From d739e531973f019bfdf99e40e1465fea50dd6bcd Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sat, 11 Apr 2026 18:30:59 +0200
Subject: [PATCH] Auth/LDAP - move ldap_escape to caller for https://github.com/opnsense/core/issues/10129 Although this https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e was the correct fix for the auth sequence, other callers which search the database with a static set of expressions are influenced by this as well. To some degree it might be better to have different callers for this, but this increases the impact if the otherwise limited change.
---
 src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
index 404dfa3d7f..51bb649af6 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@@ -392,7 +392,7 @@ class LDAP extends Base implements IAuthConnector
     /**
      * search user by name or expression
-     * @param string $username username(s) to search
+     * @param string $username username(s) to search (unescaped ldap search)
      * @param string $userNameAttribute ldap attribute to use for the search
      * @param string|null $extendedQuery additional search criteria (narrow down search)
      * @return array|bool
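Review bot: The new wording `(unescaped ldap search)` on the $username line reads as if the value is expected to arrive unescaped, when the intent is that searchUsers() no longer escapes it and the caller must do so before passing untrusted input. I'd state the contract explicitly, e.g. `* @param string $username username(s) or filter expression to search; interpolated verbatim into the filter, callers must apply ldap_escape(..., LDAP_ESCAPE_FILTER) to untrusted input`. This docblock belongs to searchUsers(), whose body continues in the next hunk.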
@@ -405,12 +405,11 @@ class LDAP extends Base implements IAuthConnector
         // add $userNameAttribute to search results
         $this->addSearchAttribute($userNameAttribute);
         $result = [];
-        $username_safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
         if (empty($extendedQuery)) {
-            $searchResults = $this->search("({$userNameAttribute}={$username_safe})");
+            $searchResults = $this->search("({$userNameAttribute}={$username})");
         } else {
             // add additional search phrases
-            $searchResults = $this->search("(&({$userNameAttribute}={$username_safe})({$extendedQuery}))");
+            $searchResults = $this->search("(&({$userNameAttribute}={$username})({$extendedQuery}))");
         }
         if ($searchResults !== false) {
             for ($i = 0; $i < $searchResults["count"]; $i++) {
@@ -509,7 +508,8 @@ class LDAP extends Base implements IAuthConnector
         } else {
             // we don't know this users distinguished name, try to find it
             if ($this->connect($this->ldapBindURL, $this->ldapBindDN, $this->ldapBindPassword)) {
-                $result = $this->searchUsers($username, $this->ldapAttributeUser, $this->ldapExtendedQuery);
+                $username_safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
+                $result = $this->searchUsers($username_safe, $this->ldapAttributeUser, $this->ldapExtendedQuery);
                 if ($result !== false && count($result) > 0) {
                     $user_dn = $result[0]['dn'];
                     $ldap_is_connected = $this->connect($this->ldapBindURL, $result[0]['dn'], $password);
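Review bot: With `$username_safe` removed, searchUsers() now interpolates `$username` straight into the filter on both search() lines, so every caller carries the filter-injection burden; the third hunk escapes it only on the authentication path, and the commit message says the remaining callers pass static expressions, which holds only as long as none of them ever forwards user-controlled input. I'd add a comment at the first search() call, `// $username is used verbatim: filter escaping (ldap_escape, LDAP_ESCAPE_FILTER) is the caller's responsibility`, so a future caller does not reintroduce the issue fixed in 016f66cb. The same holds for `$extendedQuery`, which appears to be operator configuration rather than user input (`$this->ldapExtendedQuery` in the third hunk). searchUsers() starts in the previous hunk and its body continues past this one; the method containing the third hunk starts and ends outside the diff.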