From e04cb81710df07313020aa1f6759a42951739908 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <91878298+come-nc@users.noreply.github.com> Date: Mon, 2 Oct 2023 09:49:22 +0200 Subject: [PATCH] Merge pull request #37201 from AaronDewes/fix/ldap-filter-generation Fix: Escape group names for LDAP --- apps/user_ldap/lib/Access.php | 4 +--- apps/user_ldap/lib/Wizard.php | 12 ++++++------ apps/user_ldap/tests/AccessTest.php | 4 ++-- 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php index 1cc0c62ff1d17..658de8c0b8393 100644 --- a/apps/user_ldap/lib/Access.php +++ b/apps/user_ldap/lib/Access.php @@ -1411,9 +1411,7 @@ public function escapeFilterPart($input, $allowAsterisk = false): string { $asterisk = '*'; $input = mb_substr($input, 1, null, 'UTF-8'); } - $search = ['*', '\\', '(', ')']; - $replace = ['\\*', '\\\\', '\\(', '\\)']; - return $asterisk . str_replace($search, $replace, $input); + return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER); } /** diff --git a/apps/user_ldap/lib/Wizard.php b/apps/user_ldap/lib/Wizard.php index 3014ec8e8a74b..29407ceb0a500 100644 --- a/apps/user_ldap/lib/Wizard.php +++ b/apps/user_ldap/lib/Wizard.php @@ -909,7 +909,7 @@ private function composeLdapFilter(int $filterType): string { if (is_array($objcs) && count($objcs) > 0) { $filter .= '(|'; foreach ($objcs as $objc) { - $filter .= '(objectclass=' . $objc . ')'; + $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')'; } $filter .= ')'; $parts++; @@ -925,7 +925,7 @@ private function composeLdapFilter(int $filterType): string { } $base = $this->configuration->ldapBase[0]; foreach ($cns as $cn) { - $rr = $this->ldap->search($cr, $base, 'cn=' . $cn, ['dn', 'primaryGroupToken']); + $rr = $this->ldap->search($cr, $base, 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER), ['dn', 'primaryGroupToken']); if (!$this->ldap->isResource($rr)) { continue; } @@ -936,10 +936,10 @@ private function composeLdapFilter(int $filterType): string { if ($dn === false || $dn === '') { continue; } - $filterPart = '(memberof=' . $dn . ')'; + $filterPart = '(memberof=' . ldap_escape($dn, '', LDAP_ESCAPE_FILTER) . ')'; if (isset($attrs['primaryGroupToken'])) { $pgt = $attrs['primaryGroupToken'][0]; - $primaryFilterPart = '(primaryGroupID=' . $pgt .')'; + $primaryFilterPart = '(primaryGroupID=' . ldap_escape($pgt, '', LDAP_ESCAPE_FILTER) .')'; $filterPart = '(|' . $filterPart . $primaryFilterPart . ')'; } $filter .= $filterPart; @@ -963,7 +963,7 @@ private function composeLdapFilter(int $filterType): string { if (is_array($objcs) && count($objcs) > 0) { $filter .= '(|'; foreach ($objcs as $objc) { - $filter .= '(objectclass=' . $objc . ')'; + $filter .= '(objectclass=' . ldap_escape($objc, '', LDAP_ESCAPE_FILTER) . ')'; } $filter .= ')'; $parts++; @@ -973,7 +973,7 @@ private function composeLdapFilter(int $filterType): string { if (is_array($cns) && count($cns) > 0) { $filter .= '(|'; foreach ($cns as $cn) { - $filter .= '(cn=' . $cn . ')'; + $filter .= '(cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER) . ')'; } $filter .= ')'; } diff --git a/apps/user_ldap/tests/AccessTest.php b/apps/user_ldap/tests/AccessTest.php index ce05839c842b2..5469b9267e7a5 100644 --- a/apps/user_ldap/tests/AccessTest.php +++ b/apps/user_ldap/tests/AccessTest.php @@ -137,13 +137,13 @@ public function testEscapeFilterPartValidChars() { public function testEscapeFilterPartEscapeWildcard() { $input = '*'; - $expected = '\\\\*'; + $expected = '\\2a'; $this->assertTrue($expected === $this->access->escapeFilterPart($input)); } public function testEscapeFilterPartEscapeWildcard2() { $input = 'foo*bar'; - $expected = 'foo\\\\*bar'; + $expected = 'foo\\2abar'; $this->assertTrue($expected === $this->access->escapeFilterPart($input)); }