authorArthur Schiwon <blizzz@arthur-schiwon.de>2021-10-19 22:00:13 +0200
committerArthur Schiwon <blizzz@arthur-schiwon.de>2021-11-19 13:07:19 +0100
commit8266f88755696c7a2a0cc489bb1e501bc34393b0 (patch)
tree58bc47d5ad7cec2386a8a92f1823256bb16cfb71 /apps/user_ldap
parentc35ad0c20d420c3056565c6bad21133dc035b2df (diff)
downloadnextcloud-server-8266f88755696c7a2a0cc489bb1e501bc34393b0.tar.gz
nextcloud-server-8266f88755696c7a2a0cc489bb1e501bc34393b0.zip
fix potential unwarranted memberships in nested groups from LDAP
- the issue was present only when using PHP based resolving of nested group members. Normally nested members are common in AD (and Samba4) and are resolved per LDAP_MATCHING_RULE_IN_CHAIN by default - resolving nested members is recursive - when the cache entry was created, it happened for intermediate groups, too, so they contained members from the parent group - a check was added to only cache the root group with its members - a runtime cache stores intermediate ldap read results Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Diffstat (limited to 'apps/user_ldap')
-rw-r--r--apps/user_ldap/lib/Group_LDAP.php16
1 files changed, 14 insertions, 2 deletions
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index 744f921c6dd..29ef8958293 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -248,7 +248,12 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
// but not included in the results laters on
$excludeFromResult = $dnGroup;
}
+ // cache only base groups, otherwise groups get additional unwarranted members
+ $shouldCacheResult = count($seen) === 0;
+
+ static $rawMemberReads = []; // runtime cache for intermediate ldap read results
$allMembers = [];
+
if (array_key_exists($dnGroup, $seen)) {
return [];
}
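Review bot: The `static $rawMemberReads` introduced here lives for the whole PHP process and is only ever trimmed by the `unset($rawMemberReads[$dnGroup])` in the last hunk, which removes the root group's entry alone; every intermediate group read during the recursion stays in the static array. In a web request that is harmless, but in long-running `occ` or cron runs the array grows unbounded and a group that was an intermediate in one call will be served its stale raw member list when it later becomes the root of another call, and that stale list is then written to the persistent cache. I would reset the whole runtime cache when the root resolution finishes, `$rawMemberReads = [];` in place of the per-DN `unset`, or scope the array to a single top-level call instead of a function static. The enclosing method `_groupMembers` begins before this hunk.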
@@ -290,7 +295,11 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
}
$seen[$dnGroup] = 1;
- $members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
+ $members = $rawMemberReads[$dnGroup] ?? null;
+ if ($members === null) {
+ $members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
+ $rawMemberReads[$dnGroup] = $members;
+ }
if (is_array($members)) {
$fetcher = function ($memberDN) use (&$seen) {
return $this->_groupMembers($memberDN, $seen);
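Review bot: The memoisation at `$rawMemberReads[$dnGroup] = $members;` stores whatever `readAttribute()` returned, and the `is_array($members)` guard two lines below shows that non-array (failed or empty) results are possible; a transient LDAP read failure on one group is therefore remembered for the rest of the process and never retried, even though only the `=== null` case triggers a re-read. I would memoise only successful reads, `if (is_array($members)) { $rawMemberReads[$dnGroup] = $members; }`, so a failed read falls through to the existing guard without poisoning later lookups. Whether `readAttribute()` signals failure with `false` or an empty value is not visible in this hunk, so the exact condition should be confirmed against `Access::readAttribute()`.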
@@ -306,7 +315,10 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
}
}
- $this->access->connection->writeToCache($cacheKey, $allMembers);
+ if ($shouldCacheResult) {
+ $this->access->connection->writeToCache($cacheKey, $allMembers);
+ unset($rawMemberReads[$dnGroup]);
+ }
if (isset($attemptedLdapMatchingRuleInChain)
&& $this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_UNKNOWN
&& !empty($allMembers)