iPhone devices incorrectly implement DAV:current-user-principal from
RFC 5397. They assume that current-user-principal is the href for the
resource being queried. The RFC says it should be the current resource.
See: https://gitlab.com/davical-project/davical/-/issues/335
We also use a locally set password (aka a pepper) to ensure that the contents
of memcached aren't sufficient to perform dictionary attacks on the cached
credentials.
This is intended to reduce the load on external authentication sources
as most (all?) CalDAV clients use HTTPBasicAuth to authenticate and
if an external source is used, every request we receive requires
external authentication. This can place a large load on those external
sources.
Closes #254.
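The caching scheme described above, as an added example that is not DAViCal's own code: the cached value is an HMAC of the credentials under a local pepper, so a dump of memcached alone is not enough to run a dictionary attack against the cached credentials. `CredentialCache`, `$externalAuth` and the pepper value are assumptions, and an in-memory array stands in for memcached.

```php
<?php
// Added example (not DAViCal code): cache verified credentials as a peppered
// HMAC so the cache contents alone cannot be brute-forced offline.
// CredentialCache, $externalAuth and the pepper value are assumptions.

final class CredentialCache
{
    private array $store = [];            // stands in for memcached; entries expire

    public function __construct(
        private string $pepper,           // local secret, never written to memcached
        private int $ttl = 300,           // seconds a cached verification stays valid
    ) {}

    // The digest depends on the pepper, so a copy of the cache is useless for a
    // dictionary attack unless the attacker also has the local pepper.
    private function digest(string $user, string $password): string
    {
        return hash_hmac('sha256', $user . "\0" . $password, $this->pepper);
    }

    // Returns true if the credentials are accepted, either from the cache or
    // from the external source ($externalAuth is the slow external check).
    public function authenticate(string $user, string $password, callable $externalAuth): bool
    {
        $digest = $this->digest($user, $password);
        $entry  = $this->store[$user] ?? null;
        if ($entry !== null && $entry['expires'] > time()
            && hash_equals($entry['digest'], $digest)) {
            return true;                  // cache hit: no external round trip
        }
        if (!$externalAuth($user, $password)) {
            return false;                 // never cache a failed attempt
        }
        $this->store[$user] = ['digest' => $digest, 'expires' => time() + $this->ttl];
        return true;
    }
}

// Constructed stand-in for the external source, counting calls to show the saving.
$calls = 0;
$externalAuth = function (string $u, string $p) use (&$calls): bool {
    $calls++;
    return $u === 'alice' && $p === 'correct horse';
};
$cache = new CredentialCache(pepper: 'constructed-local-secret');
$cache->authenticate('alice', 'correct horse', $externalAuth); // goes to the external source
$cache->authenticate('alice', 'correct horse', $externalAuth); // served from the cache
$cache->authenticate('alice', 'wrong password', $externalAuth); // mismatch, external again
echo "external lookups: $calls\n";
```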
This tickles a bug as reported by Thorsten Marquardt in
https://sourceforge.net/p/davical/mailman/message/58766531/ with this
error message reported:
Exception [0] ldap_get_attributes(): Argument #2 ($entry) must be of
type LDAP\ResultEntry, false given
At line 718 of /usr/share/davical-master/inc/drivers_ldap.php
You need to look in 3da860e5d5e732c2dedb62a73c76608a2b7098a4 for that line
number as I've just made some improvements to the code in the last few commits.
Add a new value for i_use_mode_kerberos: "allow_fallback_ldap_auth",
which will fall back to username/password authentication when the
REMOTE_USER value is unset.
Currently, when `i_use_mode_kerberos` is enabled in the LDAP driver,
Davical checks the `REMOTE_USER` server variable, followed by the
`REDIRECT_REMOTE_USER` variable, for a matching username. If a matching
username is not found, authentication fails immediately.
This commit modifies the LDAP driver to fall back to standard LDAP
password authentication when `i_use_mode_kerberos` is enabled and
neither of these server variables is set. This allows
non-kerberos-enabled clients to authenticate as well.
Fixes #323
Add some properties to classes to fix errors like:
Creation of dynamic property iSchedule::$body_cannon is deprecated in /usr/share/davical/inc/iSchedule.php on line 533
Creation of dynamic property FakeSession::$user_active is deprecated in /usr/share/davical/inc/iSchedule-POST.php on line 23
Fixes:
- PHP Warning: Trying to access array offset on value of type null in inc/iSchedule.php on line 83
- PHP Warning: Undefined array key "t" in inc/iSchedule.php on line 165
- PHP Warning: Undefined array key "t" in inc/iSchedule.php on line 167
- PHP Warning: Undefined array key "p" in inc/iSchedule.php on line 184
Concatenate the DNS entry we're going to look up once rather than every time
we need it.
Test that other users can't delete:
- collections
- tickets
- bindings
No significant change, just return an error message rather than assume that
things worked.
Add a new 'sasl' option to the LDAP driver, which invokes
ldap_sasl_bind() instead of ldap_bind().
This allows authenticating to LDAP using the GSSAPI (kerberos) or
EXTERNAL mechanisms, rather than a bindDN and password.
Note that for GSSAPI binds, PHP needs access to valid kerberos
credentials (for example, by setting the KRB5CCNAME environment variable
for the PHP process).
Tested with OpenLDAP/Heimdal kerberos, but should also work with Active
Directory.
Resolves this warning in PHP 7.4.0:
Deprecated: bindec(): Passing null to parameter #1 ($binary_string) of type string is deprecated in /usr/share/davical/inc/ui/principal-edit.php on line 412
Resolves this warning in PHP 8.2:
Warning: Undefined array key 0 in /usr/share/davical/inc/iSchedule.php on line 218
Warning: Trying to access array offset on null in /usr/share/davical/inc/iSchedule.php on line 218
PHP 8.2.0 has deprecated dynamic creation of properties.
This kind of warning message is displayed:
Deprecated: Creation of dynamic property DAViCalSession::$login_failed is deprecated in /usr/share/awl/inc/Session.php on line 153
There is potential to leak information when viewing the principal
page for another principal. I think it makes more sense to just
not include all of this information unless the user can change the
principal.
Previously PHP was escaping things like ampersands, which then caused
us to have broken URLs.
These aren't displayed anywhere in the UI, so no need to encode them anywhere.
Closes #314.
Previously something like this would be logged if debugging is enabled:
davical: LOG: Principal: Query: DBGQ: SELECT * FROM collection WHERE user_no= :user_no
davical: LOG: Principal: Query: DBGQ: ":user_no" => ""
davical: BUG: :DAViCal Fatal Error: [42883] SQLSTATE[42883]: Undefined function: 7 ERROR: operator does not exist: integer = boolean\nLINE 1: SELECT * FROM collection WHERE user_no= FALSE\n ^\nHINT: No operator matches the given name and argument types. You might need to add explicit type casts. at /home/puck/work/Calendar/awl/inc/AwlDatabase.php:94
And this would be returned as a response:
DAViCal Fatal Error
user_no doesn't get set when constructing the Collection for the external
bind, so, just handle that instead of sending the empty string to the
database as a user_no.
Modify the tests from ccc7e182ba4cbfba66a4fe96e1c0620e46390b95 to tickle the
bug.
Closes #175.