Merge pull request #37201 from AaronDewes/fix/ldap-filter-generation 40740/head
authorCôme Chilliet <91878298+come-nc@users.noreply.github.com>
Mon, 2 Oct 2023 07:49:22 +0000 (09:49 +0200)
committerAaron Dewes <aaron.dewes@protonmail.com>
Mon, 2 Oct 2023 09:09:17 +0000 (11:09 +0200)
Fix: Escape group names for LDAP

apps/user_ldap/lib/Access.php
apps/user_ldap/lib/Wizard.php
apps/user_ldap/tests/AccessTest.php

index 1cc0c62ff1d177353c542c7184173a5eed496887..658de8c0b8393018121c4e1496fddef9c2e90bfb 100644 (file)
@@ -1411,9 +1411,7 @@ class Access extends LDAPUtility {
                        $asterisk = '*';
                        $input = mb_substr($input, 1, null, 'UTF-8');
                }
-               $search = ['*', '\\', '(', ')'];
-               $replace = ['\\*', '\\\\', '\\(', '\\)'];
-               return $asterisk . str_replace($search, $replace, $input);
+               return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER);
        }
 
        /**
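Review bot: The new `ldap_escape()` call on the return line would benefit from a one-line comment, because the leading-`*` split in the lines above it only reads as deliberate once the reader knows `LDAP_ESCAPE_FILTER` would otherwise turn that wildcard into `\2a`. Suggested: `// RFC 4515 hex escaping (* ( ) \ and NUL -> \2a \28 \29 \5c \00); the optional leading '*' was split off above so it survives as a wildcard.` The escape set now also covers NUL, which the removed str_replace() list did not, so the method docblock (above this hunk) should state that callers get RFC 4515 hex escapes rather than backslash-prefixed characters. The accompanying AccessTest update pins `*` inputs only; a case such as `'a\\b'` expecting `'a\\5cb'` would also pin the backslash handling, since the removed expectation `'\\\\*'` suggests the old sequential str_replace escaped the backslash it had just inserted. escapeFilterPart's signature and docblock lie outside this hunk.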
index 3014ec8e8a74b4688d5e3ad476b9d4551f55663f..29407ceb0a500fdf4359f3a9f099544f434f6f10 100644 (file)
@@ -909,7 +909,7 @@ class Wizard extends LDAPUtility {
                                if (is_array($objcs) && count($objcs) > 0) {
                                        $filter .= '(|';
                                        foreach ($objcs as $objc) {
-                                               $filter .= '(objectclass=' . $objc . ')';
+                                               $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')';
                                        }
                                        $filter .= ')';
                                        $parts++;
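Review bot: The expression `ldap_escape($x, '', LDAP_ESCAPE_FILTER)` is now repeated five times in this file (here and in the hunks at lines 925, 936 and 973), each time inside a hand-concatenated filter fragment, which leaves the next fragment added to this builder free to forget the escaping. A small private helper such as `private function filterEq(string $attr, string $value): string { return '(' . $attr . '=' . ldap_escape($value, '', LDAP_ESCAPE_FILTER) . ')'; }` would centralise the escaping and shorten these lines to `$filter .= $this->filterEq('objectclass', $objc);`. The enclosing methods start and end outside these hunks, so there may be further unescaped concatenations nearby that the same helper would cover.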
@@ -925,7 +925,7 @@ class Wizard extends LDAPUtility {
                                                }
                                                $base = $this->configuration->ldapBase[0];
                                                foreach ($cns as $cn) {
-                                                       $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, ['dn', 'primaryGroupToken']);
+                                                       $rr = $this->ldap->search($cr, $base, 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER), ['dn', 'primaryGroupToken']);
                                                        if (!$this->ldap->isResource($rr)) {
                                                                continue;
                                                        }
@@ -936,10 +936,10 @@ class Wizard extends LDAPUtility {
                                                        if ($dn === false || $dn === '') {
                                                                continue;
                                                        }
-                                                       $filterPart = '(memberof=' . $dn . ')';
+                                                       $filterPart = '(memberof=' . ldap_escape($dn, '', LDAP_ESCAPE_FILTER) . ')';
                                                        if (isset($attrs['primaryGroupToken'])) {
                                                                $pgt = $attrs['primaryGroupToken'][0];
-                                                               $primaryFilterPart = '(primaryGroupID=' . $pgt .')';
+                                                               $primaryFilterPart = '(primaryGroupID=' . ldap_escape($pgt, '', LDAP_ESCAPE_FILTER) .')';
                                                                $filterPart = '(|' . $filterPart . $primaryFilterPart . ')';
                                                        }
                                                        $filter .= $filterPart;
@@ -963,7 +963,7 @@ class Wizard extends LDAPUtility {
                                if (is_array($objcs) && count($objcs) > 0) {
                                        $filter .= '(|';
                                        foreach ($objcs as $objc) {
-                                               $filter .= '(objectclass=' . $objc . ')';
+                                               $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')';
                                        }
                                        $filter .= ')';
                                        $parts++;
@@ -973,7 +973,7 @@ class Wizard extends LDAPUtility {
                                if (is_array($cns) && count($cns) > 0) {
                                        $filter .= '(|';
                                        foreach ($cns as $cn) {
-                                               $filter .= '(cn=' . $cn . ')';
+                                               $filter .= '(cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER) . ')';
                                        }
                                        $filter .= ')';
                                }
index ce05839c842b2b549e6bb81b75324736bfcb4ff0..5469b9267e7a59352e0d75456c6896c70c7c4fea 100644 (file)
@@ -137,13 +137,13 @@ class AccessTest extends TestCase {
 
        public function testEscapeFilterPartEscapeWildcard() {
                $input = '*';
-               $expected = '\\\\*';
+               $expected = '\\2a';
                $this->assertTrue($expected === $this->access->escapeFilterPart($input));
        }
 
        public function testEscapeFilterPartEscapeWildcard2() {
                $input = 'foo*bar';
-               $expected = 'foo\\\\*bar';
+               $expected = 'foo\\2abar';
                $this->assertTrue($expected === $this->access->escapeFilterPart($input));
        }