author | Lukas Reschke <lukas@statuscode.ch> | 2016-10-18 17:20:15 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-10-18 17:20:15 +0200 |
commit | b8eea5fcab428939463c605bebebb602b732d121 (patch) | |
tree | e218a713d3c482680b535a43336bc37d8382a851 /apps/user_ldap/lib/Access.php | |
parent | 9759f55e505010f6135d7aaeae83d26885939363 (diff) | |
parent | dade28cadd3d73feaf665cfd338928643b7c5793 (diff) | |
Merge pull request #1729 from nextcloud/downstream-ldap-3
[downstream] LDAP empty hardening
Diffstat (limited to 'apps/user_ldap/lib/Access.php')
-rw-r--r-- | apps/user_ldap/lib/Access.php | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 40bae8d7b41..e7facd80ae0 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -184,14 +184,14 @@ class Access extends LDAPUtility implements IUserTools {
 $dn = $this->helper->DNasBaseParameter($dn);
 $rr = @$this->ldap->read($cr, $dn, $filter, array($attr));
 if(!$this->ldap->isResource($rr)) {
- if(!empty($attr)) {
+ if ($attr !== '') {
 //do not throw this message on userExists check, irritates
 \OCP\Util::writeLog('user_ldap', 'readAttribute failed for DN '.$dn, \OCP\Util::DEBUG);
 }
 //in case an error occurs , e.g. object does not exist
 return false;
 }
- if (empty($attr) && ($filter === 'objectclass=*' || $this->ldap->countEntries($cr, $rr) === 1)) {
+ if ($attr === '' && ($filter === 'objectclass=*' || $this->ldap->countEntries($cr, $rr) === 1)) {
 \OCP\Util::writeLog('user_ldap', 'readAttribute: '.$dn.' found', \OCP\Util::DEBUG);
 return array();
 }
@@ -422,8 +422,8 @@ class Access extends LDAPUtility implements IUserTools {
 }
 if($isUser) {
- $usernameAttribute = $this->connection->ldapExpertUsernameAttr;
- if(!empty($usernameAttribute)) {
+ $usernameAttribute = strval($this->connection->ldapExpertUsernameAttr);
+ if ($usernameAttribute !== '') {
 $username = $this->readAttribute($fdn, $usernameAttribute);
 $username = $username[0];
 } else {
@@ -1128,7 +1128,7 @@ class Access extends LDAPUtility implements IUserTools {
 private function combineFilter($filters, $operator) {
 $combinedFilter = '('.$operator;
 foreach($filters as $filter) {
- if(!empty($filter) && $filter[0] !== '(') {
+ if ($filter !== '' && $filter[0] !== '(') {
 $filter = '('.$filter.')';
 }
 $combinedFilter.=$filter;
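Review bot: The new `$attr !== ''` and `$attr === ''` checks in readAttribute compare strictly against the empty string, but nothing visible normalises `$attr` first, so a `null` or `false` argument that `empty()` used to treat as "no attribute" now takes the non-empty path and skips the existence-check shortcut that returns `array()`. The hunk at 422 avoids this by wrapping the config value in `strval()`; the same concern applies to `$filter` in combineFilter (where `$filter[0]` is read right after the check), `$fallbackAttribute` at 1211 and `$uuidOverride` at 1289, 1345 and 1388, whose origins are outside the visible lines. Consider casting once at the top of each function, e.g. `$attr = (string)$attr;`, or documenting in the docblock that callers must pass strings. readAttribute's body starts and ends outside the hunk.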
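Review bot: `$username = $username[0];` in the hunk at 422 indexes the result of readAttribute() without checking it, and the first hunk shows readAttribute() returning `false` when the read fails, so a missing or unreadable username attribute leaves `$username` as `null` at this point. What is done with the value afterwards is outside the hunk, but if it feeds the internal user name mapping, a silent `null` is worth ruling out with a guard before the index, such as `if (!is_array($username) || !isset($username[0])) { return false; }`. The enclosing function starts and ends outside the hunk, so the appropriate failure value needs checking against its callers.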
@@ -1211,7 +1211,7 @@ class Access extends LDAPUtility implements IUserTools {
 $search = $this->prepareSearchTerm($search);
 if(!is_array($searchAttributes) || count($searchAttributes) === 0) {
- if(empty($fallbackAttribute)) {
+ if ($fallbackAttribute === '') {
 return '';
 }
 $filter[] = $fallbackAttribute . '=' . $search;
@@ -1237,8 +1237,12 @@ class Access extends LDAPUtility implements IUserTools {
 $allowEnum = $config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes');
- $result = empty($term) ? '*' :
- $allowEnum !== 'no' ? $term . '*' : $term;
+ $result = $term;
+ if ($term === '') {
+ $result = '*';
+ } else if ($allowEnum !== 'no') {
+ $result = $term . '*';
+ }
 return $result;
 }
@@ -1285,7 +1289,7 @@ class Access extends LDAPUtility implements IUserTools {
 $filter = $this->connection->ldapUserFilter;
 $base = $this->connection->ldapBaseUsers;
- if($this->connection->ldapUuidUserAttribute === 'auto' && empty($uuidOverride)) {
+ if ($this->connection->ldapUuidUserAttribute === 'auto' && $uuidOverride === '') {
 // Sacrebleu! The UUID attribute is unknown :( We need first an
 // existing DN to be able to reliably detect it.
 $result = $this->search($filter, $base, ['dn'], 1);
@@ -1341,7 +1345,7 @@ class Access extends LDAPUtility implements IUserTools {
 return true;
 }
- if(!empty($uuidOverride) && !$force) {
+ if ($uuidOverride !== '' && !$force) {
 $this->connection->$uuidAttr = $uuidOverride;
 return true;
 }
@@ -1384,7 +1388,7 @@ class Access extends LDAPUtility implements IUserTools {
 if($this->detectUuidAttribute($dn, $isUser)) {
 $uuid = $this->readAttribute($dn, $this->connection->$uuidAttr);
 if( !is_array($uuid)
- && !empty($uuidOverride)
+ && $uuidOverride !== ''
 && $this->detectUuidAttribute($dn, $isUser, true)) {
 $uuid = $this->readAttribute($dn, $this->connection->$uuidAttr); |
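Review bot: The context line `$filter[] = $fallbackAttribute . '=' . $search;` in the hunk at 1211 builds an LDAP filter by plain concatenation, and the only processing of `$search` visible here is prepareSearchTerm(), whose tail in the next hunk merely appends `*`. If filter metacharacters are escaped by the callers, that contract deserves a comment at this spot, for example `// $search must already be escaped for LDAP filter context by the caller`; if they are not, the term should be escaped before this line. The function's signature and the rest of its body are outside the hunk, so this cannot be confirmed from the visible lines.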
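Review bot: The rewritten branch in the hunk at 1237 still returns `'*'` for an empty `$term` whatever `$allowEnum` is, so with `shareapi_allow_share_dialog_user_enumeration` set to `no` an empty search term becomes a match-all wildcard. If that is intentional because empty searches are gated before this function is reached, a comment on the first branch should say so, e.g. `// empty term matches everything; callers must enforce the enumeration setting for empty searches`; otherwise the disabled case needs its own defined result. The start of prepareSearchTerm is outside the hunk, so any earlier handling of `$term` is not visible here.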