Add the 'D'-modifier to all regex'es that match the full string.
By default '$' matches end of string, or newline at end of string, which made it possible to add a trailing newline to some strings that shouldn't have it. As far as I can tell, none of the errors presented a security problem. git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@2183 44740490-163a-0410-bde0-09ae8108e29a
parent
b78dd1225e
commit
798de8b59d
|
@ -335,7 +335,7 @@ class SimpleSAML_Configuration {
|
|||
|
||||
|
||||
public function getBaseURL() {
|
||||
if (preg_match('/^\*(.*)$/', $this->getString('baseurlpath', 'simplesaml/'), $matches)) {
|
||||
if (preg_match('/^\*(.*)$/D', $this->getString('baseurlpath', 'simplesaml/'), $matches)) {
|
||||
return SimpleSAML_Utilities::getFirstPathElement(false) . $matches[1];
|
||||
}
|
||||
|
||||
|
|
|
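Review bot: The reason for the `D` modifier on the pattern at the new `preg_match` line is not visible to a later reader, and this idiom recurs in every hunk of this commit, so a one-line comment at the first use would document it for all of them: `/* D: "$" alone also matches before a trailing "\n"; D makes it match only at the very end. */`. With `D` a `baseurlpath` such as `*foo\n` now fails the match and falls through to whatever follows the `if`, which lies outside this hunk, so the value is presumably handled as a plain path rather than rejected — worth confirming that the fallback does not accept the stray newline. getBaseURL's body continues past the hunk.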
@ -472,7 +472,7 @@ class SimpleSAML_Utilities {
|
|||
assert('is_null($timestamp) || is_int($timestamp)');
|
||||
|
||||
/* Parse the duration. We use a very strict pattern. */
|
||||
$durationRegEx = '#^(-?)P(?:(?:(?:(\\d+)Y)?(?:(\\d+)M)?(?:(\\d+)D)?(?:T(?:(\\d+)H)?(?:(\\d+)M)?(?:(\\d+)S)?)?)|(?:(\\d+)W))$#';
|
||||
$durationRegEx = '#^(-?)P(?:(?:(?:(\\d+)Y)?(?:(\\d+)M)?(?:(\\d+)D)?(?:T(?:(\\d+)H)?(?:(\\d+)M)?(?:(\\d+)S)?)?)|(?:(\\d+)W))$#D';
|
||||
if (!preg_match($durationRegEx, $duration, $matches)) {
|
||||
throw new Exception('Invalid ISO 8601 duration: ' . $duration);
|
||||
}
|
||||
|
|
|
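Review bot: `preg_match` omits trailing capture groups that did not participate in the match, so after a successful match of the `Y/M/D/T` branch `$matches[8]` (the `W` group) is not set at all, and for a bare `P` only `$matches[0]` and `$matches[1]` exist. If the code below the hunk indexes `$matches[2]`..`$matches[8]` directly, that is a notice and a `null` rather than `0`; padding the array first avoids it: `$matches = array_pad($matches, 9, '');`. The enclosing function starts and ends outside this hunk, so whether the indexes are already guarded cannot be seen here.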
@ -252,7 +252,7 @@ class SimpleSAML_XHTML_Template {
|
|||
}
|
||||
|
||||
/* Check whether we should use the default dictionary or a dictionary specified in the tag. */
|
||||
if(substr($tag, 0, 1) === '{' && preg_match('/^{((?:\w+:)?\w+?):(.*)}$/', $tag, $matches)) {
|
||||
if(substr($tag, 0, 1) === '{' && preg_match('/^{((?:\w+:)?\w+?):(.*)}$/D', $tag, $matches)) {
|
||||
$dictionary = $matches[1];
|
||||
$tag = $matches[2];
|
||||
} else {
|
||||
|
|
|
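Review bot: The `substr($tag, 0, 1) === '{'` test on the new line duplicates the `^{` anchor of the regex; the match already fails on a tag that does not start with `{`, so the prefix check only saves a regex call and makes the condition longer to read. If the short-circuit is intentional as a fast path for the common non-dictionary tag, say so: `/* Cheap prefix check first; most tags carry no dictionary prefix. */`. The enclosing method continues outside the hunk.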
@ -91,7 +91,7 @@ function storeTicket($ticket, $path, &$value ) {
|
|||
|
||||
function retrieveTicket($ticket, $path) {
|
||||
|
||||
if (!preg_match('/^_?[a-zA-Z0-9]+$/', $ticket)) throw new Exception('Invalid characters in ticket');
|
||||
if (!preg_match('/^_?[a-zA-Z0-9]+$/D', $ticket)) throw new Exception('Invalid characters in ticket');
|
||||
|
||||
if (!is_dir($path))
|
||||
throw new Exception('Directory for CAS Server ticket storage [' . $path . '] does not exists. ');
|
||||
|
|
|
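Review bot: The ticket whitelist on the new `preg_match` line is, as far as this hunk shows, the only thing keeping `$ticket` free of `/` and `..` before it is presumably joined to `$path` further down (outside the hunk), yet nothing says so; a comment would stop a later relaxation of the pattern: `/* $ticket becomes part of a file name under $path; keep this a strict whitelist. */`. The same applies to the identical hunk in the second CAS file (`@ -72,7 +72,7 @@`). Separately, the directory error message reads "does not exists" and should be "does not exist".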
@ -72,7 +72,7 @@ function storeTicket($ticket, $path, &$value ) {
|
|||
|
||||
function retrieveTicket($ticket, $path) {
|
||||
|
||||
if (!preg_match('/^_?[a-zA-Z0-9]+$/', $ticket)) throw new Exception('Invalid characters in ticket');
|
||||
if (!preg_match('/^_?[a-zA-Z0-9]+$/D', $ticket)) throw new Exception('Invalid characters in ticket');
|
||||
|
||||
if (!is_dir($path))
|
||||
throw new Exception('Directory for CAS Server ticket storage [' . $path . '] does not exists. ');
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
<?php
|
||||
|
||||
function logFilter($objFile, $tag, $cut){
|
||||
if (!preg_match('/^[a-f0-9]{10}$/', $tag)) throw new Exception('Invalid search tag');
|
||||
if (!preg_match('/^[a-f0-9]{10}$/D', $tag)) throw new Exception('Invalid search tag');
|
||||
|
||||
$i = 0;
|
||||
$results = array();
|
||||
|
|
|
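Review bot: `logFilter` has no docblock, and its three untyped parameters (`$objFile`, `$tag`, `$cut`) give no hint what they are; the hunk shows only that `$tag` must be exactly ten lowercase hex characters and that `$results` is collected. A short docblock above the function stating what `$objFile` is (a file handle, presumably), that `$tag` is the 10-hex-digit trace identifier matched in each line, what `$cut` limits, and what the returned `$results` holds would make the function readable without the rest of the file. The function body runs past the end of the hunk.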
@ -67,7 +67,7 @@ if (array_key_exists('protocol', $_GET)) {
|
|||
$attr_test = array();
|
||||
|
||||
foreach ($_GET as $k => $v) {
|
||||
if(preg_match('/^attr_test(?:_\d+)?$/', $k)) {
|
||||
if(preg_match('/^attr_test(?:_\d+)?$/D', $k)) {
|
||||
$pos = strpos($v, ':');
|
||||
if($pos === FALSE) {
|
||||
error('Invalid attribute test: $v');
|
||||
|
|
|
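Review bot: The message on the line `error('Invalid attribute test: $v');` is single-quoted, so `$v` is never interpolated and the user sees the literal text `$v`; the intent is `error('Invalid attribute test: ' . $v);`. Since `$v` comes straight from `$_GET`, the value should be escaped for the context `error()` renders into if that helper does not already do so (not visible here). The surrounding `foreach` continues outside the hunk.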
@ -121,7 +121,7 @@ if (isset($_REQUEST['username'])) {
|
|||
/*
|
||||
* Checking username parameter for illegal characters.
|
||||
*/
|
||||
if (!preg_match('/^[a-z0-9._]+(@[a-z0-9._]+)?$/', $requestedUser) )
|
||||
if (!preg_match('/^[a-z0-9._]+(@[a-z0-9._]+)?$/D', $requestedUser) )
|
||||
throw new Exception('Illegal characters in (or empty) username.');
|
||||
|
||||
/*
|
||||
|
@ -143,7 +143,7 @@ if (isset($_REQUEST['username'])) {
|
|||
$requestedOrg = strtolower($_REQUEST['org']);
|
||||
}
|
||||
|
||||
if (!preg_match('/^[a-z0-9.]*$/', $requestedOrg) )
|
||||
if (!preg_match('/^[a-z0-9.]*$/D', $requestedOrg) )
|
||||
throw new Exception('Illegal characters in organization.');
|
||||
|
||||
if (!array_key_exists($requestedOrg, $ldaporgconfig))
|
||||
|
@ -159,7 +159,7 @@ if (isset($_REQUEST['username'])) {
|
|||
|
||||
$password = $_REQUEST['password'];
|
||||
|
||||
if (!preg_match('/^[a-zA-Z0-9.]+$/', $password) )
|
||||
if (!preg_match('/^[a-zA-Z0-9.]+$/D', $password) )
|
||||
throw new Exception('Illegal characters in password.');
|
||||
|
||||
/*
|
||||
|
|
|
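Review bot: The new `preg_match` line rejects any password outside `[a-zA-Z0-9.]`, which forbids spaces and all punctuation and therefore forces users onto weaker passwords than the directory itself allows. A password is normally passed verbatim to the bind operation and never into a filter string, so the whitelist buys no injection protection there; if the value is also interpolated into an LDAP filter somewhere below the hunk, escaping it at that point is the right fix rather than restricting the character set. The `D` modifier itself is fine; the point is the class it anchors.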
@ -129,7 +129,7 @@ try {
|
|||
throw new SimpleSAML_Error_NotFound('The URL wasn\'t found in the module.');
|
||||
}
|
||||
|
||||
if (preg_match('#\.php$#', $path)) {
|
||||
if (preg_match('#\.php$#D', $path)) {
|
||||
/* PHP file - attempt to run it. */
|
||||
$_SERVER['SCRIPT_NAME'] .= '/' . $module . '/' . $url;
|
||||
require($path);
|
||||
|
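Review bot: The `#\.php$#D` test only decides whether `$path` is executed; nothing in this hunk constrains `$path` against `..` segments, so the `require($path)` relies entirely on checks above the hunk (the `try` block begins outside it). A comment at the `require` would make that dependency explicit: `/* $path is derived from the request URL; the checks above must keep it inside the module directory. */`. Also, `$url` is appended to `$_SERVER['SCRIPT_NAME']` unescaped on the next line, so any code that later echoes `SCRIPT_NAME` into HTML must escape it.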
@ -140,7 +140,7 @@ try {
|
|||
|
||||
/* Find MIME type for file, based on extension. */
|
||||
$contentType = NULL;
|
||||
if (preg_match('#\.([^/]+)$#', $path, $type)) {
|
||||
if (preg_match('#\.([^/]+)$#D', $path, $type)) {
|
||||
$type = strtolower($type[1]);
|
||||
if (array_key_exists($type, $mimeTypes)) {
|
||||
$contentType = $mimeTypes[$type];
|
||||
|
|
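Review bot: `$type` is used for two different things in this hunk: first as the `$matches` array filled by `preg_match`, then immediately reassigned to the lowercased extension string on the following line. Reusing one variable for both shapes is easy to misread; `if (preg_match('#\.([^/]+)$#D', $path, $matches)) {` followed by `$type = strtolower($matches[1]);` keeps each name to one meaning. The `$contentType = NULL` default for unknown extensions is handled outside the hunk.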