LDAP: improve compilation of filters

12 years ago · c0328b4f0f
parent f9d4780d27
commit c0328b4f0f
2 changed files with 14 additions and 0 deletions
--- a/apps/user_ldap/lib/access.php
+++ b/apps/user_ldap/lib/access.php
@ -921,6 +921,17 @@ class Access extends LDAPUtility {
 		return $name;
 	}

+	/**
+	* @brief escapes (user provided) parts for LDAP filter
+	* @param String $input, the provided value
+	* @returns the escaped string
+	*/
+	public function escapeFilterPart($input) {
+		$search  = array('*', '\\', '(', ')');
+		$replace = array('\\*', '\\\\', '\\(', '\\)');
+		return str_replace($search, $replace, $input);
+	}
+
 	/**
 	 * @brief combines the input filters with AND
 	 * @param $filters array, the filters to connect
--- a/apps/user_ldap/user_ldap.php
+++ b/apps/user_ldap/user_ldap.php
@ -163,6 +163,8 @@ class USER_LDAP extends BackendUtility implements \OCP\UserInterface {
 	 * Check if the password is correct without logging in the user
 	 */
 	public function checkPassword($uid, $password) {
+		$uid = $this->access->escapeFilterPart($uid);
+
 		//find out dn of the user name
 		$filter = \OCP\Util::mb_str_replace(
 			'%uid', $uid, $this->access->connection->ldapLoginFilter, 'UTF-8');
@ -203,6 +205,7 @@ class USER_LDAP extends BackendUtility implements \OCP\UserInterface {
 	 * Get a list of all users.
 	 */
 	public function getUsers($search = '', $limit = 10, $offset = 0) {
+		$search = $this->access->escapeFilterPart($search);
 		$cachekey = 'getUsers-'.$search.'-'.$limit.'-'.$offset;

 		//check if users are cached, if so return