Skip to content

Commit

Permalink
Merge pull request nextcloud#37201 from AaronDewes/fix/ldap-filter-ge…
Browse files Browse the repository at this point in the history
…neration

Fix: Escape group names for LDAP
  • Loading branch information
come-nc authored and AaronDewes committed Oct 2, 2023
1 parent 93ec863 commit e04cb81
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 11 deletions.
4 changes: 1 addition & 3 deletions apps/user_ldap/lib/Access.php
Original file line number Diff line number Diff line change
Expand Up @@ -1411,9 +1411,7 @@ public function escapeFilterPart($input, $allowAsterisk = false): string {
$asterisk = '*';
$input = mb_substr($input, 1, null, 'UTF-8');
}
$search = ['*', '\\', '(', ')'];
$replace = ['\\*', '\\\\', '\\(', '\\)'];
return $asterisk . str_replace($search, $replace, $input);
return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER);
}

/**
Expand Down
12 changes: 6 additions & 6 deletions apps/user_ldap/lib/Wizard.php
Original file line number Diff line number Diff line change
Expand Up @@ -909,7 +909,7 @@ private function composeLdapFilter(int $filterType): string {
if (is_array($objcs) && count($objcs) > 0) {
$filter .= '(|';
foreach ($objcs as $objc) {
$filter .= '(objectclass=' . $objc . ')';
$filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')';
}
$filter .= ')';
$parts++;
Expand All @@ -925,7 +925,7 @@ private function composeLdapFilter(int $filterType): string {
}
$base = $this->configuration->ldapBase[0];
foreach ($cns as $cn) {
$rr = $this->ldap->search($cr, $base, 'cn=' . $cn, ['dn', 'primaryGroupToken']);
$rr = $this->ldap->search($cr, $base, 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER), ['dn', 'primaryGroupToken']);
if (!$this->ldap->isResource($rr)) {
continue;
}
Expand All @@ -936,10 +936,10 @@ private function composeLdapFilter(int $filterType): string {
if ($dn === false || $dn === '') {
continue;
}
$filterPart = '(memberof=' . $dn . ')';
$filterPart = '(memberof=' . ldap_escape($dn, '', LDAP_ESCAPE_FILTER) . ')';
if (isset($attrs['primaryGroupToken'])) {
$pgt = $attrs['primaryGroupToken'][0];
$primaryFilterPart = '(primaryGroupID=' . $pgt .')';
$primaryFilterPart = '(primaryGroupID=' . ldap_escape($pgt, '', LDAP_ESCAPE_FILTER) .')';
$filterPart = '(|' . $filterPart . $primaryFilterPart . ')';
}
$filter .= $filterPart;
Expand All @@ -963,7 +963,7 @@ private function composeLdapFilter(int $filterType): string {
if (is_array($objcs) && count($objcs) > 0) {
$filter .= '(|';
foreach ($objcs as $objc) {
$filter .= '(objectclass=' . $objc . ')';
$filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')';
}
$filter .= ')';
$parts++;
Expand All @@ -973,7 +973,7 @@ private function composeLdapFilter(int $filterType): string {
if (is_array($cns) && count($cns) > 0) {
$filter .= '(|';
foreach ($cns as $cn) {
$filter .= '(cn=' . $cn . ')';
$filter .= '(cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER) . ')';
}
$filter .= ')';
}
Expand Down
4 changes: 2 additions & 2 deletions apps/user_ldap/tests/AccessTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -137,13 +137,13 @@ public function testEscapeFilterPartValidChars() {

public function testEscapeFilterPartEscapeWildcard() {
$input = '*';
$expected = '\\\\*';
$expected = '\\2a';
$this->assertTrue($expected === $this->access->escapeFilterPart($input));
}

public function testEscapeFilterPartEscapeWildcard2() {
$input = 'foo*bar';
$expected = 'foo\\\\*bar';
$expected = 'foo\\2abar';
$this->assertTrue($expected === $this->access->escapeFilterPart($input));
}

Expand Down

0 comments on commit e04cb81

Please sign in to comment.