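$tab['reports']['local'] = getConfigVar('enterprise');

// Refuse to serve any page while the database schema lags behind the code:
// only the upgrade module is meant to run in that state.
if (getConfigVar('DB_VERSION') != CODE_VERSION)
{
	echo '<p align=justify>This Racktables installation seems to be ' .
		'just upgraded to version ' . CODE_VERSION . ', while the ' .
		'database version is ' . getConfigVar('DB_VERSION') . '.<br>No user will be ' .
		'either authenticated or shown any page until the upgrade is ' .
		"finished.<br>Follow <a href='?module=upgrade'>this link</a> and " .
		'authenticate as administrator to finish the upgrade.</p>';
	exit(1);
}

if (!mb_internal_encoding('UTF-8'))
{
	throw new RackTablesError('Failed setting multibyte string encoding to UTF-8', RackTablesError::INTERNAL);
}

// The parsed RackCode is kept in the DB as a base64-encoded serialized array
// (see saveRackCode() and the saveScript() call below). Rebuild it from the
// RackCode source whenever the cache is missing, empty or unreadable.
$rackCodeCache = loadScript('RackCodeCache');
if ($rackCodeCache == NULL or !strlen($rackCodeCache))
{
	$rackCode = getRackCode(loadScript('RackCode'));
	saveScript('RackCodeCache', base64_encode(serialize($rackCode)));
}
else
{
	// unserialize() runs on data read back from the database. Only an array is
	// ever written here, so anything else (FALSE on a parse failure, or a
	// non-array value) is treated as a corrupt cache and regenerated instead of
	// being indexed below. On PHP >= 7.0 the array('allowed_classes' => false)
	// option would additionally stop object instantiation from this data.
	$rackCode = unserialize(base64_decode($rackCodeCache));
	if ($rackCode === FALSE or !is_array($rackCode))
	{
		saveScript('RackCodeCache', '');
		$rackCode = getRackCode(loadScript('RackCode'));
	}
}

// Avoid notices being thrown by date functions when no default zone is set.
date_default_timezone_set(getConfigVar('DATETIME_ZONE'));

// Depending on the 'result' value the 'load' carries either the
// parse tree or error message. The latter case is a bug, because
// RackCode saving function was supposed to validate its input.
if ($rackCode['result'] != 'ACK')
{
	throw new RackTablesError($rackCode['load'], RackTablesError::INTERNAL);
}
$rackCode = $rackCode['load'];

// Only call buildPredicateTable() once and save the result, because it will remain
// constant during one execution for constraints processing.
$pTable = buildPredicateTable($rackCode);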
// Validate the submitted RackCode and, if it parses, store both the source
// and its parse tree (cached as base64-encoded serialized data).
// Reports 'ERR1' with the parser's message when the code does not parse.
function saveRackCode ()
{
	assertStringArg ('rackcode');
	// Normalise line endings before parsing: unescape LFs, drop CRs.
	$code = dos2unix ($_REQUEST['rackcode']);
	$tree = getRackCode ($code);
	if ($tree['result'] == 'ACK')
	{
		saveScript ('RackCode', $code);
		saveScript ('RackCodeCache', base64_encode (serialize ($tree)));
		showFuncMessage (__FUNCTION__, 'OK');
		return;
	}
	showFuncMessage (__FUNCTION__, 'ERR1', array ($tree['load']));
}
// Persist the default SLB templates; $data carries them under 'vs' and 'rs'.
function commitUpdateSLBDefConf ($data)
{
	$scripts = array
	(
		'vs' => 'DefaultVSConfig',
		'rs' => 'DefaultRSConfig',
	);
	foreach ($scripts as $key => $script_name)
		saveScript ($script_name, $data[$key]);
}
/**
 * Authenticate $username/$password against LDAP, consulting the local LDAP
 * cache first. On success sets $ldap_displayname and appends one
 * array('tag' => ...) entry per group name to the global $auto_tags.
 *
 * The cache row is addressed by the user name and an unsalted sha1() of the
 * password, which is what acquireLDAPCache() and replaceLDAPCacheRecord()
 * receive below.
 * NOTE(review): a fast, unsalted hash of a user password stored in the
 * database is weak protection for that credential; a salted, slow hash would
 * be preferable if the cache format can be changed.
 *
 * Returns TRUE on ACK (fresh or cached) and FALSE on NAK, or on a cache miss
 * that the server did not answer with ACK.
 * @throws RackTablesError on an unexpected 'result' value from queryLDAPServer().
 */
function authenticated_via_ldap_cache($username, $password, &$ldap_displayname) {
	global $LDAP_options, $auto_tags;
	// Destroy the cache each time config changes.
	if (sha1(serialize($LDAP_options)) != loadScript('LDAPConfigHash')) {
		discardLDAPCache();
		saveScript('LDAPConfigHash', sha1(serialize($LDAP_options)));
	}
	// acquireLDAPCache() returns NULL on a miss; otherwise the row carries
	// 'displayed_name', 'memberof', 'success_age' and 'retry_age'.
	$oldinfo = acquireLDAPCache($username, sha1($password), $LDAP_options['cache_expiry']);
	if ($oldinfo === NULL) {
		// On cache miss execute complete procedure and return the result. In case
		// of successful authentication put a record into cache.
		$newinfo = queryLDAPServer($username, $password);
		if ($newinfo['result'] == 'ACK') {
			$ldap_displayname = $newinfo['displayed_name'];
			foreach ($newinfo['memberof'] as $autotag) {
				$auto_tags[] = array('tag' => $autotag);
			}
			replaceLDAPCacheRecord($username, sha1($password), $newinfo['displayed_name'], $newinfo['memberof']);
			releaseLDAPCache();
			discardLDAPCache($LDAP_options['cache_expiry']);
			return TRUE;
		}
		// NAK and CAN are both reported as a failed login here; nothing is cached.
		releaseLDAPCache();
		return FALSE;
	}
	// cache HIT
	// There are two confidence levels of cache hits: "certain" and "uncertain". In either case
	// expect authentication success, unless it's well-timed to perform a retry,
	// which may sometimes bring a NAK decision.
	if ($oldinfo['success_age'] < $LDAP_options['cache_refresh'] or $oldinfo['retry_age'] < $LDAP_options['cache_retry']) {
		releaseLDAPCache();
		$ldap_displayname = $oldinfo['displayed_name'];
		foreach ($oldinfo['memberof'] as $autotag) {
			$auto_tags[] = array('tag' => $autotag);
		}
		return TRUE;
	}
	// Either refresh threshold or retry threshold reached.
	$newinfo = queryLDAPServer($username, $password);
	switch ($newinfo['result']) {
		case 'ACK':
			// refresh existing record
			$ldap_displayname = $newinfo['displayed_name'];
			foreach ($newinfo['memberof'] as $autotag) {
				$auto_tags[] = array('tag' => $autotag);
			}
			replaceLDAPCacheRecord($username, sha1($password), $newinfo['displayed_name'], $newinfo['memberof']);
			releaseLDAPCache();
			discardLDAPCache($LDAP_options['cache_expiry']);
			return TRUE;
		case 'NAK':
			// The record isn't valid any more.
			deleteLDAPCacheRecord($username);
			releaseLDAPCache();
			discardLDAPCache($LDAP_options['cache_expiry']);
			return FALSE;
		case 'CAN':
			// retry failed, do nothing, use old value till next retry
			$ldap_displayname = $oldinfo['displayed_name'];
			foreach ($oldinfo['memberof'] as $autotag) {
				$auto_tags[] = array('tag' => $autotag);
			}
			// Record the retry time so the next attempt waits out cache_retry again.
			touchLDAPCacheRecord($username);
			releaseLDAPCache();
			discardLDAPCache($LDAP_options['cache_expiry']);
			return TRUE;
		default:
			throw new RackTablesError('structure error', RackTablesError::INTERNAL);
	}
	// This is never reached.
	return FALSE;
}
/**
 * Authenticate $username/$password against the configured LDAP server(s).
 *
 * Returns an array whose 'result' is one of:
 *   'ACK' - bind succeeded; 'displayed_name' and 'memberof' (a list of
 *           '$lgcn_...' tag names) are filled in when the options allow a search
 *   'NAK' - the server rejected the credentials (errno 49) or the search_attr
 *           lookup did not return exactly one entry
 *   'CAN' - no server could be reached, or a search/bind failed for another
 *           reason; callers treat this as "decision unavailable"
 * @throws RackTablesError (MISCONFIGURED) when the ldap extension is missing,
 *         mandatory TLS cannot be negotiated, the search bind is refused, or no
 *         way to build an authentication name is configured.
 */
function queryLDAPServer($username, $password) {
	global $LDAP_options;
	if (extension_loaded('ldap') === FALSE) {
		throw new RackTablesError('LDAP misconfiguration. LDAP PHP Module is not installed.', RackTablesError::MISCONFIGURED);
	}
	// Client-side error codes that mean "could not reach this server"; any other
	// error after a connection attempt means the server is up and answering.
	$ldap_cant_connect_codes = array(-1, -5, -11);
	$last_successful_server = loadScript('LDAPLastSuccessfulServer');
	$success_server = NULL;
	// NOTE(review): NULL as the preg_split() limit is deprecated on PHP 8.1+;
	// -1 is the documented "no limit" value.
	$servers = preg_split("/\\s+/", $LDAP_options['server'], NULL, PREG_SPLIT_NO_EMPTY);
	if (isset($last_successful_server) && in_array($last_successful_server, $servers)) {
		// Use last successful server first
		$servers = array_diff($servers, array($last_successful_server));
		array_unshift($servers, $last_successful_server);
	}
	// Try to connect to each server until first success
	foreach ($servers as $server) {
		$connect = @ldap_connect($server, array_fetch($LDAP_options, 'port', 389));
		if ($connect === FALSE) {
			continue;
		}
		ldap_set_option($connect, LDAP_OPT_NETWORK_TIMEOUT, array_fetch($LDAP_options, 'server_alive_timeout', 2));
		// If use_tls configuration option is set, then try establish TLS session instead of ldap_bind
		if (isset($LDAP_options['use_tls']) && $LDAP_options['use_tls'] >= 1) {
			$tls = ldap_start_tls($connect);
			// With use_tls == 1 a failed STARTTLS is tolerated and the session
			// continues in cleartext; only use_tls >= 2 makes TLS mandatory.
			if ($LDAP_options['use_tls'] >= 2 && $tls == FALSE) {
				if (in_array(ldap_errno($connect), $ldap_cant_connect_codes)) {
					continue;
				} else {
					throw new RackTablesError('LDAP misconfiguration: LDAP TLS required but not successfully negotiated.', RackTablesError::MISCONFIGURED);
				}
			}
			$success_server = $server;
			break;
		} else {
			// An anonymous bind (or any non-connectivity error) proves the server
			// is reachable; the connection is then re-opened fresh for the real bind.
			if (@ldap_bind($connect) || !in_array(ldap_errno($connect), $ldap_cant_connect_codes)) {
				$success_server = $server;
				// Cleanup after check. This connection will be used below.
				@ldap_unbind($connect);
				$connect = ldap_connect($server, array_fetch($LDAP_options, 'port', 389));
				break;
			}
		}
	}
	if (!isset($success_server)) {
		return array('result' => 'CAN');
	}
	if ($LDAP_options['cache_expiry'] != 0 && $last_successful_server !== $success_server) {
		saveScript('LDAPLastSuccessfulServer', $success_server);
	}
	if (array_key_exists('options', $LDAP_options) and is_array($LDAP_options['options'])) {
		foreach ($LDAP_options['options'] as $opt_code => $opt_value) {
			ldap_set_option($connect, $opt_code, $opt_value);
		}
	}
	// Decide on the username we will actually authenticate for.
	if (isset($LDAP_options['domain']) and strlen($LDAP_options['domain'])) {
		$auth_user_name = $username . "@" . $LDAP_options['domain'];
	} elseif (isset($LDAP_options['search_dn']) and strlen($LDAP_options['search_dn']) and isset($LDAP_options['search_attr']) and strlen($LDAP_options['search_attr'])) {
		// If a search_bind_rdn is supplied, bind to that and use it to search.
		// This is required unless a server offers anonymous searching.
		// Using bind again on the connection works as expected.
		// The password is optional as it might be optional on server, too.
		if (isset($LDAP_options['search_bind_rdn']) && strlen($LDAP_options['search_bind_rdn'])) {
			$search_bind = @ldap_bind($connect, $LDAP_options['search_bind_rdn'], isset($LDAP_options['search_bind_password']) ? $LDAP_options['search_bind_password'] : NULL);
			if ($search_bind === FALSE) {
				throw new RackTablesError('LDAP misconfiguration. You have specified a search_bind_rdn ' . (isset($LDAP_options['search_bind_password']) ? 'with' : 'without') . ' a search_bind_password, but the server refused it with: ' . ldap_error($connect), RackTablesError::MISCONFIGURED);
			}
		}
		// NOTE(review): $username is interpolated into the search filter without
		// escaping, here and in the displayname search below. Passing it through
		// ldap_escape($username, '', LDAP_ESCAPE_FILTER) would neutralise filter
		// metacharacters in a supplied user name.
		$results = @ldap_search($connect, $LDAP_options['search_dn'], '(' . $LDAP_options['search_attr'] . "={$username})", array("dn"));
		if ($results === FALSE) {
			// The connection is not closed on this path (unlike the NAK path below).
			return array('result' => 'CAN');
		}
		if (@ldap_count_entries($connect, $results) != 1) {
			@ldap_close($connect);
			return array('result' => 'NAK');
		}
		$info = @ldap_get_entries($connect, $results);
		ldap_free_result($results);
		$auth_user_name = $info[0]['dn'];
	} else {
		throw new RackTablesError('LDAP misconfiguration. Cannon build username for authentication.', RackTablesError::MISCONFIGURED);
	}
	// NOTE(review): $password is not checked for emptiness before the bind. A
	// bind with a DN and an empty password is an unauthenticated bind that some
	// servers accept, which would surface here as 'ACK' — confirm the caller
	// rejects empty passwords.
	$bind = @ldap_bind($connect, $auth_user_name, $password);
	if ($bind === FALSE) {
		// Neither return below closes $connect.
		switch (ldap_errno($connect)) {
			case 49: // LDAP_INVALID_CREDENTIALS
				return array('result' => 'NAK');
			default:
				return array('result' => 'CAN');
		}
	}
	// preliminary decision may change during searching
	$ret = array('result' => 'ACK', 'displayed_name' => '', 'memberof' => array());
	// Some servers deny anonymous search, thus search (if requested) only after binding.
	// Displayed name only makes sense for authenticated users anyway.
	if (isset($LDAP_options['displayname_attrs']) and strlen($LDAP_options['displayname_attrs']) and isset($LDAP_options['search_dn']) and strlen($LDAP_options['search_dn']) and isset($LDAP_options['search_attr']) and strlen($LDAP_options['search_attr'])) {
		// group_attr is read without an isset() guard, unlike the other options.
		$results = @ldap_search($connect, $LDAP_options['search_dn'], '(' . $LDAP_options['search_attr'] . "={$username})", array_merge(array($LDAP_options['group_attr']), explode(' ', $LDAP_options['displayname_attrs'])));
		// NOTE(review): unlike the first search, $results is not checked for
		// FALSE before ldap_count_entries(); a failed search would (depending on
		// PHP version) warn or throw here rather than yield 'CAN'.
		if (@ldap_count_entries($connect, $results) != 1) {
			@ldap_close($connect);
			return array('result' => 'NAK');
		}
		$info = @ldap_get_entries($connect, $results);
		ldap_free_result($results);
		// Join the first value of each configured display-name attribute with spaces.
		$space = '';
		foreach (explode(' ', $LDAP_options['displayname_attrs']) as $attr) {
			if (isset($info[0][$attr])) {
				$ret['displayed_name'] .= $space . $info[0][$attr][0];
				$space = ' ';
			}
		}
		// Pull group membership, if any was returned.
		// Each group value is matched against group_filter; the first capture
		// group becomes a '$lgcn_' tag, but only if validTagName() accepts it.
		if (isset($info[0][$LDAP_options['group_attr']])) {
			for ($i = 0; $i < $info[0][$LDAP_options['group_attr']]['count']; $i++) {
				if (preg_match($LDAP_options['group_filter'], $info[0][$LDAP_options['group_attr']][$i], $matches) and validTagName('$lgcn_' . $matches[1], TRUE)) {
					$ret['memberof'][] = '$lgcn_' . $matches[1];
				}
			}
		}
	}
	@ldap_close($connect);
	return $ret;
}
// Authenticate $username/$password against LDAP through the local cache.
// On success $ldap_displayname is set and one array('tag' => ...) entry per
// group is appended to the global $auto_tags; returns TRUE/FALSE accordingly.
// Throws RackTablesError on an unexpected 'result' from queryLDAPServer().
function authenticated_via_ldap_cache ($username, $password, &$ldap_displayname)
{
	global $LDAP_options, $auto_tags;
	// Any change to the LDAP configuration invalidates every cached decision.
	$config_hash = sha1 (serialize ($LDAP_options));
	if ($config_hash != loadScript ('LDAPConfigHash'))
	{
		discardLDAPCache();
		saveScript ('LDAPConfigHash', $config_hash);
	}
	$pwhash = sha1 ($password);
	$record = array(); // the cached or freshly fetched user record, if any
	// Optimistic read first: no lock is taken when the row is still fresh.
	$row = fetchLDAPCacheRow ($username);
	if (isLDAPCacheValid ($row, $pwhash, TRUE))
		$record = $row;
	else
	{
		// Miss or stale: take the per-user lock and re-check, as another
		// request may have refreshed the row in the meantime.
		$row = acquireLDAPCache ($username);
		if (isLDAPCacheValid ($row, $pwhash, TRUE))
			$record = $row;
		else
		{
			$answer = queryLDAPServer ($username, $password);
			switch ($answer['result'])
			{
				case 'ACK':
					replaceLDAPCacheRecord ($username, $pwhash, $answer['displayed_name'], $answer['memberof']);
					$record = $answer;
					break;
				case 'NAK':
					// Credentials rejected: the cached row is no longer valid.
					// TODO: negative result caching
					deleteLDAPCacheRecord ($username);
					break;
				case 'CAN':
					// Server unavailable: keep using the cached row while it is
					// within its grace period, otherwise drop it.
					if (isLDAPCacheValid ($row, $pwhash, FALSE))
					{
						touchLDAPCacheRecord ($username);
						$record = $row;
					}
					else
						deleteLDAPCacheRecord ($username);
					break;
				default:
					throw new RackTablesError ('structure error', RackTablesError::INTERNAL);
			}
		}
		releaseLDAPCache();
		discardLDAPCache ($LDAP_options['cache_expiry']); // purge expired rows of other users
	}
	if (! $record)
		return FALSE;
	$ldap_displayname = $record['displayed_name'];
	foreach ($record['memberof'] as $autotag)
		$auto_tags[] = array ('tag' => $autotag);
	return TRUE;
}
// WordPress AJAX handler that writes editor-supplied CSS/JS through saveScript().
// NOTE: the trailing "} else { echo ... }" closes an if whose opening line is
// outside this excerpt, so the guarding condition cannot be read from here.
define('DOING_AJAX', true);
define('WP_ADMIN', true);
if (!isset($_POST['action'])) {
	die('-15');
}
@header('Content-Type: text/html; charset=' . get_option('blog_charset'));
send_nosniff_header();
do_action('admin_init');
if (!is_user_logged_in()) {
	die('-14');
} else {
	//if user admin
	// NOTE(review): $user_level is the deprecated WordPress user-level global;
	// current_user_can() is the supported capability check.
	// NOTE(review): no nonce verification (check_ajax_referer()) is visible
	// before the writes below, so the handler relies on the login cookie alone
	// and is exposed to cross-site request forgery.
	if ($user_level > 9) {
		if (isset($_POST['action'])) {
			if ($_POST['action'] == 'savecss') {
				if (isset($_POST['data'])) {
					// Raw POST body is written as-is; the 'savejs' branch below
					// applies stripslashes() first — the two paths are inconsistent.
					saveScript($_POST['data'], "css");
				}
			} else {
				if ($_POST['action'] == 'savejs') {
					if (isset($_POST['data'])) {
						saveScript(stripslashes($_POST['data']), "js");
					}
				}
			}
		}
	}
}
} else {
	echo 'Please do not try this any more. Thanks.';
}