Add the 'D'-modifier to all regex'es that match the full string.

By default '$' matches at the end of the string, or just before a newline that is the
final character of the string, which made it possible to add a trailing newline to some
strings that shouldn't have had one.

As far as I can tell, none of the errors presented a security problem.

git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@2183 44740490-163a-0410-bde0-09ae8108e29a
This commit is contained in:
olavmrk 2010-02-16 12:21:51 +00:00
parent b78dd1225e
commit 798de8b59d
9 changed files with 12 additions and 12 deletions


@ -335,7 +335,7 @@ class SimpleSAML_Configuration {
public function getBaseURL() {
if (preg_match('/^\*(.*)$/', $this->getString('baseurlpath', 'simplesaml/'), $matches)) {
if (preg_match('/^\*(.*)$/D', $this->getString('baseurlpath', 'simplesaml/'), $matches)) {
return SimpleSAML_Utilities::getFirstPathElement(false) . $matches[1];
}


@ -472,7 +472,7 @@ class SimpleSAML_Utilities {
assert('is_null($timestamp) || is_int($timestamp)');
/* Parse the duration. We use a very strict pattern. */
$durationRegEx = '#^(-?)P(?:(?:(?:(\\d+)Y)?(?:(\\d+)M)?(?:(\\d+)D)?(?:T(?:(\\d+)H)?(?:(\\d+)M)?(?:(\\d+)S)?)?)|(?:(\\d+)W))$#';
$durationRegEx = '#^(-?)P(?:(?:(?:(\\d+)Y)?(?:(\\d+)M)?(?:(\\d+)D)?(?:T(?:(\\d+)H)?(?:(\\d+)M)?(?:(\\d+)S)?)?)|(?:(\\d+)W))$#D';
if (!preg_match($durationRegEx, $duration, $matches)) {
throw new Exception('Invalid ISO 8601 duration: ' . $duration);
}
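Review bot: The pattern on the new line still accepts durations with no components at all — `P`, `-P` and `PT` all match, because every date and time group is optional and the `T` designator may be followed by nothing; ISO 8601 requires at least one component, and a `T` must introduce at least one time component, so the "very strict pattern" comment overstates what is enforced. A follow-up check after the `preg_match` closes the first gap: `/* Every component group is optional, so also reject 'P', '-P' and 'PT'. */` `if (trim(implode('', array_slice($matches, 2))) === '') {` `throw new Exception('Invalid ISO 8601 duration: ' . $duration); }`. A dangling `T` such as `P1YT` would still pass and would need a separate check if strictness is the goal. The function body continues below the hunk.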


@ -252,7 +252,7 @@ class SimpleSAML_XHTML_Template {
}
/* Check whether we should use the default dictionary or a dictionary specified in the tag. */
if(substr($tag, 0, 1) === '{' && preg_match('/^{((?:\w+:)?\w+?):(.*)}$/', $tag, $matches)) {
if(substr($tag, 0, 1) === '{' && preg_match('/^{((?:\w+:)?\w+?):(.*)}$/D', $tag, $matches)) {
$dictionary = $matches[1];
$tag = $matches[2];
} else {
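Review bot: On the new line the `substr($tag, 0, 1) === '{'` guard duplicates the `^{` anchor of the regex that follows, so the same condition is tested twice. If it is a deliberate fast path to avoid running `preg_match` on ordinary tags, a short comment would make the intent clear — `/* Cheap pre-check: most tags carry no dictionary prefix, so skip the regex for them. */` — otherwise the guard can simply be dropped. The enclosing method continues on both sides of the hunk.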


@ -91,7 +91,7 @@ function storeTicket($ticket, $path, &$value ) {
function retrieveTicket($ticket, $path) {
if (!preg_match('/^_?[a-zA-Z0-9]+$/', $ticket)) throw new Exception('Invalid characters in ticket');
if (!preg_match('/^_?[a-zA-Z0-9]+$/D', $ticket)) throw new Exception('Invalid characters in ticket');
if (!is_dir($path))
throw new Exception('Directory for CAS Server ticket storage [' . $path . '] does not exists. ');
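Review bot: The `retrieveTicket` validation here is duplicated verbatim in the next file section, so this fix had to be applied in two places and the two copies can drift apart again. Moving the ticket check into one shared helper — e.g. `validateTicket($ticket)` throwing `Exception('Invalid characters in ticket')` — and calling it from both `storeTicket` and `retrieveTicket` would keep the pattern in one place; `storeTicket` presumably has a similar check above the hunk, which I cannot see. Separately, the message on the last context line reads `does not exists`; `does not exist` would be correct. The function body continues below the hunk.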


@ -72,7 +72,7 @@ function storeTicket($ticket, $path, &$value ) {
function retrieveTicket($ticket, $path) {
if (!preg_match('/^_?[a-zA-Z0-9]+$/', $ticket)) throw new Exception('Invalid characters in ticket');
if (!preg_match('/^_?[a-zA-Z0-9]+$/D', $ticket)) throw new Exception('Invalid characters in ticket');
if (!is_dir($path))
throw new Exception('Directory for CAS Server ticket storage [' . $path . '] does not exists. ');


@ -1,7 +1,7 @@
<?php
function logFilter($objFile, $tag, $cut){
if (!preg_match('/^[a-f0-9]{10}$/', $tag)) throw new Exception('Invalid search tag');
if (!preg_match('/^[a-f0-9]{10}$/D', $tag)) throw new Exception('Invalid search tag');
$i = 0;
$results = array();


@ -67,7 +67,7 @@ if (array_key_exists('protocol', $_GET)) {
$attr_test = array();
foreach ($_GET as $k => $v) {
if(preg_match('/^attr_test(?:_\d+)?$/', $k)) {
if(preg_match('/^attr_test(?:_\d+)?$/D', $k)) {
$pos = strpos($v, ':');
if($pos === FALSE) {
error('Invalid attribute test: $v');
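Review bot: The message on the last context line, `error('Invalid attribute test: $v');`, uses single quotes, so `$v` is never interpolated and the user sees the literal text `$v` rather than the offending value; this pre-dates the commit but sits in the hunk. Concatenate instead — `error('Invalid attribute test: ' . $v);` — and, if `error()` renders into HTML (its definition is not visible here), escape the value with `htmlspecialchars` first, since `$v` comes straight from `$_GET`. The `foreach` body continues past the hunk.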


@ -121,7 +121,7 @@ if (isset($_REQUEST['username'])) {
/*
* Checking username parameter for illegal characters.
*/
if (!preg_match('/^[a-z0-9._]+(@[a-z0-9._]+)?$/', $requestedUser) )
if (!preg_match('/^[a-z0-9._]+(@[a-z0-9._]+)?$/D', $requestedUser) )
throw new Exception('Illegal characters in (or empty) username.');
/*
@ -143,7 +143,7 @@ if (isset($_REQUEST['username'])) {
$requestedOrg = strtolower($_REQUEST['org']);
}
if (!preg_match('/^[a-z0-9.]*$/', $requestedOrg) )
if (!preg_match('/^[a-z0-9.]*$/D', $requestedOrg) )
throw new Exception('Illegal characters in organization.');
if (!array_key_exists($requestedOrg, $ldaporgconfig))
@ -159,7 +159,7 @@ if (isset($_REQUEST['username'])) {
$password = $_REQUEST['password'];
if (!preg_match('/^[a-zA-Z0-9.]+$/', $password) )
if (!preg_match('/^[a-zA-Z0-9.]+$/D', $password) )
throw new Exception('Illegal characters in password.');
/*
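Review bot: The password pattern on the new line of the last hunk, `/^[a-zA-Z0-9.]+$/D`, rejects any password containing a space or punctuation other than `.`, which blocks exactly the characters strong passwords tend to use and pushes users toward weaker credentials. If the purpose is to keep the value safe for the LDAP bind that presumably follows (outside the hunk, so I am inferring), escape it at the point of use with the LDAP library's filter/DN escaping instead, and reduce this check to a length bound, e.g. `if (strlen($password) === 0 || strlen($password) > 1024) throw new Exception('Illegal password length.');`. The username check in the first hunk constrains an identifier, so a character allow-list is a reasonable fit there; the org pattern accepts an empty string, which is then caught by the `array_key_exists` lookup. The enclosing `if (isset($_REQUEST['username']))` block extends beyond all three hunks.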


@ -129,7 +129,7 @@ try {
throw new SimpleSAML_Error_NotFound('The URL wasn\'t found in the module.');
}
if (preg_match('#\.php$#', $path)) {
if (preg_match('#\.php$#D', $path)) {
/* PHP file - attempt to run it. */
$_SERVER['SCRIPT_NAME'] .= '/' . $module . '/' . $url;
require($path);
@ -140,7 +140,7 @@ try {
/* Find MIME type for file, based on extension. */
$contentType = NULL;
if (preg_match('#\.([^/]+)$#', $path, $type)) {
if (preg_match('#\.([^/]+)$#D', $path, $type)) {
$type = strtolower($type[1]);
if (array_key_exists($type, $mimeTypes)) {
$contentType = $mimeTypes[$type];
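Review bot: The dispatch on the new line of the first hunk hands `$path` to `require()` only when it ends in exactly `.php`; everything else falls through to the branch in the second hunk, which appears to serve the file with a MIME type guessed from its extension, so with `D` a path ending in `.php` plus a trailing newline now takes the static branch instead of being executed. Whether that matters depends on the not-found check at the top of the first hunk, which I cannot see: if it tests the same `$path` string the file simply will not exist, but if any normalisation happens between that check and this `preg_match`, the raw source of a PHP file could be disclosed. A comment stating the invariant would help future readers, e.g. `/* $path has already been verified to exist inside the module's www directory; only an exact .php suffix is executed, everything else is served verbatim. */`, with the first clause confirmed against the code above. The `try` block continues outside both hunks.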