[Pkg-owncloud-commits] [owncloud] 46/66: LDAP: improve compilation of filters

David Prévot taffit at moszumanska.debian.org
Fri Apr 18 22:49:46 UTC 2014


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to annotated tag v5.0.15
in repository owncloud.

commit 74a46e2a9e2c83f4a0edabd4d0fd9ba52c519e01
Author: Arthur Schiwon <blizzz at owncloud.com>
Date:   Wed Feb 19 13:13:01 2014 +0100

    LDAP: improve compilation of filters
---
 apps/user_ldap/lib/access.php | 11 +++++++++++
 apps/user_ldap/user_ldap.php  |  3 +++
 2 files changed, 14 insertions(+)

diff --git a/apps/user_ldap/lib/access.php b/apps/user_ldap/lib/access.php
index aa8db29..44a5fe6 100644
--- a/apps/user_ldap/lib/access.php
+++ b/apps/user_ldap/lib/access.php
@@ -798,6 +798,17 @@ abstract class Access {
 	}
 
 	/**
+	* @brief escapes (user provided) parts for LDAP filter
+	* @param String $input, the provided value
+	* @returns the escaped string
+	*/
+	public function escapeFilterPart($input) {
+		$search  = array('*', '\\', '(', ')');
+		$replace = array('\\*', '\\\\', '\\(', '\\)');
+		return str_replace($search, $replace, $input);
+	}
+
+	/**
 	 * @brief combines the input filters with AND
 	 * @param $filters array, the filters to connect
 	 * @returns the combined filter
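Review bot: In `escapeFilterPart` the search array lists `'*'` before `'\\'`, and `str_replace()` applies array pairs one after another to the running result, so the backslash inserted for an asterisk is then escaped again by the second pair. An input of a single `*` therefore comes out as two backslashes followed by `*`, which an LDAP server reads as a literal backslash and a wildcard that is still active. Put the backslash pair first so it only touches backslashes from the input: `$search = array('\\', '*', '(', ')');` with `$replace = array('\\\\', '\\*', '\\(', '\\)');`. NUL bytes are passed through unchanged, and RFC 4515 specifies the hex form (`\2a`, `\28`, `\29`, `\5c`, `\00`), which is worth adopting if the target directory servers parse filters strictly.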
diff --git a/apps/user_ldap/user_ldap.php b/apps/user_ldap/user_ldap.php
index 60000cf..3b8089b 100644
--- a/apps/user_ldap/user_ldap.php
+++ b/apps/user_ldap/user_ldap.php
@@ -69,6 +69,8 @@ class USER_LDAP extends lib\Access implements \OCP\UserInterface {
 	 * Check if the password is correct without logging in the user
 	 */
 	public function checkPassword($uid, $password) {
+		$uid = $this->escapeFilterPart($uid);
+
 		//find out dn of the user name
 		$filter = \OCP\Util::mb_str_replace('%uid', $uid, $this->connection->ldapLoginFilter, 'UTF-8');
 		$ldap_users = $this->fetchListOfUsers($filter, 'dn');
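Review bot: `$uid` is overwritten with its escaped form at the top of `checkPassword`, so every later use in the function sees the filter-escaped string, not the login name the caller passed. The same pattern appears with `$search` in `getUsers`, where the escaped value also feeds `$cachekey`. The rest of both bodies lies outside these hunks, so whether anything beyond the filter reads those variables cannot be confirmed from here. Keeping the raw value and escaping into a separate variable avoids the question: `$escapedUid = $this->escapeFilterPart($uid);`, with `$escapedUid` used only in the `mb_str_replace` call that builds `$filter`.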
@@ -104,6 +106,7 @@ class USER_LDAP extends lib\Access implements \OCP\UserInterface {
 	 * Get a list of all users.
 	 */
 	public function getUsers($search = '', $limit = 10, $offset = 0) {
+		$search = $this->escapeFilterPart($search);
 		$cachekey = 'getUsers-'.$search.'-'.$limit.'-'.$offset;
 
 		//check if users are cached, if so return

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git


