- Fixed bug #801060. Removed option for INBOX in filters plugin as source
is always INBOX.
- Always show Purge link next to Trash, even when empty.
+ - errors in addressbook_init() function are no longer fatal. If function
+ fails to activate address book backend, it displays error box (with
+ error_box() function). error box can be hidden by setting first
+ function argument to false.
+ - Sanitized search in ldap address book backend. Use of asterisk
+ together with other symbols is not supported.
Version 1.5.0
--------------------
}
}
+ /**
+ * Sanitizes ldap search strings.
+ * See rfc2254
+ * @link http://www.faqs.org/rfcs/rfc2254.html
+ * @since 1.5.1
+ * @param string $string
+ * @return string sanitized string
+ */
+ function ldapspecialchars($string) {
+ $sanitized=array('\\' => '\5c',
+ '*' => '\2a',
+ '(' => '\28',
+ ')' => '\29',
+ "\x00" => '\00');
+
+ return str_replace(array_keys($sanitized),array_values($sanitized),$string);
+ }
/* ========================== Public ======================== */
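Review bot: The escaping in `ldapspecialchars()` is correct only because `'\\'` is the first key of `$sanitized`: `str_replace()` with array arguments applies the pairs one after another, so if the map is ever reordered, the backslashes inserted for `*`, `(`, `)` or NUL would be escaped a second time and the search would silently stop matching. Either record that above the array with `/* backslash must stay first; str_replace() applies the pairs in order */`, or remove the ordering dependency with `return strtr($string, $sanitized);`, which replaces in a single pass. The docblock should also say that the function is meant for a filter assertion value only (not a DN or a whole filter) and must be applied exactly once to unescaped input; RFC 2254 has since been superseded by RFC 4515, which is worth linking as well. The function itself is complete in this hunk, but the enclosing class starts outside it.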
* @return array search results
*/
function search($expr) {
-
/* To be replaced by advanded search expression parsing */
if(is_array($expr)) return false;
/* Encode the expression */
$expr = $this->charset_encode($expr);
- if(strstr($expr, '*') === false) {
- $expr = "*$expr*";
+
+ /*
+ * allow use of one asterisk in search.
+ * Don't allow any ldap special chars if search is different
+ */
+ if($expr!='*') {
+ $expr = '*' . $this->ldapspecialchars($expr) . '*';
}
$expression = "cn=$expr";