author | Robin Appelman <icewind@owncloud.com> | 2014-02-21 15:51:41 +0100 |
---|---|---|
committer | Robin Appelman <icewind@owncloud.com> | 2014-02-21 15:51:41 +0100 |
commit | f1475671aba59e33442ca5f4121e49782eabe974 (patch) | |
tree | 33b049bac3cb2fcf86f7acfcc728e5fb6e2322e1 /apps | |
parent | b060a17b59f7117a670f09550215cb005dd822bc (diff) | |
parent | aa0bcf7ba45d004b0c0226fd07696f9f224f9c1c (diff) | |
Merge branch 'master' into extstorage-configclass
Diffstat (limited to 'apps')
-rw-r--r-- | apps/files/ajax/newfile.php | 14 | ||||
-rw-r--r-- | apps/files/ajax/newfolder.php | 4 | ||||
-rw-r--r-- | apps/files_external/ajax/addRootCertificate.php | 2 | ||||
-rwxr-xr-x | apps/files_external/lib/config.php | 6 | ||||
-rw-r--r-- | apps/files_external/lib/webdav.php | 63 | ||||
-rw-r--r-- | apps/files_external/tests/config.php | 6 | ||||
-rw-r--r-- | apps/files_external/tests/webdav.php | 3 | ||||
-rw-r--r-- | apps/user_ldap/lib/access.php | 11 | ||||
-rw-r--r-- | apps/user_ldap/lib/helper.php | 6 | ||||
-rw-r--r-- | apps/user_ldap/tests/access.php | 71 | ||||
-rw-r--r-- | apps/user_ldap/tests/user_ldap.php | 101 | ||||
-rw-r--r-- | apps/user_ldap/user_ldap.php | 3 |
12 files changed, 259 insertions, 31 deletions
diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php index 1853098c507..0187b200759 100644 --- a/apps/files/ajax/newfile.php +++ b/apps/files/ajax/newfile.php @@ -50,16 +50,22 @@ $l10n = \OC_L10n::get('files'); $result = array( 'success' => false, 'data' => NULL - ); +); +$trimmedFileName = trim($filename); -if(trim($filename) === '') { +if($trimmedFileName === '') { $result['data'] = array('message' => (string)$l10n->t('File name cannot be empty.')); OCP\JSON::error($result); exit(); } +if($trimmedFileName === '.' || $trimmedFileName === '..') { + $result['data'] = array('message' => (string)$l10n->t('"%s" is an invalid file name.', $trimmedFileName)); + OCP\JSON::error($result); + exit(); +} -if(strpos($filename, '/') !== false) { - $result['data'] = array('message' => (string)$l10n->t('File name must not contain "/". Please choose a different name.')); +if(!OCP\Util::isValidFileName($filename)) { + $result['data'] = array('message' => (string)$l10n->t("Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed.")); OCP\JSON::error($result); exit(); } diff --git a/apps/files/ajax/newfolder.php b/apps/files/ajax/newfolder.php index 4cfcae3090d..b2b4fb27f74 100644 --- a/apps/files/ajax/newfolder.php +++ b/apps/files/ajax/newfolder.php @@ -23,8 +23,8 @@ if(trim($foldername) === '') { exit(); } -if(strpos($foldername, '/') !== false) { - $result['data'] = array('message' => $l10n->t('Folder name must not contain "/". Please choose a different name.')); +if(!OCP\Util::isValidFileName($foldername)) { + $result['data'] = array('message' => (string)$l10n->t("Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed.")); OCP\JSON::error($result); exit(); } diff --git a/apps/files_external/ajax/addRootCertificate.php b/apps/files_external/ajax/addRootCertificate.php index ae349bfcd3a..fcd3a617ada 100644 --- a/apps/files_external/ajax/addRootCertificate.php +++ b/apps/files_external/ajax/addRootCertificate.php 
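Review bot: The `.`/`..` rejection is added only to newfile.php; the newfolder.php hunk in this commit swaps the "/" check for `OCP\Util::isValidFileName($foldername)` but gains no equivalent guard, and whether `isValidFileName` itself rejects dot names is not visible here. If it does not, folder creation keeps accepting names that file creation now refuses. Either add `if(trim($foldername) === '.' || trim($foldername) === '..')` with the same error response to newfolder.php, or move the check into the shared validator so both endpoints agree. In newfile.php the empty and dot checks use `$trimmedFileName` while `isValidFileName` receives the untrimmed `$filename`; passing one normalised value to every check would make it clear which string is being validated.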
@@ -4,7 +4,7 @@ OCP\JSON::checkAppEnabled('files_external'); OCP\JSON::callCheck(); if ( ! ($filename = $_FILES['rootcert_import']['name']) ) { - header("Location: settings/personal.php"); + header('Location:' . OCP\Util::linkToRoute( "settings_personal" )); exit; } diff --git a/apps/files_external/lib/config.php b/apps/files_external/lib/config.php index cd3e7f3a4a6..9a8b95c14c9 100755 --- a/apps/files_external/lib/config.php +++ b/apps/files_external/lib/config.php @@ -358,9 +358,8 @@ class OC_Mount_Config { $phpFile = OC_User::getHome(OCP\User::getUser()).'/mount.php'; $jsonFile = OC_User::getHome(OCP\User::getUser()).'/mount.json'; } else { - $datadir = \OC_Config::getValue("datadirectory", \OC::$SERVERROOT . "/data"); $phpFile = OC::$SERVERROOT.'/config/mount.php'; - $jsonFile = $datadir . '/mount.json'; + $jsonFile = \OC_Config::getValue("mount_file", \OC::$SERVERROOT . "/data/mount.json"); } if (is_file($jsonFile)) { $mountPoints = json_decode(file_get_contents($jsonFile), true); @@ -386,8 +385,7 @@ class OC_Mount_Config { if ($isPersonal) { $file = OC_User::getHome(OCP\User::getUser()).'/mount.json'; } else { - $datadir = \OC_Config::getValue("datadirectory", \OC::$SERVERROOT . "/data"); - $file = $datadir . '/mount.json'; + $file = \OC_Config::getValue("mount_file", \OC::$SERVERROOT . "/data/mount.json"); } $content = json_encode($data); @file_put_contents($file, $content); diff --git a/apps/files_external/lib/webdav.php b/apps/files_external/lib/webdav.php index 7611316a26a..9afe73aebd7 100644 --- a/apps/files_external/lib/webdav.php +++ b/apps/files_external/lib/webdav.php @@ -99,7 +99,9 @@ class DAV extends \OC\Files\Storage\Common{ public function rmdir($path) { $this->init(); - $path=$this->cleanPath($path); + $path=$this->cleanPath($path) . '/'; + // FIXME: some WebDAV impl return 403 when trying to DELETE + // a non-empty folder return $this->simpleResponse('DELETE', $path, null, 204); } 
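Review bot: The new default for `mount_file` in apps/files_external/lib/config.php is hard-coded to `\OC::$SERVERROOT . "/data/mount.json"`, whereas the removed lines derived it from the `datadirectory` setting. An installation with a custom data directory and no `mount_file` entry would stop finding its existing mount.json on read, and the write path in the second hunk of this file would create a new one under the server root. Keeping the old location as the fallback avoids that, e.g. `\OC_Config::getValue("mount_file", \OC_Config::getValue("datadirectory", \OC::$SERVERROOT . "/data") . '/mount.json')` in both places. Both functions extend beyond the hunks shown.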
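Review bot: The trailing slash appended in `rmdir()` is handed to `simpleResponse()`, which (per its own hunk later in webdav.php) runs `cleanPath()` on the path again before issuing the request. If `cleanPath()` normalises away trailing slashes, the added `/` never reaches the server and the change has no effect; `cleanPath()` is not visible here, so this needs confirming. If that is the case, the slash has to be appended after the final clean and encode step rather than before it.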
@@ -107,7 +109,7 @@ class DAV extends \OC\Files\Storage\Common{ $this->init(); $path=$this->cleanPath($path); try { - $response=$this->client->propfind($path, array(), 1); + $response=$this->client->propfind($this->encodePath($path), array(), 1); $id=md5('webdav'.$this->root.$path); $content = array(); $files=array_keys($response); @@ -127,8 +129,11 @@ class DAV extends \OC\Files\Storage\Common{ $this->init(); $path=$this->cleanPath($path); try { - $response=$this->client->propfind($path, array('{DAV:}resourcetype')); - $responseType=$response["{DAV:}resourcetype"]->resourceType; + $response=$this->client->propfind($this->encodePath($path), array('{DAV:}resourcetype')); + $responseType = array(); + if (isset($response["{DAV:}resourcetype"])) { + $responseType=$response["{DAV:}resourcetype"]->resourceType; + } return (count($responseType)>0 and $responseType[0]=="{DAV:}collection")?'dir':'file'; } catch(\Exception $e) { error_log($e->getMessage()); @@ -141,7 +146,7 @@ class DAV extends \OC\Files\Storage\Common{ $this->init(); $path=$this->cleanPath($path); try { - $this->client->propfind($path, array('{DAV:}resourcetype')); + $this->client->propfind($this->encodePath($path), array('{DAV:}resourcetype')); return true;//no 404 exception } catch(\Exception $e) { return false; @@ -166,7 +171,7 @@ class DAV extends \OC\Files\Storage\Common{ $curl = curl_init(); $fp = fopen('php://temp', 'r+'); curl_setopt($curl, CURLOPT_USERPWD, $this->user.':'.$this->password); - curl_setopt($curl, CURLOPT_URL, $this->createBaseUri().str_replace(' ', '%20', $path)); + curl_setopt($curl, CURLOPT_URL, $this->createBaseUri().$this->encodePath($path)); curl_setopt($curl, CURLOPT_FILE, $fp); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true); if ($this->secure === true) { 
@@ -178,6 +183,10 @@ class DAV extends \OC\Files\Storage\Common{ } curl_exec ($curl); + $statusCode = curl_getinfo($curl, CURLINFO_HTTP_CODE); + if ($statusCode !== 200) { + \OCP\Util::writeLog("webdav client", 'curl GET ' . curl_getinfo($curl, CURLINFO_EFFECTIVE_URL) . ' returned status code ' . $statusCode, \OCP\Util::ERROR); + } curl_close ($curl); rewind($fp); return $fp; @@ -220,7 +229,7 @@ class DAV extends \OC\Files\Storage\Common{ $this->init(); $path=$this->cleanPath($path); try { - $response=$this->client->propfind($path, array('{DAV:}quota-available-bytes')); + $response=$this->client->propfind($this->encodePath($path), array('{DAV:}quota-available-bytes')); if (isset($response['{DAV:}quota-available-bytes'])) { return (int)$response['{DAV:}quota-available-bytes']; } else { @@ -240,7 +249,12 @@ class DAV extends \OC\Files\Storage\Common{ // if file exists, update the mtime, else create a new empty file if ($this->file_exists($path)) { - $this->client->proppatch($path, array('{DAV:}lastmodified' => $mtime)); + try { + $this->client->proppatch($this->encodePath($path), array('{DAV:}lastmodified' => $mtime)); + } + catch (\Sabre_DAV_Exception_NotImplemented $e) { + return false; + } } else { $this->file_put_contents($path, ''); } @@ -276,13 +290,17 @@ class DAV extends \OC\Files\Storage\Common{ } } curl_exec ($curl); + $statusCode = curl_getinfo($curl, CURLINFO_HTTP_CODE); + if ($statusCode !== 200) { + \OCP\Util::writeLog("webdav client", 'curl GET ' . curl_getinfo($curl, CURLINFO_EFFECTIVE_URL) . ' returned status code ' . $statusCode, \OCP\Util::ERROR); + } curl_close ($curl); } public function rename($path1, $path2) { $this->init(); - $path1=$this->cleanPath($path1); - $path2=$this->createBaseUri().$this->cleanPath($path2); + $path1 = $this->encodePath($this->cleanPath($path1)); + $path2 = $this->createBaseUri().$this->encodePath($this->cleanPath($path2)); try { $this->client->request('MOVE', $path1, null, array('Destination'=>$path2)); return true; 
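Review bot: A non-200 response in the read path (hunk at -178,6) is now logged, but the function still rewinds and returns `$fp`, so the caller reads the server's error body as if it were the file's content. Failing explicitly after the log call, e.g. `fclose($fp); return false;` once `curl_close($curl)` has run, would stop error pages being treated as data. The same block is pasted into what appears to be the upload path (hunk at -276,13), where the message still says `curl GET` and any status other than 200 is logged as an error, although WebDAV servers commonly answer a successful PUT with 201 or 204. Both function bodies start outside the hunks, so the request method in the second one is inferred from its position before `rename()`.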
@@ -293,8 +311,8 @@ class DAV extends \OC\Files\Storage\Common{ public function copy($path1, $path2) { $this->init(); - $path1=$this->cleanPath($path1); - $path2=$this->createBaseUri().$this->cleanPath($path2); + $path1 = $this->encodePath($this->cleanPath($path1)); + $path2 = $this->createBaseUri().$this->encodePath($this->cleanPath($path2)); try { $this->client->request('COPY', $path1, null, array('Destination'=>$path2)); return true; @@ -307,7 +325,7 @@ class DAV extends \OC\Files\Storage\Common{ $this->init(); $path=$this->cleanPath($path); try { - $response=$this->client->propfind($path, array('{DAV:}getlastmodified', '{DAV:}getcontentlength')); + $response = $this->client->propfind($this->encodePath($path), array('{DAV:}getlastmodified', '{DAV:}getcontentlength')); return array( 'mtime'=>strtotime($response['{DAV:}getlastmodified']), 'size'=>(int)isset($response['{DAV:}getcontentlength']) ? $response['{DAV:}getcontentlength'] : 0, @@ -321,8 +339,11 @@ class DAV extends \OC\Files\Storage\Common{ $this->init(); $path=$this->cleanPath($path); try { - $response=$this->client->propfind($path, array('{DAV:}getcontenttype', '{DAV:}resourcetype')); - $responseType=$response["{DAV:}resourcetype"]->resourceType; + $response=$this->client->propfind($this->encodePath($path), array('{DAV:}getcontenttype', '{DAV:}resourcetype')); + $responseType = array(); + if (isset($response["{DAV:}resourcetype"])) { + $responseType=$response["{DAV:}resourcetype"]->resourceType; + } $type=(count($responseType)>0 and $responseType[0]=="{DAV:}collection")?'dir':'file'; if ($type=='dir') { return 'httpd/unix-directory'; 
@@ -346,6 +367,16 @@ class DAV extends \OC\Files\Storage\Common{ } /** + * URL encodes the given path but keeps the slashes + * @param string $path to encode + * @return string encoded path + */ + private function encodePath($path) { + // slashes need to stay + return str_replace('%2F', '/', rawurlencode($path)); + } + + /** * @param string $method * @param string $path * @param integer $expected @@ -353,7 +384,7 @@ class DAV extends \OC\Files\Storage\Common{ private function simpleResponse($method, $path, $body, $expected) { $path=$this->cleanPath($path); try { - $response=$this->client->request($method, $path, $body); + $response=$this->client->request($method, $this->encodePath($path), $body); return $response['statusCode']==$expected; } catch(\Exception $e) { return false; diff --git a/apps/files_external/tests/config.php b/apps/files_external/tests/config.php index e296bfcb5b2..767c0adf58e 100644 --- a/apps/files_external/tests/config.php +++ b/apps/files_external/tests/config.php @@ -21,7 +21,11 @@ return array( 'host'=>'localhost', 'user'=>'test', 'password'=>'test', - 'root'=>'/owncloud/files/webdav.php', + 'root'=>'', + // wait delay in seconds after write operations + // (only in tests) + // set to higher value for lighttpd webdav + 'wait'=> 0 ), 'owncloud'=>array( 'run'=>true, diff --git a/apps/files_external/tests/webdav.php b/apps/files_external/tests/webdav.php index 1f9b767eca6..74e905ccc89 100644 --- a/apps/files_external/tests/webdav.php +++ b/apps/files_external/tests/webdav.php 
@@ -18,6 +18,9 @@ class DAV extends Storage { if ( ! is_array($this->config) or ! isset($this->config['webdav']) or ! $this->config['webdav']['run']) { $this->markTestSkipped('WebDAV backend not configured'); } + if (isset($this->config['webdav']['wait'])) { + $this->waitDelay = $this->config['webdav']['wait']; + } $this->config['webdav']['root'] .= '/' . $id; //make sure we have an new empty folder to work in $this->instance = new \OC\Files\Storage\DAV($this->config['webdav']); $this->instance->mkdir('/'); diff --git a/apps/user_ldap/lib/access.php b/apps/user_ldap/lib/access.php index 6795aecafee..b7e4023dd73 100644 --- a/apps/user_ldap/lib/access.php +++ b/apps/user_ldap/lib/access.php @@ -922,6 +922,17 @@ class Access extends LDAPUtility { } /** + * @brief escapes (user provided) parts for LDAP filter + * @param String $input, the provided value + * @returns the escaped string + */ + public function escapeFilterPart($input) { + $search = array('*', '\\', '(', ')'); + $replace = array('\\*', '\\\\', '\\(', '\\)'); + return str_replace($search, $replace, $input); + } + + /** * @brief combines the input filters with AND * @param $filters array, the filters to connect * @returns the combined filter diff --git a/apps/user_ldap/lib/helper.php b/apps/user_ldap/lib/helper.php index 9727d847d27..7de7fe8667f 100644 --- a/apps/user_ldap/lib/helper.php +++ b/apps/user_ldap/lib/helper.php @@ -118,10 +118,16 @@ class Helper { return false; } + $saveOtherConfigurations = ''; + if(empty($prefix)) { + $saveOtherConfigurations = 'AND `Configkey` NOT LIKE \'s%\''; + } + $query = \OCP\DB::prepare(' DELETE FROM `*PREFIX*appconfig` WHERE `configkey` LIKE ? + '.$saveOtherConfigurations.' AND `appid` = \'user_ldap\' AND `configkey` NOT IN (\'enabled\', \'installed_version\', \'types\', \'bgjUpdateGroupsLastRun\') '); diff --git a/apps/user_ldap/tests/access.php b/apps/user_ldap/tests/access.php new file mode 100644 index 00000000000..9beb2b97336 --- /dev/null 
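Review bot: `escapeFilterPart()` in apps/user_ldap/lib/access.php escapes `*` before `\`, and `str_replace()` with array arguments applies the pairs one after another, so the backslash just inserted in front of `*` is itself doubled and the result is `\\*` rather than `\*`. The new tests in apps/user_ldap/tests/access.php pin exactly that output (`'\\\\*'`), so they pass while the wildcard is not reliably neutralised. Putting the backslash first fixes the ordering: `$search = array('\\', '*', '(', ')');` with `$replace = array('\\\\', '\\*', '\\(', '\\)');`, and the test expectations become `'\\*'` and `'foo\\*bar'`. It is also worth considering the RFC 4515 hex forms (`\5c`, `\2a`, `\28`, `\29`, plus `\00` for NUL), or `ldap_escape($input, '', LDAP_ESCAPE_FILTER)` where the PHP version provides it, since how servers treat `\*` is not guaranteed.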
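Review bot: The fragment added in apps/user_ldap/lib/helper.php spells the column as `Configkey`, while the rest of the statement uses `configkey`. If the database layer turns backticks into case-sensitive quoted identifiers on some backends (not visible here), the DELETE would fail there only when `$prefix` is empty. Using the lowercase spelling keeps the statement consistent. The `NOT LIKE 's%'` condition also relies on every other configuration's keys starting with `s`; a comment such as `// keys of additional configurations are prefixed "sNN"; keep them when deleting the unprefixed one` would make that assumption explicit. The function body starts and ends outside the hunk.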
+++ b/apps/user_ldap/tests/access.php 
@@ -0,0 +1,71 @@
+<?php
+/**
+* ownCloud
+*
+* @author Arthur Schiwon
+* @copyright 2013 Arthur Schiwon blizzz@owncloud.com
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+* License as published by the Free Software Foundation; either
+* version 3 of the License, or any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+*
+* You should have received a copy of the GNU Affero General Public
+* License along with this library. If not, see <http://www.gnu.org/licenses/>.
+*
+*/
+
+namespace OCA\user_ldap\tests;
+
+use \OCA\user_ldap\lib\Access;
+use \OCA\user_ldap\lib\Connection;
+use \OCA\user_ldap\lib\ILDAPWrapper;
+
+class Test_Access extends \PHPUnit_Framework_TestCase {
+ private function getConnecterAndLdapMock() {
+ static $conMethods;
+ static $accMethods;
+
+ if(is_null($conMethods) || is_null($accMethods)) {
+ $conMethods = get_class_methods('\OCA\user_ldap\lib\Connection');
+ $accMethods = get_class_methods('\OCA\user_ldap\lib\Access');
+ }
+ $lw = $this->getMock('\OCA\user_ldap\lib\ILDAPWrapper');
+ $connector = $this->getMock('\OCA\user_ldap\lib\Connection',
+ $conMethods,
+ array($lw, null, null));
+
+ return array($lw, $connector);
+ }
+
+ public function testEscapeFilterPartValidChars() {
+ list($lw, $con) = $this->getConnecterAndLdapMock();
+ $access = new Access($con, $lw);
+
+ $input = 'okay';
+ $this->assertTrue($input === $access->escapeFilterPart($input));
+ }
+
+ public function testEscapeFilterPartEscapeWildcard() {
+ list($lw, $con) = $this->getConnecterAndLdapMock();
+ $access = new Access($con, $lw);
+
+ $input = '*';
+ $expected = '\\\\*';
+ $this->assertTrue($expected === $access->escapeFilterPart($input));
+ }
+
+ public function testEscapeFilterPartEscapeWildcard2() {
+ list($lw, $con) = $this->getConnecterAndLdapMock();
+ $access = new Access($con, $lw);
+
+ $input = 'foo*bar';
+ $expected = 'foo\\\\*bar';
+ $this->assertTrue($expected === $access->escapeFilterPart($input));
+ }
+}
\ No newline at end of file diff --git a/apps/user_ldap/tests/user_ldap.php b/apps/user_ldap/tests/user_ldap.php index 9193a005ae5..8c8d85b3c33 100644 --- a/apps/user_ldap/tests/user_ldap.php +++ b/apps/user_ldap/tests/user_ldap.php @@ -83,6 +83,12 @@ class Test_User_Ldap_Direct extends \PHPUnit_Framework_TestCase { * @return void */ private function prepareAccessForCheckPassword(&$access) { + $access->expects($this->once()) + ->method('escapeFilterPart') + ->will($this->returnCallback(function($uid) { + return $uid; + })); + $access->connection->expects($this->any()) ->method('__get') ->will($this->returnCallback(function($name) { @@ -116,17 +122,34 @@ class Test_User_Ldap_Direct extends \PHPUnit_Framework_TestCase { })); } - public function testCheckPassword() { + public function testCheckPasswordUidReturn() { $access = $this->getAccessMock(); + $this->prepareAccessForCheckPassword($access); $backend = new UserLDAP($access); \OC_User::useBackend($backend); $result = $backend->checkPassword('roland', 'dt19'); $this->assertEquals('gunslinger', $result); + } + + public function testCheckPasswordWrongPassword() { + $access = $this->getAccessMock(); + + $this->prepareAccessForCheckPassword($access); + $backend = new UserLDAP($access); + \OC_User::useBackend($backend); $result = $backend->checkPassword('roland', 'wrong'); $this->assertFalse($result); + } + + public function testCheckPasswordWrongUser() { + $access = $this->getAccessMock(); + + $this->prepareAccessForCheckPassword($access); + $backend = new UserLDAP($access); + \OC_User::useBackend($backend); $result = $backend->checkPassword('mallory', 'evil'); $this->assertFalse($result); 
@@ -140,9 +163,23 @@ class Test_User_Ldap_Direct extends \PHPUnit_Framework_TestCase { $result = \OCP\User::checkPassword('roland', 'dt19'); $this->assertEquals('gunslinger', $result); + } + + public function testCheckPasswordPublicAPIWrongPassword() { + $access = $this->getAccessMock(); + $this->prepareAccessForCheckPassword($access); + $backend = new UserLDAP($access); + \OC_User::useBackend($backend); $result = \OCP\User::checkPassword('roland', 'wrong'); $this->assertFalse($result); + } + + public function testCheckPasswordPublicAPIWrongUser() { + $access = $this->getAccessMock(); + $this->prepareAccessForCheckPassword($access); + $backend = new UserLDAP($access); + \OC_User::useBackend($backend); $result = \OCP\User::checkPassword('mallory', 'evil'); $this->assertFalse($result); @@ -154,6 +191,12 @@ class Test_User_Ldap_Direct extends \PHPUnit_Framework_TestCase { * @return void */ private function prepareAccessForGetUsers(&$access) { + $access->expects($this->once()) + ->method('escapeFilterPart') + ->will($this->returnCallback(function($search) { + return $search; + })); + $access->expects($this->any()) ->method('getFilterPartForUserSearch') ->will($this->returnCallback(function($search) { 
@@ -191,28 +234,52 @@ class Test_User_Ldap_Direct extends \PHPUnit_Framework_TestCase { ->will($this->returnArgument(0)); } - public function testGetUsers() { + public function testGetUsersNoParam() { $access = $this->getAccessMock(); $this->prepareAccessForGetUsers($access); $backend = new UserLDAP($access); $result = $backend->getUsers(); $this->assertEquals(3, count($result)); + } + + public function testGetUsersLimitOffset() { + $access = $this->getAccessMock(); + $this->prepareAccessForGetUsers($access); + $backend = new UserLDAP($access); $result = $backend->getUsers('', 1, 2); $this->assertEquals(1, count($result)); + } + + public function testGetUsersLimitOffset2() { + $access = $this->getAccessMock(); + $this->prepareAccessForGetUsers($access); + $backend = new UserLDAP($access); $result = $backend->getUsers('', 2, 1); $this->assertEquals(2, count($result)); + } + + public function testGetUsersSearchWithResult() { + $access = $this->getAccessMock(); + $this->prepareAccessForGetUsers($access); + $backend = new UserLDAP($access); $result = $backend->getUsers('yo'); $this->assertEquals(2, count($result)); + } + + public function testGetUsersSearchEmptyResult() { + $access = $this->getAccessMock(); + $this->prepareAccessForGetUsers($access); + $backend = new UserLDAP($access); $result = $backend->getUsers('nix'); $this->assertEquals(0, count($result)); } - public function testGetUsersViaAPI() { + public function testGetUsersViaAPINoParam() { $access = $this->getAccessMock(); $this->prepareAccessForGetUsers($access); $backend = new UserLDAP($access); 
@@ -220,15 +287,43 @@ class Test_User_Ldap_Direct extends \PHPUnit_Framework_TestCase { $result = \OCP\User::getUsers(); $this->assertEquals(3, count($result)); + } + + public function testGetUsersViaAPILimitOffset() { + $access = $this->getAccessMock(); + $this->prepareAccessForGetUsers($access); + $backend = new UserLDAP($access); + \OC_User::useBackend($backend); $result = \OCP\User::getUsers('', 1, 2); $this->assertEquals(1, count($result)); + } + + public function testGetUsersViaAPILimitOffset2() { + $access = $this->getAccessMock(); + $this->prepareAccessForGetUsers($access); + $backend = new UserLDAP($access); + \OC_User::useBackend($backend); $result = \OCP\User::getUsers('', 2, 1); $this->assertEquals(2, count($result)); + } + + public function testGetUsersViaAPISearchWithResult() { + $access = $this->getAccessMock(); + $this->prepareAccessForGetUsers($access); + $backend = new UserLDAP($access); + \OC_User::useBackend($backend); $result = \OCP\User::getUsers('yo'); $this->assertEquals(2, count($result)); + } + + public function testGetUsersViaAPISearchEmptyResult() { + $access = $this->getAccessMock(); + $this->prepareAccessForGetUsers($access); + $backend = new UserLDAP($access); + \OC_User::useBackend($backend); $result = \OCP\User::getUsers('nix'); $this->assertEquals(0, count($result)); diff --git a/apps/user_ldap/user_ldap.php b/apps/user_ldap/user_ldap.php index 4a147cf9884..757de6b60f4 100644 --- a/apps/user_ldap/user_ldap.php +++ b/apps/user_ldap/user_ldap.php @@ -163,6 +163,8 @@ class USER_LDAP extends BackendUtility implements \OCP\UserInterface { * Check if the password is correct without logging in the user */ public function checkPassword($uid, $password) { + $uid = $this->access->escapeFilterPart($uid); + //find out dn of the user name $filter = \OCP\Util::mb_str_replace( '%uid', $uid, $this->access->connection->ldapLoginFilter, 'UTF-8'); 
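Review bot: In `checkPassword()` (apps/user_ldap/user_ldap.php) the escaped value overwrites `$uid`, and the `getUsers()` hunk that follows does the same with `$search`, so any later use of these variables outside a filter (logging, cache keys, return values) sees the escaped form. The `getUsers()` cache key on the next line is already built from the escaped string, and the rest of `checkPassword()` is outside the hunk, so further uses cannot be ruled out. A separate variable, e.g. `$escapedUid = $this->access->escapeFilterPart($uid);` used only when building `$filter`, keeps the raw and filter-safe values apart. The updated tests in apps/user_ldap/tests/user_ldap.php stub `escapeFilterPart` as an identity function, so they confirm the call is made but not that the filter receives escaped input.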
@@ -203,6 +205,7 @@ class USER_LDAP extends BackendUtility implements \OCP\UserInterface { * Get a list of all users. */ public function getUsers($search = '', $limit = 10, $offset = 0) { + $search = $this->access->escapeFilterPart($search); $cachekey = 'getUsers-'.$search.'-'.$limit.'-'.$offset; //check if users are cached, if so return |