From: tokul Date: Sun, 27 Feb 2005 09:45:53 +0000 (+0000) Subject: sanitizing ldap search. I think, in this case it only prevents ldap search X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=d58ed98fa224002865312f5ad9462e6ab4603d03;p=squirrelmail.git sanitizing ldap search. I think, in this case it only prevents ldap search errors. Backend does not enclose search in () and custom search options can't be inserted. If I am wrong, attacker was able to scrap some complex cn=*something* search expression, that could abuse ldap backend or ldap server. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@8894 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
diff --git a/ChangeLog b/ChangeLog
index dddc1960..c96ad4f7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -236,6 +236,12 @@ Version 1.5.1 -- CVS
 - Fixed bug #801060. Removed option for INBOX in filters plugin as source is always INBOX.
 - Always show Purge link next to Trash, even when empty.
+ - errors in addressbook_init() function are no longer fatal. If function fails to activate address book backend, it displays error box (with error_box() function). error box can be hidden by setting first function argument to false.
+ - Sanitized search in ldap address book backend. Use of asterisk together with other symbols is not supported.
 Version 1.5.0
 --------------------
diff --git a/functions/abook_ldap_server.php b/functions/abook_ldap_server.php
index bd6a5bbe..3e115177 100644
--- a/functions/abook_ldap_server.php
+++ b/functions/abook_ldap_server.php
@@ -231,6 +231,23 @@ class abook_ldap_server extends addressbook_backend {
 }
 }
+ /**
+ * Sanitizes ldap search strings.
+ * See rfc2254
+ * @link http://www.faqs.org/rfcs/rfc2254.html
+ * @since 1.5.1
+ * @param string $string
+ * @return string sanitized string
+ */
+ function ldapspecialchars($string) {
+ $sanitized=array('\\' => '\5c',
+ '*' => '\2a',
+ '(' => '\28',
+ ')' => '\29',
+ "\x00" => '\00');
+
+ return str_replace(array_keys($sanitized),array_values($sanitized),$string);
+ }
 /* ========================== Public ======================== */
@@ -240,14 +257,18 @@ class abook_ldap_server extends addressbook_backend {
 * @return array search results
 */
 function search($expr) {
- /* To be replaced by advanded search expression parsing */
 if(is_array($expr)) return false;
 /* Encode the expression */
 $expr = $this->charset_encode($expr);
+
+ /*
+ * allow use of one asterisk in search.
+ * Don't allow any ldap special chars if search is different
+ */
+ if($expr!='*') {
+ $expr = '*' . $this->ldapspecialchars($expr) . '*';
 }
 $expression = "cn=$expr";
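Review bot: `ldapspecialchars()` is correct only because `'\\'` is the first key of `$sanitized` — `str_replace()` with array arguments applies the pairs one after another, so any later entry that produced or matched a backslash would re-escape the `\5c` output; `strtr($string, $sanitized)` performs all substitutions in a single pass and removes that ordering dependency, e.g. `return strtr($string, $sanitized);`. The docblock should also state the contract the name leaves implicit: the result is safe only as an assertion value inside a search filter (RFC 2254), not as a DN component, which uses a different escape set, and callers must apply it after any charset conversion as `search()` does. The function is complete within the hunk; the enclosing class extends beyond it.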
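Review bot: After the new guard an empty `$expr` still becomes the filter `cn=**`: `'' != '*'` is true, `ldapspecialchars('')` returns `''`, and an asterisk is added on each side — the same result the removed `strstr()` branch produced, so the commit does not change it. Unless an empty search is intended to list the whole directory, reject it next to the existing `is_array` check, `if($expr === '') return false;`, and make the guard itself strict, `if($expr !== '*') {`, since `$expr` is a string at that point. The sanitizer is applied in `search()` only; if other methods of this class build a filter from caller-supplied text (a lookup by address, for instance), they need the same treatment — they are outside this hunk. `search()` continues past the last context line `$expression = "cn=$expr";`.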