthcont,"CN=") ){
- log_error("The container string contains at least one group, we need to find user DN now");
- $searchUser = ldap_search($ldap,$ldapbasedn,$ldapfilter);
- $infoUser = ldap_get_entries($ldap,$searchUser);
- if ( $infoUser['count'] == 0 ){
- log_error("User does not exists");
- return false;
- }else{
- log_error("User found");
- $userDN = $infoUser[0]['distinguishedname'][0];
- }
- }
 foreach ($ldac_splits as $i => $ldac_split) {
 /* Make sure we just use the first user we find */
 log_error("Now Searching in server {$ldapname}, container {$ldac_split} with filter {$ldapfilter}.");
@@ -958,57 +1000,10 @@ function ldap_backed($username, $passwd, $authcfg) {
 else
 $ldapfunc = "ldap_search";
 /* Support legacy auth container specification. */
- if (stristr($ldac_split, "DC=")){
- $baseDN = $ldac_split;
- }else{
- $baseDN = $ldac_split.",".$ldapbasedn;
- }
- if (stristr($ldac_split, "CN=")){
- $searchGroup = ldap_search($ldap,$ldapbasedn,"(&(objectclass=group)(distinguishedname={$baseDN}))");
- $infoGroup = ldap_get_entries($ldap,$searchGroup);
- if ($infoGroup['count'] == 1){
- log_error("We found the group");
- if( $infoGroup[0]['member']['count'] == 0){
- /* group is empty */
- log_error("group is empty");
- continue;
- }
- if( $infoGroup[0]['member']['count'] == 1){
- /*group has only one member*/
- log_error("group has only one member");
- if ( strcasecmp($userDN,$infoGroup[0]['member'][0]) == 0 ){
- $userdn = $userDN;
- $_SESSION['ldapou'] = $ldac_split[$i];
- $_SESSION['ldapon'] = "true";
- $usercount = 1;
- break;
- }else{
- continue;
- }
- }else{
- /*Group has more than one member*/
- log_error("group has more than one member");
- foreach ($infoGroup[0]['member'] as $j => $memberDN){
- if ( strcasecmp($userDN,$memberDN) == 0 ){
- log_error("User is a member of the group");
- $userdn = $_SESSION['ldapdn'] = $userDN;
- $_SESSION['ldapou'] = $ldac_split;
- $_SESSION['ldapon'] = "true";
- $usercount = 1;
- break;
- }else{
- continue;
- }
- }
- }
- }
- if ( $usercount == 1 ){
- break;
- }
- }else{
- /* Normal container, OU or builtin*/
- $search = @$ldapfunc($ldap,$baseDN,$ldapfilter);
- }
+ if (stristr($ldac_split, "DC=") || empty($ldapbasedn))
+ $search = @$ldapfunc($ldap,$ldac_split,$ldapfilter);
+ else
+ $search = @$ldapfunc($ldap,"{$ldac_split},{$ldapbasedn}",$ldapfilter);
 if (!$search) {
 log_error("Search resulted in error: " . ldap_error($ldap));
 continue;
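Review bot: The restored container search hands `$ldapfilter` to `$ldapfunc` unchanged, and nothing in this hunk shows how that filter is built from `$username` (it is assembled above the hunk); if it is plain string interpolation, LDAP filter metacharacters in a supplied username can change the query, so escaping belongs at the point where the filter is assembled — worth confirming. The `@` on `$ldapfunc` only hides the PHP warning; the failure is still caught by `if (!$search)` and logged through `ldap_error($ldap)`, so the suppression is harmless here. A comment above the new `if`, such as `/* A container containing DC= (or used with no base DN) is already a full DN; otherwise append the base DN. */`, would preserve the intent that the removed `$baseDN` branch used to spell out. ldap_backed begins and ends outside this hunk.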