Skip to content

Commit

Permalink
Merge pull request #44352 from nextcloud/backport/44350/stable28
Browse files Browse the repository at this point in the history
[stable28] fix(LDAP): escape DN on check-user
  • Loading branch information
blizzz authored Apr 11, 2024
2 parents 9051cc5 + a5acdf2 commit ae87997
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 1 deletion.
4 changes: 4 additions & 0 deletions apps/user_ldap/lib/Access.php
Original file line number Diff line number Diff line change
Expand Up @@ -279,6 +279,8 @@ public function executeRead(string $dn, string $attribute, string $filter) {
* Normalizes a result grom getAttributes(), i.e. handles DNs and binary
* data if present.
*
* DN values are escaped as per RFC 2253
*
* @param array $result from ILDAPWrapper::getAttributes()
* @param string $attribute the attribute name that was read
* @return string[]
Expand Down Expand Up @@ -1260,6 +1262,8 @@ private function countEntriesInSearchResults($sr): int {
/**
* Executes an LDAP search
*
* DN values in the result set are escaped as per RFC 2253
*
* @throws ServerNotAvailableException
*/
public function search(
Expand Down
3 changes: 2 additions & 1 deletion apps/user_ldap/lib/Command/CheckUser.php
Original file line number Diff line number Diff line change
Expand Up @@ -144,7 +144,8 @@ private function updateUser(string $uid, OutputInterface $output): void {
$attrs = $access->userManager->getAttributes();
$user = $access->userManager->get($uid);
$avatarAttributes = $access->getConnection()->resolveRule('avatar');
$result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0);
$baseDn = $this->helper->DNasBaseParameter($user->getDN());
$result = $access->search('objectclass=*', $baseDn, $attrs, 1, 0);
foreach ($result[0] as $attribute => $valueSet) {
$output->writeln(' ' . $attribute . ': ');
foreach ($valueSet as $value) {
Expand Down
15 changes: 15 additions & 0 deletions apps/user_ldap/lib/Helper.php
Original file line number Diff line number Diff line change
Expand Up @@ -206,6 +206,21 @@ public function getDomainFromURL($url) {
/**
* sanitizes a DN received from the LDAP server
*
* This is used and done to have a stable format of DNs that can be compared
* and identified again. The input DN value is modified as following:
*
* 1) whitespaces after commas are removed
* 2) the DN is turned to lower-case
* 3) the DN is escaped according to RFC 2253
*
* When a future DN is supposed to be used as a base parameter, it has to be
* run through DNasBaseParameter() first, to recode \5c into a backslash
* again, otherwise the search or read operation will fail with LDAP error
* 32, NO_SUCH_OBJECT. Regular usage in LDAP filters requires the backslash
* being escaped, however.
*
* Internally, DNs are stored in their sanitized form.
*
* @param array|string $dn the DN in question
* @return array|string the sanitized DN
*/
Expand Down

0 comments on commit ae87997

Please sign in to comment.