Merge branch 'security/zf2014-05'

weierophinney · weierophinney · commit 1def582b9228 · 2014-09-16T15:41:53.000-05:00
ZF2014-05 patch
diff --git a/README.md b/README.md
@@ -13,6 +13,16 @@ Released on MMMMM DD, YYYY.
 IMPORTANT FIXES FOR 1.12.9
 --------------------------
 
+**This release contains security updates:**
+
+- **ZF2014-05:** Due to an issue that existed in PHP's LDAP extension, it is
+  possible to perform an unauthenticated simple bind against a LDAP server by
+  using a null byte for the password, regardless of whether or not the user
+  normally requires a password. We have provided a patch in order to protect
+  users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
+  versions of PHP 5.3 and below). If you use `Zend_Ldap` and are on an affected
+  version of PHP, we recommend upgrading immediately.
+
 See http://framework.zend.com/changelog for full details.
 
 NEW FEATURES
diff --git a/library/Zend/Ldap.php b/library/Zend/Ldap.php
@@ -814,6 +814,10 @@ public function bind($username = null, $password = null)
     {
         $moreCreds = true;
 
+        // Security check: remove null bytes in password
+        // @see https://net.educause.edu/ir/library/pdf/csd4875.pdf
+        $password = str_replace("\0", '', $password);
+
         if ($username === null) {
             $username = $this->_getUsername();
             $password = $this->_getPassword();
diff --git a/tests/Zend/Ldap/BindTest.php b/tests/Zend/Ldap/BindTest.php
@@ -260,4 +260,14 @@ public function testResourceIsAlwaysReturned()
         $this->assertTrue(is_resource($ldap->getResource()));
         $this->assertEquals(TESTS_ZEND_LDAP_USERNAME, $ldap->getBoundUser());
     }
+
+    /**
+     * @see https://net.educause.edu/ir/library/pdf/csd4875.pdf
+     */
+    public function testBindWithNullPassword()
+    {
+        $ldap = new Zend_Ldap($this->_options);
+        $this->setExpectedException('Zend_Ldap_Exception', 'Invalid credentials');
+        $ldap->bind($this->_altUsername, "\0invalidpassword");
+    }
 }
