
[ZF2014-05] Fix for null-byte binding

- Disables ability to provide a null byte in a password when binding.
Matthew Weier O'Phinney 11 yıl önce
ebeveyn
işleme
516a6f8442
2 değiştirilmiş dosya ile 14 ekleme ve 0 silme
  1. 4 0
      library/Zend/Ldap.php
  2. 10 0
      tests/Zend/Ldap/BindTest.php

+ 4 - 0
library/Zend/Ldap.php

@@ -814,6 +814,10 @@ class Zend_Ldap
     {
         $moreCreds = true;
 
+        // Security check: remove null bytes in password
+        // @see https://net.educause.edu/ir/library/pdf/csd4875.pdf
+        $password = str_replace("\0", '', $password);
+
         if ($username === null) {
             $username = $this->_getUsername();
             $password = $this->_getPassword();
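Review bot: The null-byte stripping on the added `$password = str_replace("\0", '', $password);` line runs before the `if ($username === null)` branch, and that branch then reassigns `$password = $this->_getPassword();`, so the password taken from the instance options is never filtered. Either move the `str_replace` below that branch, or apply it to both sources, e.g. `$password = str_replace("\0", '', (string) $password);` placed after the closing brace of the `if`. Note also that `str_replace` on a `null` password yields `''`, which presumably feeds whatever empty-password handling follows; a caller-supplied password containing a null byte is silently altered rather than rejected, so a short comment stating that choice (`// a password containing NUL is treated as if the NUL were absent; it is not rejected`) would help the next maintainer. The enclosing method begins before the hunk and its remaining body, including any empty-password check, is outside it.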

+ 10 - 0
tests/Zend/Ldap/BindTest.php

@@ -260,4 +260,14 @@ class Zend_Ldap_BindTest extends PHPUnit_Framework_TestCase
         $this->assertTrue(is_resource($ldap->getResource()));
         $this->assertEquals(TESTS_ZEND_LDAP_USERNAME, $ldap->getBoundUser());
     }
+
+    /**
+     * @see https://net.educause.edu/ir/library/pdf/csd4875.pdf
+     */
+    public function testBindWithNullPassword()
+    {
+        $ldap = new Zend_Ldap($this->_options);
+        $this->setExpectedException('Zend_Ldap_Exception', 'Invalid credentials');
+        $ldap->bind($this->_altUsername, "\0invalidpassword");
+    }
 }
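Review bot: `testBindWithNullPassword` cannot tell the fix apart from its absence: with the stripping in place `"\0invalidpassword"` becomes `invalidpassword`, and without it the directory server is very likely to reject the credential too, so `'Invalid credentials'` is expected either way. The case the referenced advisory describes is a password that is empty after the null byte, so a second method such as `$ldap->bind($this->_altUsername, "\0");` with an expected `Zend_Ldap_Exception` would actually exercise the guard; the exact message for that path depends on the empty-password handling in `bind()`, which is outside this diff, so pin it only once confirmed. The docblock should also state the intent beyond the `@see` link, for example `Binding with a password containing a null byte must not succeed as an unauthenticated (empty-password) bind.` — this test appears to depend on a live directory via the `TESTS_ZEND_LDAP_*` constants, as the surrounding tests do.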