From 8ef94e9eaa6285e81ccf99fe68d16e03fcc8ac47 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 12 Mar 2016 11:11:11 +0100
Subject: [PATCH] obfuscate auth passwords in config. fixes #1487

we already do it for other passwords, so it makes sense to do it here as
well.
---
 lib/plugins/authad/auth.php             | 1 +
 lib/plugins/authad/conf/metadata.php    | 2 +-
 lib/plugins/authldap/auth.php           | 8 ++++----
 lib/plugins/authldap/conf/metadata.php  | 2 +-
 lib/plugins/authmysql/auth.php          | 2 +-
 lib/plugins/authmysql/conf/metadata.php | 4 ++--
 lib/plugins/authpgsql/auth.php          | 4 ++--
 lib/plugins/authpgsql/conf/metadata.php | 4 ++--
 8 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php
index 6e4f85f36..7f557975a 100644
--- a/lib/plugins/authad/auth.php
+++ b/lib/plugins/authad/auth.php
@@ -642,6 +642,7 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin {
         // compatibility with old option name
         if(empty($opts['admin_username']) && !empty($opts['ad_username'])) $opts['admin_username'] = $opts['ad_username'];
         if(empty($opts['admin_password']) && !empty($opts['ad_password'])) $opts['admin_password'] = $opts['ad_password'];
+        $opts['ad_password'] = conf_decodeString($opts['ad_password']); // deobfuscate
 
         // we can change the password if SSL is set
         if($opts['use_ssl'] || $opts['use_tls']) {
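Review bot: The decode added on line 27 is applied to the legacy `ad_password` key, while the metadata hunk in this commit marks `admin_password` as `_code => 'base64'`, so the value the config manager now stores obfuscated is the one that is never decoded and would reach the directory bind still encoded. The new line also reads `$opts['ad_password']` unconditionally, which the `!empty()` guard on the previous line was written to avoid when the legacy key is absent. Decoding the key that is both stored obfuscated and consumed, `$opts['admin_password'] = conf_decodeString($opts['admin_password']); // deobfuscate`, in the same position keeps the legacy copy working, assuming conf_decodeString returns a string without an encoding prefix unchanged. The enclosing method starts and ends outside the hunk.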
diff --git a/lib/plugins/authad/conf/metadata.php b/lib/plugins/authad/conf/metadata.php
index 25c4ab413..6b0fc168b 100644
--- a/lib/plugins/authad/conf/metadata.php
+++ b/lib/plugins/authad/conf/metadata.php
@@ -6,7 +6,7 @@ $meta['domain_controllers'] = array('string','_caution' => 'danger');
 $meta['sso']                = array('onoff','_caution' => 'danger');
 $meta['sso_charset']        = array('string','_caution' => 'danger');
 $meta['admin_username']     = array('string','_caution' => 'danger');
-$meta['admin_password']     = array('password','_caution' => 'danger');
+$meta['admin_password']     = array('password','_caution' => 'danger','_code' => 'base64');
 $meta['real_primarygroup']  = array('onoff','_caution' => 'danger');
 $meta['use_ssl']            = array('onoff','_caution' => 'danger');
 $meta['use_tls']            = array('onoff','_caution' => 'danger');
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 90ec770e9..4c9c17786 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -60,7 +60,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
         // indirect user bind
         if($this->getConf('binddn') && $this->getConf('bindpw')) {
             // use superuser credentials
-            if(!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))) {
+            if(!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) {
                 $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
                 return false;
             }
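Review bot: The expression `conf_decodeString($this->getConf('bindpw'))` is now repeated verbatim at four bind sites (this hunk and the hunks at -165, -307 and -550), so a future change to how the bind password is stored has to be made four times. A small accessor in the style the class already uses for helpers, `/** @return string decoded superuser bind password */` followed by `protected function _bindpw() { return conf_decodeString($this->getConf('bindpw')); }`, lets each site call `$this->_bindpw()` instead. The surrounding `if` on line 50 still tests the raw `getConf('bindpw')`, which stays correct for presence checks since an obfuscated value is non-empty as well. The enclosing methods of all four hunks start and end outside them.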
@@ -165,7 +165,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
         // force superuser bind if wanted and not bound as superuser yet
         if($this->getConf('binddn') && $this->getConf('bindpw') && $this->bound < 2) {
             // use superuser credentials
-            if(!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))) {
+            if(!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) {
                 $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
                 return false;
             }
@@ -307,7 +307,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
         } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) {
             // we are changing the password on behalf of the user (eg: forgotten password)
             // bind with the superuser ldap
-            if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){
+            if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))){
                 $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
                 return false;
             }
@@ -550,7 +550,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
             }
 
             if($this->getConf('binddn') && $this->getConf('bindpw')) {
-                $bound = @ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'));
+                $bound = @ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')));
                 $this->bound = 2;
             } else {
                 $bound = @ldap_bind($this->con);
diff --git a/lib/plugins/authldap/conf/metadata.php b/lib/plugins/authldap/conf/metadata.php
index a67b11ca6..f32aed191 100644
--- a/lib/plugins/authldap/conf/metadata.php
+++ b/lib/plugins/authldap/conf/metadata.php
@@ -10,7 +10,7 @@ $meta['starttls']    = array('onoff','_caution' => 'danger');
 $meta['referrals']   = array('multichoice','_choices' => array(-1,0,1),'_caution' => 'danger');
 $meta['deref']       = array('multichoice','_choices' => array(0,1,2,3),'_caution' => 'danger');
 $meta['binddn']      = array('string','_caution' => 'danger');
-$meta['bindpw']      = array('password','_caution' => 'danger');
+$meta['bindpw']      = array('password','_caution' => 'danger','_code'=>'base64');
 //$meta['mapping']['name']  unsupported in config manager
 //$meta['mapping']['grps']  unsupported in config manager
 $meta['userscope']   = array('multichoice','_choices' => array('sub','one','base'),'_caution' => 'danger');
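Review bot: The new entry on line 93 writes `'_code'=>'base64'` without spaces around the arrow, whereas the matching entries added to authad and authmysql use `'_code' => 'base64'` and the rest of this file spaces `=>` consistently; the authpgsql metadata hunk at line 159 has the same unspaced form. Aligning both to `'_code' => 'base64'` keeps the four metadata files grep-identical for this option. A short comment on the line, such as `// base64 hides the value from casual reading of the config file; it is not encryption`, would make the limits of the `_code` option clear to the next maintainer.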
diff --git a/lib/plugins/authmysql/auth.php b/lib/plugins/authmysql/auth.php
index 1b7d0bfa4..999542a3d 100644
--- a/lib/plugins/authmysql/auth.php
+++ b/lib/plugins/authmysql/auth.php
@@ -874,7 +874,7 @@ class auth_plugin_authmysql extends DokuWiki_Auth_Plugin {
      */
     protected function _openDB() {
         if(!$this->dbcon) {
-            $con = @mysql_connect($this->getConf('server'), $this->getConf('user'), $this->getConf('password'));
+            $con = @mysql_connect($this->getConf('server'), $this->getConf('user'), conf_decodeString($this->getConf('password')));
             if($con) {
                 if((mysql_select_db($this->getConf('database'), $con))) {
                     if((preg_match('/^(\d+)\.(\d+)\.(\d+).*/', mysql_get_server_info($con), $result)) == 1) {
diff --git a/lib/plugins/authmysql/conf/metadata.php b/lib/plugins/authmysql/conf/metadata.php
index 54d6f1404..bad34e669 100644
--- a/lib/plugins/authmysql/conf/metadata.php
+++ b/lib/plugins/authmysql/conf/metadata.php
@@ -2,7 +2,7 @@
 
 $meta['server']           = array('string','_caution' => 'danger');
 $meta['user']             = array('string','_caution' => 'danger');
-$meta['password']         = array('password','_caution' => 'danger');
+$meta['password']         = array('password','_caution' => 'danger','_code' => 'base64');
 $meta['database']         = array('string','_caution' => 'danger');
 $meta['charset']          = array('string','_caution' => 'danger');
 $meta['debug']            = array('multichoice','_choices' => array(0,1,2),'_caution' => 'security');
@@ -31,4 +31,4 @@ $meta['UpdateEmail']      = array('string','_caution' => 'danger');
 $meta['UpdateName']       = array('string','_caution' => 'danger');
 $meta['UpdateTarget']     = array('string','_caution' => 'danger');
 $meta['delUserGroup']     = array('','_caution' => 'danger');
-$meta['getGroupID']       = array('','_caution' => 'danger');
\ No newline at end of file
+$meta['getGroupID']       = array('','_caution' => 'danger');
diff --git a/lib/plugins/authpgsql/auth.php b/lib/plugins/authpgsql/auth.php
index 4cb280aae..7b677d3d7 100644
--- a/lib/plugins/authpgsql/auth.php
+++ b/lib/plugins/authpgsql/auth.php
@@ -303,7 +303,7 @@ class auth_plugin_authpgsql extends auth_plugin_authmysql {
             $dsn .= ' port='.$this->conf['port'];
             $dsn .= ' dbname='.$this->conf['database'];
             $dsn .= ' user='.$this->conf['user'];
-            $dsn .= ' password='.$this->conf['password'];
+            $dsn .= ' password='.conf_decodeString($this->conf['password']);
 
             $con = @pg_connect($dsn);
             if($con) {
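Review bot: The decoded password on line 139 is concatenated into the libpq connection string without quoting, so a value containing a space, a single quote or a backslash is parsed as further keyword=value pairs or makes the string invalid; the user and dbname parts above share the problem, but the password is the field most likely to contain such characters. libpq accepts single-quoted values in which `'` and `\` are escaped with a backslash, so the line could become `$dsn .= " password='".addcslashes(conf_decodeString($this->conf['password']), "'\\")."'";`. The sibling authmysql hunk reads the same option through `$this->getConf('password')` while this one uses `$this->conf['password']`; presumably equivalent, but worth aligning unless the difference is intentional. The enclosing method starts and ends outside the hunk.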
@@ -428,4 +428,4 @@ class auth_plugin_authpgsql extends auth_plugin_authmysql {
         }
         return $string;
     }
-}
\ No newline at end of file
+}
diff --git a/lib/plugins/authpgsql/conf/metadata.php b/lib/plugins/authpgsql/conf/metadata.php
index fbd051270..cb9c45643 100644
--- a/lib/plugins/authpgsql/conf/metadata.php
+++ b/lib/plugins/authpgsql/conf/metadata.php
@@ -3,7 +3,7 @@
 $meta['server']           = array('string','_caution' => 'danger');
 $meta['port']             = array('numeric','_caution' => 'danger');
 $meta['user']             = array('string','_caution' => 'danger');
-$meta['password']         = array('password','_caution' => 'danger');
+$meta['password']         = array('password','_caution' => 'danger','_code'=>'base64');
 $meta['database']         = array('string','_caution' => 'danger');
 $meta['debug']            = array('onoff','_caution' => 'security');
 $meta['forwardClearPass'] = array('onoff','_caution' => 'danger');
@@ -30,4 +30,4 @@ $meta['UpdateEmail']      = array('string','_caution' => 'danger');
 $meta['UpdateName']       = array('string','_caution' => 'danger');
 $meta['UpdateTarget']     = array('string','_caution' => 'danger');
 $meta['delUserGroup']     = array('','_caution' => 'danger');
-$meta['getGroupID']       = array('','_caution' => 'danger');
\ No newline at end of file
+$meta['getGroupID']       = array('','_caution' => 'danger');
-- 
GitLab