gunnar: server/kolab-webadmin/kolab-webadmin/php/admin/include ldap.class.php.in, 1.1.2.3, 1.1.2.4

cvs at kolab.org cvs at kolab.org
Thu Dec 3 22:08:30 CET 2009


Author: gunnar

Update of /kolabrepository/server/kolab-webadmin/kolab-webadmin/php/admin/include
In directory doto:/tmp/cvs-serv754/kolab-webadmin/php/admin/include

Modified Files:
      Tag: kolab_2_2_branch
	ldap.class.php.in 
Log Message:
 kolab/issue3499 (Kolab web admin does not use LDAP escaping)

Index: ldap.class.php.in
===================================================================
RCS file: /kolabrepository/server/kolab-webadmin/kolab-webadmin/php/admin/include/ldap.class.php.in,v
retrieving revision 1.1.2.3
retrieving revision 1.1.2.4
diff -u -d -r1.1.2.3 -r1.1.2.4
--- ldap.class.php.in	3 Dec 2009 20:34:31 -0000	1.1.2.3
+++ ldap.class.php.in	3 Dec 2009 21:08:28 -0000	1.1.2.4
@@ -96,21 +96,53 @@
     return $str;
   }
 
-  function dn_escape( $str ) {
-	/*
-	 DN component escaping as described in RFC-2253
-	 */
-	$str = str_replace( '\\', '\\\\', $str );
-	$str = str_replace( ',', '\\,', $str );
-	$str = str_replace( '+', '\\,', $str );
-	$str = str_replace( '<', '\\<', $str );
-	$str = str_replace( '>', '\\>', $str );
-	$str = str_replace( ';', '\\;', $str );
-	if( $str[0] == '#' ) $str = '\\'.$str;
-	// PENDING(steffen): Escape leading/trailing spaces
-	return $str;
+  // Taken from PEAR_Net_LDAP2
+  public function dn_escape($val)
+  {
+	  // Escaping of filter meta characters
+	  $val = str_replace('\\', '\\\\', $val);
+	  $val = str_replace(',',    '\,', $val);
+	  $val = str_replace('+',    '\+', $val);
+	  $val = str_replace('"',    '\"', $val);
+	  $val = str_replace('<',    '\<', $val);
+	  $val = str_replace('>',    '\>', $val);
+	  $val = str_replace(';',    '\;', $val);
+	  $val = str_replace('#',    '\#', $val);
+	  $val = str_replace('=',    '\=', $val);
+
+	  // ASCII < 32 escaping                                                                                                                                        
+	  $val = KolabLDAP::asc2hex32($val);
+
+	  // Convert all leading and trailing spaces to sequences of \20.
+	  if (preg_match('/^(\s*)(.+?)(\s*)$/', $val, $matches)) {
+		$val = $matches[2];
+		for ($i = 0; $i < strlen($matches[1]); $i++) {
+		  $val = '\20'.$val;
+		}
+		for ($i = 0; $i < strlen($matches[3]); $i++) {
+		  $val = $val.'\20';
+		}
+	  }
+
+	  if (null === $val) $val = '\0';  // apply escaped "null" if string is empty
+
+	  return $val;
   }
-  
+
+  // Taken from PEAR_Net_LDAP2
+  public function asc2hex32($string)
+  {
+	for ($i = 0; $i < strlen($string); $i++) {
+	  $char = substr($string, $i, 1);
+	  if (ord($char) < 32) {
+		$hex = dechex(ord($char));
+		if (strlen($hex) == 1) $hex = '0'.$hex;
+		$string = str_replace($char, '\\'.$hex, $string);
+	  }
+	}
+	return $string;
+  }
+
 
   // Taken from PEAR_Net_LDAP2
   function unescape_dn_value($val)
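Review bot: The guard `if (null === $val) $val = '\0';` at the end of dn_escape can never fire, because `$val` has already passed through str_replace and is a string by then. An empty input is therefore returned as an empty DN value, although the comment says it should be replaced; if the escaped null is really wanted, the test should be `if ($val === '') $val = '\0';`. A related edge case is that `(.+?)` must consume one character, so a value made only of spaces keeps one unescaped trailing space. `KolabLDAP::asc2hex32($val)` calls an instance method statically, which raises E_STRICT on PHP 5 and is an error on PHP 8, so use `$this->asc2hex32($val)` or declare the helper `public static function`. The comment `// Escaping of filter meta characters` should read `// Escaping of DN meta characters (RFC 2253); not suitable for search filters`, since this routine leaves `*`, `(` and `)` untouched and must not be relied on for filter values.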




