From 3f69661570e0843d73ffb99790eb437ccbbae6f0 Mon Sep 17 00:00:00 2001
From: Andreas Heigl
Date: Sun, 10 Mar 2024 09:24:57 +0100
Subject: [PATCH] Escape Form-values

This should eliminate the risk of injecting JS into form field values. Adding backslashes or quotes in any of the fields will result in a backslash-escaped value. Should these values be stored more than once the amount of backslashes will exponentially grow. This is a side effect of these values not being expected in the fields in the first place.

This should also fix CVE-2023-41655 as now injecting JS will no longer result in that being executed in the UI.

For more discussion around this CVE see https://github.com/heiglandreas/authLdap/issues/237
---
 view/admin.phtml | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/view/admin.phtml b/view/admin.phtml index f06b07b..779ba26 100644 --- a/view/admin.phtml +++ b/view/admin.phtml @@ -101,7 +101,7 @@ + class="regular-text" value=""/>

The URI for connecting to the LDAP-Server. This usualy takes the form @@ -139,7 +139,7 @@ + class="regular-text" value=""/>

A separator that separates multiple LDAP-URIs from one another. You can use that feature to try to authenticate against multiple LDAP-Servers @@ -152,7 +152,7 @@ - /> + />

Use StartTLS for encryption of ldap connections. This setting is not to be used in combination with ldaps connections (ldap:// only).

@@ -163,7 +163,7 @@ + class="regular-text" value=""/>

Please provide a valid filter that can be used for querying the LDAP @@ -190,7 +190,7 @@ - />
+ />

If checked the plugin will use the user's account to query their own information. If not it will use the admin account.

@@ -203,7 +203,7 @@
+ class="regular-text" value=""/>

Which Attribute from the LDAP contains the Full or the First name of the user trying to log in. @@ -220,7 +220,7 @@ + class="regular-text" value="" />

If the above Name-Attribute only contains the First Name of the user you can here specify an Attribute that contains the second name. @@ -236,7 +236,7 @@ + class="regular-text" value="" />

Please give the Attribute, that is used to identify the user. This should be the same as you used in the above Filter-Option @@ -252,7 +252,7 @@ + class="regular-text" value="" />

Which Attribute holds the eMail-Address of the user?

@@ -270,7 +270,7 @@ + class="regular-text" value="" />

If your users have a personal page (URI) stored in the LDAP, it can be provided here. @@ -291,7 +291,7 @@ get_names() as $group => $vals) : ?> @@ -317,7 +317,7 @@ - /> + />

If role determined by LDAP Group differs from existing Wordpress User's role, use LDAP Group.

@@ -329,7 +329,7 @@ + class="regular-text" value="" />

This is the base dn to lookup groups.

@@ -344,7 +344,7 @@ + class="regular-text" value="" />

This is the attribute that defines the Group-ID that can be matched against the Groups defined further down @@ -360,7 +360,7 @@ + class="regular-text" value="" />

This attribute defines the separator used for the Group-IDs listed in the Groups defined further down. This is useful if the value of Group-Attribute @@ -378,7 +378,7 @@ + class="regular-text" value="" />

Here you can add the filter for selecting groups for ther currentlly logged in user @@ -416,12 +416,12 @@
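Review bot: if the escaping applied in these hunks is the backslash-escaping the commit message describes, it does not close the attribute-injection vector the patch is meant to fix, because HTML does not treat a backslash as an escape character: a quote that has been turned into `\"` still contains a literal double quote and still terminates the `value="…"` attribute on every text input touched here (@@ -101, -139, -163, -203, -220, -236, -252, -270, -329, -344, -360, -378). The correct treatment for an attribute value is HTML-entity encoding at the point of output, in WordPress `esc_attr()` (or `htmlspecialchars()` with `ENT_QUOTES` outside WordPress), applied in the template and never written back into the stored option; that also removes the "backslashes grow on every save" side effect the message acknowledges, since the stored setting is left untouched and rendering becomes idempotent. The same applies to the three checkbox hunks (@@ -152, -190, -317) if they emit a computed attribute. Two caveats on what can be verified from this view: the PHP expression between `value="` and `"` has been stripped from every `+` line, and the removed and added lines of the checkbox hunks render identically, so neither the escaping function actually used nor the checkbox change can be confirmed here. A regression test that saves a value containing a quote and a backslash, reloads the settings page, and asserts both that the rendered attribute stays intact and that the stored value is unchanged after a second save would turn the "should" in the message into a verified claim for CVE-2023-41655.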