sanitizing ldap search. I think, in this case it only prevents ldap search

[squirrelmail.git] / functions / abook_ldap_server.php

diff --git a/functions/abook_ldap_server.php b/functions/abook_ldap_server.php
index bd6a5bbec19669fed0452d65666060d31d6acb8b..3e1151775192312bf09e44c801faec2436c5d9b3 100644 (file)
--- a/functions/abook_ldap_server.php
+++ b/functions/abook_ldap_server.php
@@ -231,6 +231,23 @@ class abook_ldap_server extends addressbook_backend {
         }
     }
 
+    /**
+     * Sanitizes ldap search strings.
+     * See rfc2254
+     * @link http://www.faqs.org/rfcs/rfc2254.html
+     * @since 1.5.1
+     * @param string $string
+     * @return string sanitized string
+     */
+    function ldapspecialchars($string) {
+        $sanitized=array('\\' => '\5c',
+                         '*' => '\2a',
+                         '(' => '\28',
+                         ')' => '\29',
+                         "\x00" => '\00');
+
+        return str_replace(array_keys($sanitized),array_values($sanitized),$string);
+    }
 
     /* ========================== Public ======================== */
 
@@ -240,14 +257,18 @@ class abook_ldap_server extends addressbook_backend {
      * @return array search results
      */
     function search($expr) {
-
         /* To be replaced by advanded search expression parsing */
         if(is_array($expr)) return false;
 
         /* Encode the expression */
         $expr = $this->charset_encode($expr);
-        if(strstr($expr, '*') === false) {
-            $expr = "*$expr*";
+
+        /*
+         * allow use of one asterisk in search. 
+         * Don't allow any ldap special chars if search is different
+         */
+        if($expr!='*') {
+            $expr = '*' . $this->ldapspecialchars($expr) . '*';
         }
         $expression = "cn=$expr";