Auth/LDAP - move ldap_escape to caller for https://github.com/opnsense/core/issues/10129

Although this 016f66cb46 was the correct fix for the auth sequence, other callers which search the database
with a static set of expressions are influenced by this as well.

To some degree it might be better to have different callers for this, but that would increase the impact of the otherwise limited change.
Ad Schellevis 2026-04-11 18:30:59 +02:00
parent 95483e5048
commit d739e53197


@ -392,7 +392,7 @@ class LDAP extends Base implements IAuthConnector
/**
* search user by name or expression
* @param string $username username(s) to search
* @param string $username username(s) to search (unescaped ldap search)
* @param string $userNameAttribute ldap attribute to use for the search
* @param string|null $extendedQuery additional search criteria (narrow down search)
* @return array|bool
@ -405,12 +405,11 @@ class LDAP extends Base implements IAuthConnector
// add $userNameAttribute to search results
$this->addSearchAttribute($userNameAttribute);
$result = [];
$username_safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
if (empty($extendedQuery)) {
$searchResults = $this->search("({$userNameAttribute}={$username_safe})");
$searchResults = $this->search("({$userNameAttribute}={$username})");
} else {
// add additional search phrases
$searchResults = $this->search("(&({$userNameAttribute}={$username_safe})({$extendedQuery}))");
$searchResults = $this->search("(&({$userNameAttribute}={$username})({$extendedQuery}))");
}
if ($searchResults !== false) {
for ($i = 0; $i < $searchResults["count"]; $i++) {
@ -509,7 +508,8 @@ class LDAP extends Base implements IAuthConnector
} else {
// we don't know this users distinguished name, try to find it
if ($this->connect($this->ldapBindURL, $this->ldapBindDN, $this->ldapBindPassword)) {
$result = $this->searchUsers($username, $this->ldapAttributeUser, $this->ldapExtendedQuery);
$username_safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
$result = $this->searchUsers($username_safe, $this->ldapAttributeUser, $this->ldapExtendedQuery);
if ($result !== false && count($result) > 0) {
$user_dn = $result[0]['dn'];
$ldap_is_connected = $this->connect($this->ldapBindURL, $result[0]['dn'], $password);
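Review bot: The new docblock in the first hunk marks `$username` only as "(unescaped ldap search)", which does not tell callers that the value is now spliced verbatim into the filter on the two `$this->search(...)` lines, so any other caller that passes user-controlled input without `ldap_escape(..., '', LDAP_ESCAPE_FILTER)` gets LDAP filter injection — the very bug 016f66cb46 fixed, now relocated to the call sites. I would make the contract explicit: `@param string $username username(s) or filter expression, inserted verbatim into the LDAP filter; callers MUST ldap_escape(..., '', LDAP_ESCAPE_FILTER) any user-supplied value (see the authenticate path)`. The caller in the last hunk does this correctly; I cannot see whether the other callers the commit description mentions pass anything user-derived, so that is worth confirming before merge. Both searchUsers() and the enclosing authenticating method start and end outside these hunks.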