From c42d9d439a2aa72d0be159f793c08dfeb612eec9 Mon Sep 17 00:00:00 2001
From: AaronDewes
Date: Mon, 13 Mar 2023 18:58:59 +0000
Subject: Fix: Escape group names for LDAP

Groups may contain special characters (Like "(" or ")") that should be escaped to ensure geenrted queries are correct.

Signed-off-by: AaronDewes
---
 apps/user_ldap/lib/Wizard.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'apps')

diff --git a/apps/user_ldap/lib/Wizard.php b/apps/user_ldap/lib/Wizard.php
index 3014ec8e8a7..785a0c6359a 100644
--- a/apps/user_ldap/lib/Wizard.php
+++ b/apps/user_ldap/lib/Wizard.php
@@ -973,7 +973,7 @@ class Wizard extends LDAPUtility {
  if (is_array($cns) && count($cns) > 0) {
  $filter .= '(|';
  foreach ($cns as $cn) {
- $filter .= '(cn=' . $cn . ')';
+ $filter .= '(cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER) . ')';
  }
  $filter .= ')';
  }
-- 
cgit v1.2.3
From 13d9494af32fb30c39f7ce64f781454681eb0379 Mon Sep 17 00:00:00 2001
From: Aaron Dewes
Date: Tue, 14 Mar 2023 07:41:03 +0100
Subject: Escape some more values

Signed-off-by: Aaron Dewes
---
 apps/user_ldap/lib/Wizard.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'apps')

diff --git a/apps/user_ldap/lib/Wizard.php b/apps/user_ldap/lib/Wizard.php
index 785a0c6359a..29407ceb0a5 100644
--- a/apps/user_ldap/lib/Wizard.php
+++ b/apps/user_ldap/lib/Wizard.php
@@ -909,7 +909,7 @@ class Wizard extends LDAPUtility {
  if (is_array($objcs) && count($objcs) > 0) {
  $filter .= '(|';
  foreach ($objcs as $objc) {
- $filter .= '(objectclass=' . $objc . ')';
+ $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')';
  }
  $filter .= ')';
  $parts++;
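Review bot: Nothing in the series pins the new `(cn=…)` output — the later "Fix tests" commit only adjusts AccessTest — so a regression that drops the escape on this line would go unnoticed. A Wizard test feeding a group name containing `(`, `)` and `\` and asserting the generated filter contains `(cn=a\28b\29\5c)` would cover it. Note also that `LDAP_ESCAPE_FILTER` rewrites `*` to `\2a`, so a configured group name holding a literal wildcard is now matched as text rather than as a pattern; that is the safe reading, but it is a behavior change the commit message does not mention. The enclosing method begins and ends outside the hunk.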
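Review bot: The `(objectclass=…)` OR-group built in this hunk is repeated verbatim in the `@@ -963` hunk of the same commit, and the `(cn=…)` loop from the previous commit has the same shape, so the escaping rule now lives in three copies. A small private helper taking the attribute name and the value list would keep the escape in one place; each loop would then collapse to one call inside the existing `is_array(...) && count(...) > 0` guard, e.g. `$filter .= $this->orTerm('objectclass', $objcs);`. The enclosing methods begin and end outside the hunks.
```php
/**
 * Builds `(|(attr=v1)(attr=v2)…)` with every value filter-escaped (RFC 4515).
 *
 * @param list<string> $values
 */
private function orTerm(string $attribute, array $values): string {
	$terms = array_map(
		static fn ($value): string => '(' . $attribute . '=' . ldap_escape($value, '', LDAP_ESCAPE_FILTER) . ')',
		$values,
	);
	return '(|' . implode('', $terms) . ')';
}
// … unchanged: guard and $parts++ at each call site …
```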
@@ -925,7 +925,7 @@ class Wizard extends LDAPUtility {
  }
  $base = $this->configuration->ldapBase[0];
  foreach ($cns as $cn) {
- $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, ['dn', 'primaryGroupToken']);
+ $rr = $this->ldap->search($cr, $base, 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER), ['dn', 'primaryGroupToken']);
  if (!$this->ldap->isResource($rr)) {
  continue;
  }
@@ -936,10 +936,10 @@ class Wizard extends LDAPUtility {
  if ($dn === false || $dn === '') {
  continue;
  }
- $filterPart = '(memberof=' . $dn . ')';
+ $filterPart = '(memberof=' . ldap_escape($dn, '', LDAP_ESCAPE_FILTER) . ')';
  if (isset($attrs['primaryGroupToken'])) {
  $pgt = $attrs['primaryGroupToken'][0];
- $primaryFilterPart = '(primaryGroupID=' . $pgt .')';
+ $primaryFilterPart = '(primaryGroupID=' . ldap_escape($pgt, '', LDAP_ESCAPE_FILTER) .')';
  $filterPart = '(|' . $filterPart . $primaryFilterPart . ')';
  }
  $filter .= $filterPart;
@@ -963,7 +963,7 @@ class Wizard extends LDAPUtility {
  if (is_array($objcs) && count($objcs) > 0) {
  $filter .= '(|';
  foreach ($objcs as $objc) {
- $filter .= '(objectclass=' . $objc . ')';
+ $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')';
  }
  $filter .= ')';
  $parts++;
-- 
cgit v1.2.3
From 16908999edae23a31b3f748c31c6c3196b6ba1da Mon Sep 17 00:00:00 2001
From: Aaron Dewes
Date: Fri, 28 Apr 2023 10:04:26 +0000
Subject: Simplify escapeFilterPart

Signed-off-by: Aaron Dewes
---
 apps/user_ldap/lib/Access.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'apps')

diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 0b115c42764..8086b95271f 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
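Review bot: In the `@@ -936` hunk `$dn` is a distinguished name returned by the directory, and DNs legitimately carry DN-escaped RDN values such as `cn=Doe\, Jane`; the added `LDAP_ESCAPE_FILTER` turns that backslash into `\5c`, which is the correct RFC 4515 assertion-value form, but a reader may mistake it for double escaping. A one-line comment on the new `memberof` line would pre-empt that: `// DN comes from the directory; filter-escape it so '\', '(', ')' and '*' in RDN values cannot alter the filter`. The same applies to the `primaryGroupID` line below it, where escaping a numeric token is harmless but not obviously needed. The enclosing method starts and ends outside the hunk.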
@@ -1421,9 +1421,7 @@ class Access extends LDAPUtility {
  $asterisk = '*';
  $input = mb_substr($input, 1, null, 'UTF-8');
  }
- $search = ['*', '\\', '(', ')'];
- $replace = ['\\*', '\\\\', '\\(', '\\)'];
- return $asterisk . str_replace($search, $replace, $input);
+ return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER);
  }
 
  /**
-- 
cgit v1.2.3
From d79def553f79cc448afda4de011119d1af5b002d Mon Sep 17 00:00:00 2001
From: Aaron Dewes
Date: Thu, 11 May 2023 17:42:12 +0200
Subject: Fix tests

Signed-off-by: Aaron Dewes
---
 apps/user_ldap/tests/AccessTest.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'apps')

diff --git a/apps/user_ldap/tests/AccessTest.php b/apps/user_ldap/tests/AccessTest.php
index ce05839c842..5469b9267e7 100644
--- a/apps/user_ldap/tests/AccessTest.php
+++ b/apps/user_ldap/tests/AccessTest.php
@@ -137,13 +137,13 @@ class AccessTest extends TestCase {
 
  public function testEscapeFilterPartEscapeWildcard() {
  $input = '*';
- $expected = '\\\\*';
+ $expected = '\\2a';
  $this->assertTrue($expected === $this->access->escapeFilterPart($input));
  }
 
  public function testEscapeFilterPartEscapeWildcard2() {
  $input = 'foo*bar';
- $expected = 'foo\\\\*bar';
+ $expected = 'foo\\2abar';
  $this->assertTrue($expected === $this->access->escapeFilterPart($input));
  }
 
-- 
cgit v1.2.3
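Review bot: The removed `str_replace` did not actually neutralise the wildcard: it applies its search/replace pairs left to right, so `*` first became `\*` and the following `\` → `\\` pair then escaped that freshly inserted backslash, leaving `\\*` with the `*` still live — exactly what the old AccessTest expectation `'\\\\*'` recorded — whereas `ldap_escape` emits the RFC 4515 hex form `\2a` (and `\5c`, `\28`, `\29`, `\00`). That makes this more than the "Simplify" of the title, and the method's docblock (above the hunk) should state that return values use `\XX` hex escaping and that only a leading `*`, kept via the `$asterisk` prefix visible in the context lines, passes through unescaped. If `ILDAPWrapper` exposes an escape method, calling it through `$this->ldap` would keep this path mockable like the rest of the class; the interface is not visible from here. `escapeFilterPart` starts outside the hunk.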
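Review bot: The updated expectations in the `@@ -137` hunk only exercise `*`; nothing asserts the escaping of `(`, `)`, `\` or NUL, which are the characters that let a value close or extend a filter. Adding cases such as `self::assertSame('a\\28b\\29', $this->access->escapeFilterPart('a(b)'));` and one for a backslash (expected `\5c`) would pin the full RFC 4515 mapping now that the implementation delegates to `ldap_escape`. While here, `assertSame($expected, $actual)` reports both values on failure, unlike the surviving `assertTrue($expected === …)` form. Both test methods are fully visible in the hunk.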