authorrobocoder <anthon.pang@gmail.com>2011-01-10 21:50:50 +0300
committerrobocoder <anthon.pang@gmail.com>2011-01-10 21:50:50 +0300
commit7191afd6d6bb443708886bb013a4155271ce40d3 (patch)
tree3d1228f9d062d31354836f629c825ec7bedb88d3 /libs/Zend/Auth
parentbae316c9500f56f78aa7b1c596d9ef38b8b50231 (diff)
fixes #1765 - updating to Zend Framework 1.11.2 with some modifications:
ZF-10888: loadClass() inconsistencies * Zend/Http/Client.php * Zend/Uri.php * Zend/Validate.php ZF-10890: include_path dependency and inconsistencies * Zend/Validate/Hostname.php refs #160 - added Zend_OpenId git-svn-id: http://dev.piwik.org/svn/trunk@3694 59fd770c-687e-43c8-a1e3-f5a4ff64c105
Diffstat (limited to 'libs/Zend/Auth')
-rw-r--r--libs/Zend/Auth/Adapter/DbTable.php24
-rw-r--r--libs/Zend/Auth/Adapter/Digest.php26
-rw-r--r--libs/Zend/Auth/Adapter/Http.php28
-rw-r--r--libs/Zend/Auth/Adapter/Ldap.php6
4 files changed, 64 insertions, 20 deletions
diff --git a/libs/Zend/Auth/Adapter/DbTable.php b/libs/Zend/Auth/Adapter/DbTable.php
index c0c06b82c6..3ea1a3bc1e 100644
--- a/libs/Zend/Auth/Adapter/DbTable.php
+++ b/libs/Zend/Auth/Adapter/DbTable.php
@@ -17,7 +17,7 @@
* @subpackage Adapter
* @copyright Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
- * @version $Id: DbTable.php 22614 2010-07-17 13:46:07Z dragonbe $
+ * @version $Id: DbTable.php 23484 2010-12-10 03:57:59Z mjh_ca $
*/
@@ -114,12 +114,12 @@ class Zend_Auth_Adapter_DbTable implements Zend_Auth_Adapter_Interface
* @var array
*/
protected $_resultRow = null;
-
+
/**
- * $_ambiguityIdentity - Flag to indicate same Identity can be used with
+ * $_ambiguityIdentity - Flag to indicate same Identity can be used with
* different credentials. Default is FALSE and need to be set to true to
* allow ambiguity usage.
- *
+ *
* @var boolean
*/
protected $_ambiguityIdentity = false;
@@ -159,7 +159,7 @@ class Zend_Auth_Adapter_DbTable implements Zend_Auth_Adapter_Interface
/**
* _setDbAdapter() - set the database adapter to be used for quering
*
- * @param Zend_Db_Adapter_Abstract
+ * @param Zend_Db_Adapter_Abstract
* @throws Zend_Auth_Adapter_Exception
* @return Zend_Auth_Adapter_DbTable
*/
@@ -178,7 +178,7 @@ class Zend_Auth_Adapter_DbTable implements Zend_Auth_Adapter_Interface
throw new Zend_Auth_Adapter_Exception('No database adapter present');
}
}
-
+
return $this;
}
@@ -265,12 +265,12 @@ class Zend_Auth_Adapter_DbTable implements Zend_Auth_Adapter_Interface
$this->_credential = $credential;
return $this;
}
-
+
/**
* setAmbiguityIdentity() - sets a flag for usage of identical identities
* with unique credentials. It accepts integers (0, 1) or boolean (true,
* false) parameters. Default is false.
- *
+ *
* @param int|bool $flag
* @return Zend_Auth_Adapter_DbTable
*/
@@ -284,9 +284,9 @@ class Zend_Auth_Adapter_DbTable implements Zend_Auth_Adapter_Interface
return $this;
}
/**
- * getAmbiguityIdentity() - returns TRUE for usage of multiple identical
+ * getAmbiguityIdentity() - returns TRUE for usage of multiple identical
* identies with different credentials, FALSE if not used.
- *
+ *
* @return bool
*/
public function getAmbiguityIdentity()
@@ -367,7 +367,7 @@ class Zend_Auth_Adapter_DbTable implements Zend_Auth_Adapter_Interface
$this->_authenticateSetup();
$dbSelect = $this->_authenticateCreateSelect();
$resultIdentities = $this->_authenticateQuerySelect($dbSelect);
-
+
if ( ($authResult = $this->_authenticateValidateResultSet($resultIdentities)) instanceof Zend_Auth_Result) {
return $authResult;
}
@@ -382,7 +382,7 @@ class Zend_Auth_Adapter_DbTable implements Zend_Auth_Adapter_Interface
}
$resultIdentities = $validIdentities;
}
-
+
$authResult = $this->_authenticateValidateResult(array_shift($resultIdentities));
return $authResult;
}
diff --git a/libs/Zend/Auth/Adapter/Digest.php b/libs/Zend/Auth/Adapter/Digest.php
index a099bef358..7e1e8bd82d 100644
--- a/libs/Zend/Auth/Adapter/Digest.php
+++ b/libs/Zend/Auth/Adapter/Digest.php
@@ -17,7 +17,7 @@
* @subpackage Adapter
* @copyright Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
- * @version $Id: Digest.php 20096 2010-01-06 02:05:09Z bkarwin $
+ * @version $Id: Digest.php 23484 2010-12-10 03:57:59Z mjh_ca $
*/
@@ -213,7 +213,7 @@ class Zend_Auth_Adapter_Digest implements Zend_Auth_Adapter_Interface
while ($line = trim(fgets($fileHandle))) {
if (substr($line, 0, $idLength) === $id) {
- if (substr($line, -32) === md5("$this->_username:$this->_realm:$this->_password")) {
+ if ($this->_secureStringCompare(substr($line, -32), md5("$this->_username:$this->_realm:$this->_password"))) {
$result['code'] = Zend_Auth_Result::SUCCESS;
} else {
$result['code'] = Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID;
@@ -227,4 +227,26 @@ class Zend_Auth_Adapter_Digest implements Zend_Auth_Adapter_Interface
$result['messages'][] = "Username '$this->_username' and realm '$this->_realm' combination not found";
return new Zend_Auth_Result($result['code'], $result['identity'], $result['messages']);
}
+
+ /**
+ * Securely compare two strings for equality while avoided C level memcmp()
+ * optimisations capable of leaking timing information useful to an attacker
+ * attempting to iteratively guess the unknown string (e.g. password) being
+ * compared against.
+ *
+ * @param string $a
+ * @param string $b
+ * @return bool
+ */
+ protected function _secureStringCompare($a, $b)
+ {
+ if (strlen($a) !== strlen($b)) {
+ return false;
+ }
+ $result = 0;
+ for ($i = 0; $i < strlen($a); $i++) {
+ $result |= ord($a[$i]) ^ ord($b[$i]);
+ }
+ return $result == 0;
+ }
}
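Review bot: `_secureStringCompare` added at the end of this hunk should end with `return $result === 0;` rather than the loose `==`, and `strlen($a)` is re-evaluated on every loop iteration; hoisting it with `$len = strlen($a);` before the loop and `for ($i = 0; $i < $len; $i++)` keeps the bound fixed. The docblock sentence "while avoided C level memcmp() optimisations" should read "while avoiding". The identical helper is added verbatim to Http.php in this same commit, so the two private copies will drift; a single shared helper both adapters call would be preferable. For this adapter the early length return is harmless, since both sides of the call at the top of the file are 32-character md5 hex strings.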
diff --git a/libs/Zend/Auth/Adapter/Http.php b/libs/Zend/Auth/Adapter/Http.php
index d645d8db93..595a30cb23 100644
--- a/libs/Zend/Auth/Adapter/Http.php
+++ b/libs/Zend/Auth/Adapter/Http.php
@@ -17,7 +17,7 @@
* @subpackage Zend_Auth_Adapter_Http
* @copyright Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
- * @version $Id: Http.php 20096 2010-01-06 02:05:09Z bkarwin $
+ * @version $Id: Http.php 23484 2010-12-10 03:57:59Z mjh_ca $
*/
@@ -538,7 +538,7 @@ class Zend_Auth_Adapter_Http implements Zend_Auth_Adapter_Interface
}
$password = $this->_basicResolver->resolve($creds[0], $this->_realm);
- if ($password && $password == $creds[1]) {
+ if ($password && $this->_secureStringCompare($password, $creds[1])) {
$identity = array('username'=>$creds[0], 'realm'=>$this->_realm);
return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
} else {
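Review bot: The new check `$password && $this->_secureStringCompare($password, $creds[1])` still leaks the length of the stored credential: `_secureStringCompare` returns as soon as `strlen($a) !== strlen($b)`, so a client sending guesses of varying length can observe which length runs the full loop. For Basic auth the resolver value is presumably the plaintext password (confirm against the resolver implementation), so hashing both sides to a fixed width before the compare is the usual fix, e.g. `$this->_secureStringCompare(hash('sha256', $password), hash('sha256', $creds[1]))`. The truthiness test on `$password` also rejects a stored password of `'0'`; that predates this change and depends on what `resolve()` returns on a miss, so tighten it only if that contract is `false`/`''`. The enclosing method starts and ends outside the hunk.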
@@ -640,7 +640,7 @@ class Zend_Auth_Adapter_Http implements Zend_Auth_Adapter_Interface
// If our digest matches the client's let them in, otherwise return
// a 401 code and exit to prevent access to the protected resource.
- if ($digest == $data['response']) {
+ if ($this->_secureStringCompare($digest, $data['response'])) {
$identity = array('username'=>$data['username'], 'realm'=>$data['realm']);
return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
} else {
@@ -844,4 +844,26 @@ class Zend_Auth_Adapter_Http implements Zend_Auth_Adapter_Interface
return $data;
}
+
+ /**
+ * Securely compare two strings for equality while avoided C level memcmp()
+ * optimisations capable of leaking timing information useful to an attacker
+ * attempting to iteratively guess the unknown string (e.g. password) being
+ * compared against.
+ *
+ * @param string $a
+ * @param string $b
+ * @return bool
+ */
+ protected function _secureStringCompare($a, $b)
+ {
+ if (strlen($a) !== strlen($b)) {
+ return false;
+ }
+ $result = 0;
+ for ($i = 0; $i < strlen($a); $i++) {
+ $result |= ord($a[$i]) ^ ord($b[$i]);
+ }
+ return $result == 0;
+ }
}
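Review bot: The docblock on `_secureStringCompare` omits its one important caveat: it returns early when the lengths differ, so the length of the expected value is observable through timing and the compare is only constant-time for fixed-width inputs such as the hex digest checked earlier in this file; add `* Note: returns early on a length mismatch, so callers comparing variable-length secrets should hash both inputs to a fixed width first.` to the docblock. `return $result === 0;` is preferable to the loose `==`. The byte-wise `strlen`/`ord` loop is correct for this purpose and should not be replaced with `mb_*` functions.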
diff --git a/libs/Zend/Auth/Adapter/Ldap.php b/libs/Zend/Auth/Adapter/Ldap.php
index 20f31c1fe0..05f5d2168e 100644
--- a/libs/Zend/Auth/Adapter/Ldap.php
+++ b/libs/Zend/Auth/Adapter/Ldap.php
@@ -17,7 +17,7 @@
* @subpackage Zend_Auth_Adapter
* @copyright Copyright (c) 2005-2010 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
- * @version $Id: Ldap.php 21320 2010-03-04 16:05:09Z sgehrig $
+ * @version $Id: Ldap.php 23486 2010-12-10 04:05:30Z mjh_ca $
*/
/**
@@ -335,8 +335,8 @@ class Zend_Auth_Adapter_Ldap implements Zend_Auth_Adapter_Interface
$messages[1] = '';
$messages[] = "$canonicalName authentication successful";
if ($requireRebind === true) {
- // rebinding with authenticated user
- $ldap->bind($dn, $password);
+ // rebinding with authenticated user
+ $ldap->bind($dn, $password);
}
return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $canonicalName, $messages);
} else {