authorArthur Schiwon <blizzz@arthur-schiwon.de>2023-10-09 22:39:24 +0200
committerGitHub <noreply@github.com>2023-10-09 22:39:24 +0200
commit7396412b040cac3005a9f6622e0f54fa58398753 (patch)
tree064362c382c95785de4ca055f98d2b686166ea4f /apps/user_ldap
parente6832ed9320512b0e7d1cc1c9f0b0312157eb15e (diff)
parente2d3fef5b42f22c9b41204813145d26351757168 (diff)
downloadnextcloud-server-7396412b040cac3005a9f6622e0f54fa58398753.tar.gz
nextcloud-server-7396412b040cac3005a9f6622e0f54fa58398753.zip
Merge pull request #40739 from AaronDewes/stable27
[stable27] Fix: Escape group names for LDAP
Diffstat (limited to 'apps/user_ldap')
-rw-r--r--apps/user_ldap/lib/Access.php4
-rw-r--r--apps/user_ldap/lib/Wizard.php12
-rw-r--r--apps/user_ldap/tests/AccessTest.php4
3 files changed, 9 insertions, 11 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 40be2b9601a..47f03cfa0e9 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -1421,9 +1421,7 @@ class Access extends LDAPUtility {
$asterisk = '*';
$input = mb_substr($input, 1, null, 'UTF-8');
}
- $search = ['*', '\\', '(', ')'];
- $replace = ['\\*', '\\\\', '\\(', '\\)'];
- return $asterisk . str_replace($search, $replace, $input);
+ return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER);
}
/**
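Review bot: The new return line does not say which escaping context it targets, and `ldap_escape(..., LDAP_ESCAPE_FILTER)` is only correct for filter assertion values. I would add a comment above it such as `// Filter context only (RFC 4515); use LDAP_ESCAPE_DN when the value becomes part of a DN.` so the helper is not reused for DN construction. The escaped form also changes from `\*` to the hex form `\2a`, so any caller that compares or stores the escaped string should be checked; none is visible in this hunk. The function starts above the hunk, so the condition guarding the preserved leading `$asterisk` cannot be seen here.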
diff --git a/apps/user_ldap/lib/Wizard.php b/apps/user_ldap/lib/Wizard.php
index 3014ec8e8a7..29407ceb0a5 100644
--- a/apps/user_ldap/lib/Wizard.php
+++ b/apps/user_ldap/lib/Wizard.php
@@ -909,7 +909,7 @@ class Wizard extends LDAPUtility {
if (is_array($objcs) && count($objcs) > 0) {
$filter .= '(|';
foreach ($objcs as $objc) {
- $filter .= '(objectclass=' . $objc . ')';
+ $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')';
}
$filter .= ')';
$parts++;
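Review bot: The call `ldap_escape($x, '', LDAP_ESCAPE_FILTER)` is written inline here and again on the other five changed lines of this file (the `cn=` search, `memberof=`, `primaryGroupID=`, the second `objectclass=` loop and the `(cn=` loop), so the next filter concatenated in this class can easily miss it. A single private helper, for example `private function escapeFilterValue(string $value): string { return ldap_escape($value, '', LDAP_ESCAPE_FILTER); }`, would keep the rule in one place. If Wizard can reach the Access instance, its existing `escapeFilterPart()` might serve instead, but that method can keep a leading `*`, which may not be wanted for these values. The enclosing method begins and ends outside the hunk.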
@@ -925,7 +925,7 @@ class Wizard extends LDAPUtility {
}
$base = $this->configuration->ldapBase[0];
foreach ($cns as $cn) {
- $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, ['dn', 'primaryGroupToken']);
+ $rr = $this->ldap->search($cr, $base, 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER), ['dn', 'primaryGroupToken']);
if (!$this->ldap->isResource($rr)) {
continue;
}
@@ -936,10 +936,10 @@ class Wizard extends LDAPUtility {
if ($dn === false || $dn === '') {
continue;
}
- $filterPart = '(memberof=' . $dn . ')';
+ $filterPart = '(memberof=' . ldap_escape($dn, '', LDAP_ESCAPE_FILTER) . ')';
if (isset($attrs['primaryGroupToken'])) {
$pgt = $attrs['primaryGroupToken'][0];
- $primaryFilterPart = '(primaryGroupID=' . $pgt .')';
+ $primaryFilterPart = '(primaryGroupID=' . ldap_escape($pgt, '', LDAP_ESCAPE_FILTER) .')';
$filterPart = '(|' . $filterPart . $primaryFilterPart . ')';
}
$filter .= $filterPart;
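Review bot: `$pgt` is read from the search result and is only escaped, not checked for shape, before it is placed into `(primaryGroupID=...)`. Because that attribute is compared as a number, a guard such as `if (isset($attrs['primaryGroupToken']) && ctype_digit((string)$attrs['primaryGroupToken'][0])) {` would skip unexpected values instead of emitting a filter term that cannot match. As a minor style point, the new `primaryGroupID` line ends with `.')'` where the other changed lines use `. ')'`. The surrounding loop starts outside the hunk.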
@@ -963,7 +963,7 @@ class Wizard extends LDAPUtility {
if (is_array($objcs) && count($objcs) > 0) {
$filter .= '(|';
foreach ($objcs as $objc) {
- $filter .= '(objectclass=' . $objc . ')';
+ $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')';
}
$filter .= ')';
$parts++;
@@ -973,7 +973,7 @@ class Wizard extends LDAPUtility {
if (is_array($cns) && count($cns) > 0) {
$filter .= '(|';
foreach ($cns as $cn) {
- $filter .= '(cn=' . $cn . ')';
+ $filter .= '(cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER) . ')';
}
$filter .= ')';
}
diff --git a/apps/user_ldap/tests/AccessTest.php b/apps/user_ldap/tests/AccessTest.php
index ce05839c842..5469b9267e7 100644
--- a/apps/user_ldap/tests/AccessTest.php
+++ b/apps/user_ldap/tests/AccessTest.php
@@ -137,13 +137,13 @@ class AccessTest extends TestCase {
public function testEscapeFilterPartEscapeWildcard() {
$input = '*';
- $expected = '\\\\*';
+ $expected = '\\2a';
$this->assertTrue($expected === $this->access->escapeFilterPart($input));
}
public function testEscapeFilterPartEscapeWildcard2() {
$input = 'foo*bar';
- $expected = 'foo\\\\*bar';
+ $expected = 'foo\\2abar';
$this->assertTrue($expected === $this->access->escapeFilterPart($input));
}
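Review bot: The updated expectations cover only `*`, so the other characters that the switch to `ldap_escape()` now handles remain untested. I would add cases for parentheses and backslash, for example input `'foo(bar)'` expecting `'foo\\28bar\\29'` and input `'foo\\bar'` expecting `'foo\\5cbar'`, ideally through a data provider. `$this->assertTrue($expected === ...)` would also be clearer as `$this->assertSame($expected, $this->access->escapeFilterPart($input));`, which reports both values when the assertion fails.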