Browse Source
Merge pull request #44766 from nextcloud/backport/44350/stable27
[stable27] fix(LDAP): escape DN on check-usertags/v27.1.9rc1
Arthur Schiwon
1 month ago
3 changed files with 21 additions and 1 deletions
+ 4
- 0
apps/user_ldap/lib/Access.php
View File
| @@ -279,6 +279,8 @@ class Access extends LDAPUtility { | |||
| * Normalizes a result grom getAttributes(), i.e. handles DNs and binary | |||
| * data if present. | |||
| * | |||
| * DN values are escaped as per RFC 2253 | |||
| * | |||
| * @param array $result from ILDAPWrapper::getAttributes() | |||
| * @param string $attribute the attribute name that was read | |||
| * @return string[] | |||
| @@ -1260,6 +1262,8 @@ class Access extends LDAPUtility { | |||
| /** | |||
| * Executes an LDAP search | |||
| * | |||
| * DN values in the result set are escaped as per RFC 2253 | |||
| * | |||
| * @throws ServerNotAvailableException | |||
| */ | |||
| public function search( | |||
+ 2
- 1
apps/user_ldap/lib/Command/CheckUser.php
View File
| @@ -144,7 +144,8 @@ class CheckUser extends Command { | |||
| $attrs = $access->userManager->getAttributes(); | |||
| $user = $access->userManager->get($uid); | |||
| $avatarAttributes = $access->getConnection()->resolveRule('avatar'); | |||
| $result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0); | |||
| $baseDn = $this->helper->DNasBaseParameter($user->getDN()); | |||
| $result = $access->search('objectclass=*', $baseDn, $attrs, 1, 0); | |||
| foreach ($result[0] as $attribute => $valueSet) { | |||
| $output->writeln(' ' . $attribute . ': '); | |||
| foreach ($valueSet as $value) { | |||
+ 15
- 0
apps/user_ldap/lib/Helper.php
View File
| @@ -206,6 +206,21 @@ class Helper { | |||
| /** | |||
| * sanitizes a DN received from the LDAP server | |||
| * | |||
| * This is used and done to have a stable format of DNs that can be compared | |||
| * and identified again. The input DN value is modified as following: | |||
| * | |||
| * 1) whitespaces after commas are removed | |||
| * 2) the DN is turned to lower-case | |||
| * 3) the DN is escaped according to RFC 2253 | |||
| * | |||
| * When a future DN is supposed to be used as a base parameter, it has to be | |||
| * run through DNasBaseParameter() first, to recode \5c into a backslash | |||
| * again, otherwise the search or read operation will fail with LDAP error | |||
| * 32, NO_SUCH_OBJECT. Regular usage in LDAP filters requires the backslash | |||
| * being escaped, however. | |||
| * | |||
| * Internally, DNs are stored in their sanitized form. | |||
| * | |||
| * @param array|string $dn the DN in question | |||
| * @return array|string the sanitized DN | |||
| */ | |||
Loading…