Fix: Escape group names for LDAP #37201
Conversation
szaimen
requested review from
blizzz,
come-nc,
a team and
ArtificialOwl
and removed request for
a team
Yes, I fixed this now. I think these are all values that need escaping, but please let me know if I missed any. Also, if this gets merged, can this be backported to Nextcloud 26(.0.2)? From https://github.com/nextcloud/desktop/wiki/Backport-policy-stable-branches:
Because this fix is pretty simple, and it seems like there is still some time left until Nextcloud 27, it would be great to get this backported, because it affects every Nextcloud version. |
AaronDewes
requested review from
come-nc
and removed request for
blizzz and
ArtificialOwl
|
I did not intend to remove the other two requests, this seems to be a bug in GitHub (I just clicked "Re-request review from @come-nc"). |
I’m afraid it will be for 26.0.1, we are too close to 26 release to backport in time most likely. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -925,7 +925,7 @@ | |||
| } | |||
| $base = $this->configuration->ldapBase[0]; | |||
| foreach ($cns as $cn) { | |||
| $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, ['dn', 'primaryGroupToken']); | |||
| $rr = $this->ldap->search($cr, $base, 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER), ['dn', 'primaryGroupToken']); | |||
Check notice
Code scanning / Psalm
PossiblyNullArgument Note
come-nc
requested review from
blizzz,
a team and
ArtificialOwl
and removed request for
a team
|
we also have |
escapeFilterPart also has a special handling of the asterisk as first character, if allowed. diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 1cc0c62ff1d..658de8c0b83 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -1411,9 +1411,7 @@ class Access extends LDAPUtility {
$asterisk = '*';
$input = mb_substr($input, 1, null, 'UTF-8');
}
- $search = ['*', '\\', '(', ')'];
- $replace = ['\\*', '\\\\', '\\(', '\\)'];
- return $asterisk . str_replace($search, $replace, $input);
+ return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER);
}
/**
|
For this purpose, |
|
@blizzz @ArtificialOwl is there anything I can do to Help this PR get merged? I'd really like to have this in the next release to save school IT admins in Rhineland-Palatinate some work at the beginning of the next school year. |
|
@AaronDewes from my PoV also fix the other occurrences as described in #37201 (comment) f |
|
I did that in f1b6ddc, did I miss any? |
|
In the Access class as pointed out. |
Signed-off-by: Aaron Dewes <aaron.dewes@protonmail.com>
Signed-off-by: Aaron Dewes <aaron.dewes@protonmail.com>
AaronDewes
force-pushed
the
fix/ldap-filter-generation
branch
from
09c2ccc
to
d79def5
Compare
|
@joshtrichards @ArtificialOwl @blizz Can someone have a look again? This bug is really annoying to me, and it would be great to have it fixed soon. |
Parenthesis are correctly escaped by |
|
Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 |
|
/backport stable27 |
|
/backport stable26 |
|
/backport to stable27 |
|
/backport to stable26 |
|
The backport to stable27 failed. Please do this backport manually. # Switch to the target branch and update it
git checkout stable27
git pull origin stable27
# Create the new backport branch
git checkout -b fix/foo-stable27
# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123
# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable27More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport |
|
The backport to stable26 failed. Please do this backport manually. # Switch to the target branch and update it
git checkout stable26
git pull origin stable26
# Create the new backport branch
git checkout -b fix/foo-stable26
# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123
# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable26More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport |
…neration Fix: Escape group names for LDAP
…neration Fix: Escape group names for LDAP
Summary
Nextcloud's LDAP feature allows to automatically generate queries so only certain groups are available in Nextcloud.
However, I noticed that groups may contain special characters (Like "(" or ")") that should be escaped to ensure generated queries are correct. Currently, the generated queries will be invalid and lead to 0 groups found if any groups contain such characters.
I originally encountered this issue when trying to get Nextcloud running with a MNS+ system, a very popular school managment system in Rhineland-Palatinate.
TODO
Checklist