From 327e2d96cfd955808879b8680508f47f1bd98469 Mon Sep 17 00:00:00 2001 From: tokul Date: Tue, 21 Jun 2005 09:06:04 +0000 Subject: [PATCH] adding ldap listing controls to conf.pl moving some ldap configuration options to advanced section in order to reduce number of questions in ldap configuration. blocking use of wildcard in file and db backends when listing is disabled. This should close #529563 in devel. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@9641 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- ChangeLog | 6 +++ config/conf.pl | 93 +++++++++++++++++++++++++-------- functions/abook_database.php | 4 ++ functions/abook_ldap_server.php | 20 ++++--- functions/abook_local_file.php | 4 ++ functions/addressbook.php | 9 +++- 6 files changed, 108 insertions(+), 28 deletions(-) diff --git a/ChangeLog b/ChangeLog index 338e40d4..84c110b1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -370,6 +370,12 @@ Version 1.5.1 -- CVS Martijn Brinkers for finding a lot of these. [CAN-2005-1769] - Update COPYING with new address of the FSF. - Fixed missing quote character when trying to build cid: urls. + - Added address listing functions and listing controls to address + book LDAP backend. Blocked wildcard searches in file and database + backends when listing is disabled (#529563). + - Some LDAP address book backend configuration options (listing + controls, filtering, scope limit) are moved to 'advanced + configuration' subsection. Version 1.5.0 - 2 February 2004 ------------------------------- diff --git a/config/conf.pl b/config/conf.pl index 74d8aaf0..f5d7542c 100755 --- a/config/conf.pl +++ b/config/conf.pl @@ -262,6 +262,11 @@ while ( $line = ) { $tmp =~ s/[\'\"]?,?\s*$//; $tmp =~ s/[\'\"]?\);\s*$//; $limit_scope = $tmp; + } elsif ( $tmp =~ /^\s*[\'\"]listing[\'\"]/i ) { + $tmp =~ s/^\s*[\'\"]listing[\'\"]\s*=>\s*[\'\"]?//i; + $tmp =~ s/[\'\"]?,?\s*$//; + $tmp =~ s/[\'\"]?\);\s*$//; + $listing = $tmp; } } $ldap_host[$sub] = $host; 
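Review bot: `$listing` is only ever assigned when a `'listing'` key is encountered, so unless it is reset where `$limit_scope` and the other per-server scalars are initialised (that code is outside this hunk), an LDAP block without a `listing` key inherits the previous block's value when the -275 hunk copies it with `$ldap_listing[$sub] = $listing;`. Please confirm the reset site and add `$listing = '';` next to the others, and note that the parsed text is later written back unquoted by save_data (the -3448 hunk), so anything other than `true`/`false` round-trips into config.php as a bare PHP word. The enclosing `while` loop starts and ends outside the hunk.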
@@ -275,6 +280,7 @@ while ( $line = ) { $ldap_bindpw[$sub] = $bindpw; $ldap_protocol[$sub] = $protocol; $ldap_limit_scope[$sub] = $limit_scope; + $ldap_listing[$sub] = $listing; } elsif ( $options[0] =~ /^(data_dir|attachment_dir|theme_css|org_logo|signout_page)$/ ) { ${ $options[0] } = &change_to_rel_path($options[1]); } else { @@ -2472,6 +2478,9 @@ sub command61 { if ( $ldap_limit_scope[$count] ) { print " limit_scope: $ldap_limit_scope[$count]\n"; } + if ( $ldap_listing[$count] ) { + print " listing: $ldap_listing[$count]\n"; + } print "\n"; $count++; @@ -2526,21 +2535,12 @@ sub command61 { print "\n"; print "You can specify the maximum number of rows in the search result.\n"; - print "Default is unlimited. Press ENTER for default.\n"; + print "Default value is equal to 250 rows. Press ENTER for default.\n"; print "maxrows: "; $name = ; $name =~ s/[\r\n]//g; $ldap_maxrows[$sub] = $name; - print "\n"; - - print "You can specify an additional search filter.\n"; - print "This could be something like \"(objectclass=posixAccount)\".\n"; - print "Default is no extra filter. Press ENTER for default.\n"; - print "filter: "; - $name = ; - $name =~ s/[\r|\n]//g; - $ldap_filter[$sub] = $name; print "\n"; 
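Review bot: The maxrows prompt now promises a default of 250 rows, but pressing ENTER still stores the empty answer unchanged (`$ldap_maxrows[$sub] = $name;`), so the effective default is whatever the PHP LDAP backend substitutes and this text can drift from it silently. Either apply the default here, `$ldap_maxrows[$sub] = ($name eq '') ? 250 : $name;`, or phrase the prompt as "the backend default (currently 250)". This matters more than before because the new listing option relies on maxrows to bound `(cn=*)` results; I cannot verify the backend's value from this diff. command61 continues outside the hunk.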
@@ -2574,20 +2574,63 @@ sub command61 { print "\n"; - print "You can control search scope here.\n"; - print "This option is specific to Microsoft ADS implementation.\n"; - print "It requires use of v3 or newer LDAP protocol.\n"; - print "Don't enable it, if you use other LDAP server.\n"; + print "This configuration section allows to set some rarely used\n"; + print "options and options specific to some LDAP implementations.\n"; print "\n"; - print "Limit ldap scope? (y/N):"; - $name = ; - if ( $name =~ /^y\n/i ) { - $name = 'true'; + print "Do you want to set advanced LDAP directory settings? (y/N):"; + $ldap_advanced_settings = ; + if ( $ldap_advanced_settings =~ /^y\n/i ) { + $ldap_advanced_settings = 'true'; } else { - $name = 'false'; + $ldap_advanced_settings = 'false'; } - $ldap_limit_scope[$sub] = $name; + if ($ldap_advanced_settings eq 'true') { + print "\n"; + + print "You can control LDAP directory listing here. This option can\n"; + print "be useful if you run small LDAP server and want to provide listing\n"; + print "of all addresses stored in LDAP to users of webmail interface.\n"; + print "Number of displayed entries is limited by maxrows setting.\n"; + print "\n"; + print "Don't enable this option for public LDAP directories.\n"; + print "This feature is experimental.\n"; + print "\n"; + print "Allow listing of LDAP directory? (y/N):"; + $name = ; + if ( $name =~ /^y\n/i ) { + $name = 'true'; + } else { + $name = 'false'; + } + $ldap_listing[$sub] = $name; + + print "\n"; + + print "You can specify an additional search filter.\n"; + print "This could be something like \"(objectclass=posixAccount)\".\n"; + print "No filtering is performed by default. 
Press ENTER for default.\n"; + print "filter: "; + $name = ; + $name =~ s/[\r|\n]//g; + $ldap_filter[$sub] = $name; + + print "\n"; + + print "You can control search scope here.\n"; + print "This option is specific to Microsoft ADS implementation.\n"; + print "It requires use of v3 or newer LDAP protocol.\n"; + print "Don't enable it, if you use other LDAP server.\n"; + print "\n"; + print "Limit ldap scope? (y/N):"; + $name = ; + if ( $name =~ /^y\n/i ) { + $name = 'true'; + } else { + $name = 'false'; + } + $ldap_limit_scope[$sub] = $name; + } print "\n"; } elsif ( $input =~ /^\s*-\s*[0-9]?/ ) { @@ -2610,6 +2653,7 @@ sub command61 { @new_ldap_binddn = (); @new_ldap_protocol = (); @new_ldap_limit_scope = (); + @new_ldap_listing = (); while ( $count <= $#ldap_host ) { if ( $count != $rem_num ) { @@ -2624,6 +2668,7 @@ sub command61 { @new_ldap_bindpw = ( @new_ldap_bindpw, $ldap_bindpw[$count] ); @new_ldap_protocol = ( @new_ldap_protocol, $ldap_protocol[$count] ); @new_ldap_limit_scope = ( @new_ldap_limit_scope, $ldap_limit_scope[$count] ); + @new_ldap_listing = ( @new_ldap_listing, $ldap_listing[$count] ); } $count++; } @@ -2638,6 +2683,7 @@ sub command61 { @ldap_bindpw = @new_ldap_bindpw; @ldap_protocol = @new_ldap_protocol; @ldap_limit_scope = @new_ldap_limit_scope; + @ldap_listing = @new_ldap_listing; } elsif ( $input =~ /^\s*\?\s*/ ) { print ".-------------------------.\n"; @@ -3440,7 +3486,7 @@ sub save_data { } if ( $ldap_protocol[$count] ) { print CF ",\n"; - # integer + # integer print CF " 'protocol' => $ldap_protocol[$count]"; } if ( $ldap_limit_scope[$count] ) { @@ -3448,6 +3494,11 @@ sub save_data { # boolean print CF " 'limit_scope' => $ldap_limit_scope[$count]"; } + if ( $ldap_listing[$count] ) { + print CF ",\n"; + # boolean + print CF " 'listing' => $ldap_listing[$count]"; + } print CF "\n"; print CF ");\n"; print CF "\n"; diff --git a/functions/abook_database.php b/functions/abook_database.php index 2a491577..7a386e7c 100644 
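Review bot: In the relocated filter prompt, `$name =~ s/[\r|\n]//g;` strips literal `|` characters as well as line endings, because `|` inside a character class is an ordinary character, not alternation; an LDAP OR filter such as `(|(objectclass=posixAccount)(objectclass=inetOrgPerson))` entered here is saved without its `|` and is rejected by the server. The maxrows prompt in the same sub already uses the correct form, so change the line to `$name =~ s/[\r\n]//g;`. The listing prompt's statement that displayed entries are limited by maxrows is only true if maxrows has a non-empty value or the backend applies a cap; worth stating that cap explicitly in the prompt. command61 begins before and continues after this hunk.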
--- a/functions/abook_database.php +++ b/functions/abook_database.php @@ -190,6 +190,10 @@ class abook_database extends addressbook_backend { return; } + // don't allow wide search when listing is disabled. + if ($expr=='*' && ! $this->listing) + return array(); + /* Make regexp from glob'ed expression */ $expr = str_replace('?', '_', $expr); $expr = str_replace('*', '%', $expr); diff --git a/functions/abook_ldap_server.php b/functions/abook_ldap_server.php index 935c15c4..df618b8b 100644 --- a/functions/abook_ldap_server.php +++ b/functions/abook_ldap_server.php @@ -417,14 +417,22 @@ class abook_ldap_server extends addressbook_backend { if(is_array($expr)) return false; // don't allow wide search when listing is disabled. - if ($expr=='*' && ! $this->listing) - return array(); + if ($expr=='*' && ! $this->listing) { + return array(); + } elseif ($expr=='*') { + // allow use of wildcard when listing is enabled. + $expression = '(cn=*)'; + } else { + /* Convert search from user's charset to the one used in ldap */ + $expr = $this->charset_encode($expr); - /* Convert search from user's charset to the one used in ldap */ - $expr = $this->charset_encode($expr); + /* Make sure that search does not contain ldap special chars */ + $expression = '(cn=*' . $this->ldapspecialchars($expr) . '*)'; - /* Make sure that search does not contain ldap special chars */ - $expression = '(cn=*' . $this->ldapspecialchars($expr) . '*)'; + /* Undo sanitizing of * symbol */ + $expression = str_replace('\2a','*',$expression); + /* TODO: implement any single character (?) matching */ + } /* Add search filtering */ if ($this->filter!='') diff --git a/functions/abook_local_file.php b/functions/abook_local_file.php index 6dca53eb..202d641d 100644 --- a/functions/abook_local_file.php +++ b/functions/abook_local_file.php 
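Review bot: The new guard in search() rejects only the literal string `*`, but the glob-to-LIKE conversion three lines later turns `**`, `*?` or a bare `%` into `%%`, `%_` or `%`, each of which still returns the whole table, so a listing-disabled database backend is still enumerable with a two-character expression. The same gap exists in the abook_local_file.php hunk, where the glob becomes a regex. Test the expression after removing wildcard characters rather than comparing the literal, e.g. `if (! $this->listing && preg_replace('/[*?%_]/', '', $expr) === '') return array();` (without `%_` for the file backend). I cannot see where `$this->listing` is initialised for this class; if only the LDAP backend sets it, `! $this->listing` is always true here and every wildcard search on database address books is silently disabled, which should at least be documented on the property. search() begins before this hunk.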
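Review bot: The `str_replace('\2a','*',$expression)` line re-enables wildcards after ldapspecialchars() escaped them, which makes the `$expr=='*'` guard at the top of the hunk trivially bypassable: `**` is escaped to `\2a\2a`, restored to `(cn=****)`, and lists the directory (up to whatever size limit the search applies) exactly as `*` would, even with listing disabled. Test the normalised expression instead, e.g. `if (! $this->listing && trim($expr, '*') == '') { return array(); }`, which also covers an empty expression that would otherwise yield `(cn=**)`, unless search() already rejects empty input before this hunk. Restoring only `\2a` leaves `(`, `)` and `\` escaped, so the filter structure itself is not injectable; I would say so in the `/* Undo sanitizing of * symbol */` comment so a later edit does not widen the undo to other escapes. search() continues after the hunk with the `$this->filter` concatenation.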
@@ -259,6 +259,10 @@ class abook_local_file extends addressbook_backend { /* To be replaced by advanded search expression parsing */ if(is_array($expr)) { return; } + // don't allow wide search when listing is disabled. + if ($expr=='*' && ! $this->listing) + return array(); + /* Make regexp from glob'ed expression * May want to quote other special characters like (, ), -, [, ], etc. */ $expr = str_replace('?', '.', $expr); diff --git a/functions/addressbook.php b/functions/addressbook.php index f1dcf122..9642b08d 100644 --- a/functions/addressbook.php +++ b/functions/addressbook.php @@ -191,7 +191,7 @@ function abook_create_form($form_url,$name,$title,$button,$defdata=array()) { } -/* +/** * Had to move this function outside of the Addressbook Class * PHP 4.0.4 Seemed to be having problems with inline functions. * Note: this can return now since we don't support 4.0.4 anymore. @@ -865,6 +865,10 @@ class addressbook_backend { /** * Search for entries in backend + * + * Working backend should support use of wildcards. * symbol + * should match one or more symbols. ? symbol should match any + * single symbol. * @param string $expression * @return bool */ @@ -885,6 +889,9 @@ class addressbook_backend { /** * List all entries in backend + * + * Working backend should provide this function or at least + * dummy function that returns empty array. * @return bool */ function list_addr() { -- 2.25.1
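Review bot: The search() docblock keeps `@return bool` while every backend touched by this commit returns `array()` from the new guard, and the list_addr() docblock two hunks below says a dummy implementation "returns empty array" next to the same `@return bool`; change both to `@return array|bool` (array of entries, false on error). The new sentence that `*` "should match one or more symbols" also disagrees with the implementations, where LIKE `%`, regex `.*` and LDAP `*` all match zero or more characters, so "zero or more" is the accurate wording. Since this hunk is where the backend contract is stated, add one line that a bare `*` expression must return an empty array when the backend's listing flag is off, which is what the three backend hunks now do. The base-class method bodies lie outside the hunk.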