upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-28 04:32:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 54

Merge pull request #44350 from nextcloud/fix/noid/ldap-check-user-escape

Browse source 
fix(LDAP): escape DN on check-user
This commit is contained in:
Arthur Schiwon 2024-04-10 12:02:13 +02:00 committed by GitHub
commit e70cf9c14b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 21 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
apps/user_ldap/lib/Access.php
View file

@ -279,6 +279,8 @@ class Access extends LDAPUtility {
* Normalizes a result grom getAttributes(), i.e. handles DNs and binary
* data if present.
*
* DN values are escaped as per RFC 2253
*
* @param array $result from ILDAPWrapper::getAttributes()
* @param string $attribute the attribute name that was read
* @return string[]
@ -1260,6 +1262,8 @@ class Access extends LDAPUtility {
/**
* Executes an LDAP search
*
* DN values in the result set are escaped as per RFC 2253
*
* @throws ServerNotAvailableException
*/
public function search(

3
apps/user_ldap/lib/Command/CheckUser.php
View file

@ -138,7 +138,8 @@ class CheckUser extends Command {
$attrs = $access->userManager->getAttributes();
$user = $access->userManager->get($uid);
$avatarAttributes = $access->getConnection()->resolveRule('avatar');
$result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0);
$baseDn = $this->helper->DNasBaseParameter($user->getDN());
$result = $access->search('objectclass=*', $baseDn, $attrs, 1, 0);
foreach ($result[0] as $attribute => $valueSet) {
$output->writeln(' ' . $attribute . ': ');
foreach ($valueSet as $value) {

15
apps/user_ldap/lib/Helper.php
View file

@ -206,6 +206,21 @@ class Helper {
/**
* sanitizes a DN received from the LDAP server
*
* This is used and done to have a stable format of DNs that can be compared
* and identified again. The input DN value is modified as following:
*
* 1) whitespaces after commas are removed
* 2) the DN is turned to lower-case
* 3) the DN is escaped according to RFC 2253
*
* When a future DN is supposed to be used as a base parameter, it has to be
* run through DNasBaseParameter() first, to recode \5c into a backslash
* again, otherwise the search or read operation will fail with LDAP error
* 32, NO_SUCH_OBJECT. Regular usage in LDAP filters requires the backslash
* being escaped, however.
*
* Internally, DNs are stored in their sanitized form.
*
* @param array|string $dn the DN in question
* @return array|string the sanitized DN
*/