Merge branch 'security/zf2014-05'

ZF2014-05 patch

CHANGELOG.md

@@ -1,5 +1,20 @@
 # CHANGELOG
 
+## 2.3.3 (2014-09-16)
+
+- [6576: Custom barcode adapter wasn't being set in options](https://github.com/zendframework/zf2/pull/6576)
+- [6664: Use is_file to check for an uploaded file](https://github.com/zendframework/zf2/pull/6664)
+
+### SECURITY UPDATES
+
+- **ZF2014-05:** Due to an issue that existed in PHP's LDAP extension, it is
+  possible to perform an unauthenticated simple bind against a LDAP server by
+  using a null byte for the password, regardless of whether or not the user
+  normally requires a password. We have provided a patch in order to protect
+  users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
+  versions of PHP 5.3 and below). If you use `Zend\Ldap` and are on an affected
+  version of PHP, we recommend upgrading immediately.
+
 ## 2.3.2 (2014-08-11)
 
 - [4747: Zend\Code\Generator\FileGenerator problem](https://github.com/zendframework/zf2/issues/4747)
@@ -460,6 +475,18 @@
 - [5943: Fixed route matcher test](https://github.com/zendframework/zf2/pull/5943)
 - [5951: Fix console mixed case optional value params](https://github.com/zendframework/zf2/pull/5951)
 
+## 2.2.8 (2014-09-16)
+
+### SECURITY UPDATES
+
+- **ZF2014-05:** Due to an issue that existed in PHP's LDAP extension, it is
+  possible to perform an unauthenticated simple bind against a LDAP server by
+  using a null byte for the password, regardless of whether or not the user
+  normally requires a password. We have provided a patch in order to protect
+  users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
+  versions of PHP 5.3 and below). If you use `Zend\Ldap` and are on an affected
+  version of PHP, we recommend upgrading immediately.
+
 ## 2.2.7 (2014-04-15)
 
 ### SECURITY UPDATES

README.md

@@ -17,6 +17,17 @@ DD MMM YYYY
 
 ### UPDATES IN 2.3.3
 
+**This release contains security updates:**
+
+- **ZF2014-05:** Due to an issue that existed in PHP's LDAP extension, it is
+  possible to perform an unauthenticated simple bind against a LDAP server by
+  using a null byte for the password, regardless of whether or not the user
+  normally requires a password. We have provided a patch in order to protect
+  users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
+  versions of PHP 5.3 and below). If you use `Zend\Ldap` and are on an affected
+  version of PHP, we recommend upgrading immediately.
+
+
 Please see [CHANGELOG.md](CHANGELOG.md).
 
 ### SYSTEM REQUIREMENTS

library/Zend/Ldap/Ldap.php

@@ -758,6 +758,10 @@ public function bind($username = null, $password = null)
     {
         $moreCreds = true;
 
+        // Security check: remove null bytes in password
+        // @see https://net.educause.edu/ir/library/pdf/csd4875.pdf
+        $password = str_replace("\0", '', $password);
+
         if ($username === null) {
             $username  = $this->getUsername();
             $password  = $this->getPassword();

tests/ZendTest/Ldap/BindTest.php

@@ -267,4 +267,14 @@ public function testResourceIsAlwaysReturned()
         $this->assertTrue(is_resource($ldap->getResource()));
         $this->assertEquals(TESTS_ZEND_LDAP_USERNAME, $ldap->getBoundUser());
     }
+
+    /**
+     * @see https://net.educause.edu/ir/library/pdf/csd4875.pdf
+     */
+    public function testBindWithNullPassword()
+    {
+        $ldap = new Ldap\Ldap($this->options);
+        $this->setExpectedException('Zend\Ldap\Exception\LdapException', 'Invalid credentials');
+        $ldap->bind($this->altUsername, "\0invalidpassword");
+    }
 }