LDAP: follow user- and groupname char limitations for LDAP display names

WARNING: may affect existing installations if display names included unallowed characters. Allowed are only a-zA-Z0-9._-@ This fix is however needed, because names with unallowed characters may cause conflicts

diff --git a/apps/user_ldap/lib_ldap.php b/apps/user_ldap/lib_ldap.php
index 00d81e73efde2f3fe79a34e75167c0620947711c..5252f4cce7c47b23f32b9d63bbae26468584dbbf 100644 (file)
--- a/apps/user_ldap/lib_ldap.php
+++ b/apps/user_ldap/lib_ldap.php
@@ -198,6 +198,7 @@ class OC_LDAP {
                        $ldapname = self::readAttribute($dn, $nameAttribute);
                        $ldapname = $ldapname[0];
                }
+               $ldapname = self::sanitizeUsername($ldapname);
 
                //a new user/group! Then let's try to add it. We're shooting into the blue with the user/group name, assuming that in most cases there will not be a conflict. Otherwise an error will occur and we will continue with our second shot.
                if(self::mapComponent($dn, $ldapname, $isUser)) {
@@ -255,16 +256,17 @@ class OC_LDAP {
                                continue;
                        }
 
-                       //a new group! Then let's try to add it. We're shooting into the blue with the group name, assuming that in most cases there will not be a conflict
-                       if(self::mapComponent($ldapObject['dn'], $ldapObject[$nameAttribute], $isUsers)) {
-                               $ownCloudNames[] = $ldapObject[$nameAttribute];
+                       //a new group! Then let's try to add it. We're shooting into the blue with the group name, assuming that in most cases there will not be a conflict. But first make sure, that the display name contains only allowed characters.
+                       $ocname = self::sanitizeUsername($ldapObject[$nameAttribute]);
+                       if(self::mapComponent($ldapObject['dn'], $ocname, $isUsers)) {
+                               $ownCloudNames[] = $ocname;
                                continue;
                        }
 
                        //doh! There is a conflict. We need to distinguish between groups. Adding indexes is an idea, but not much of a help for the user. The DN is ugly, but for now the only reasonable way. But we transform it to a readable format and remove the first part to only give the path where this entry is located.
-                       $oc_name = self::alternateOwnCloudName($ldapObject[$nameAttribute], $ldapObject['dn']);
-                       if(self::mapComponent($ldapObject['dn'], $oc_name, $isUsers)) {
-                               $ownCloudNames[] = $oc_name;
+                       $ocname = self::alternateOwnCloudName($ocname, $ldapObject['dn']);
+                       if(self::mapComponent($ldapObject['dn'], $ocname, $isUsers)) {
+                               $ownCloudNames[] = $ocname;
                                continue;
                        }
 
@@ -284,7 +286,9 @@ class OC_LDAP {
         */
        static private function alternateOwnCloudName($name, $dn) {
                $ufn = ldap_dn2ufn($dn);
-               return $name . ' (' . trim(substr_replace($ufn, '', 0, strpos($ufn, ','))) . ')';
+               $name = $name . '@' . trim(substr_replace($ufn, '', 0, strpos($ufn, ',')));
+               $name = self::sanitizeUsername($name);
+               return $name;
        }
 
        /**
@@ -522,6 +526,16 @@ class OC_LDAP {
                return $dn;
        }
 
+       static private function sanitizeUsername($name) {
+               //REPLACEMENTS
+               $name = str_replace(' ', '_', $name);
+
+               //every remaining unallowed characters will be removed
+               $name = preg_replace('/[^a-zA-Z0-9_.@-]/', '', $name);
+
+               return $name;
+       }
+
        /**
         * @brief combines the input filters with AND
         * @param $filters array, the filters to connect