lib/Auth
Jeroen van Meeuwen
vanmeeuwen at kolabsys.com
Fri Aug 10 17:40:01 CEST 2012
lib/Auth/LDAP.php | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
New commits:
commit 7f0dcaa1e430b92bab0b1f8a5e9a3369a591f0ea
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Fri Aug 10 17:36:40 2012 +0200
Escape the special characters (that seem to have an impact) in the bind password, before executing the command to obtain the user's effective rights on an object.
This resolves #963.
Neither of PHP's escapeshellcmd() nor escapeshellarg() seems to help out here. We really just need '`' and '"' to be escaped, it seems (tested with passwords containing '$', '%', '~', '(', and ')').
diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 5e4c571..644ee8a 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -408,6 +408,12 @@ class LDAP
$moz_ldapsearch = "/usr/lib/mozldap/ldapsearch";
}
+ $passwd = str_replace(
+ array('"', '`'),
+ array('\"', '\`'),
+ $_SESSION['user']->user_bind_pw
+ );
+
$command = array(
$moz_ldapsearch,
'-x',
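Review bot: the new str_replace() call escapes only '"' and '`', but $passwd is later wrapped in double quotes for the shell, where backslash and '$' are special as well. A password ending in a backslash would escape the closing quote, and a '$' followed by a name or parenthesis would still be expanded, so the bind can fail or the command line can change shape for such passwords. Either extend the replacement to cover backslash (first) and '$', or apply escapeshellarg() to the raw value and drop the manual double-quote wrapping. Note also that anything passed with '-w' is visible in the process list while the command runs.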
@@ -420,7 +426,7 @@ class LDAP
'-D',
'"' . $_SESSION['user']->user_bind_dn . '"',
'-w',
- '"' . $_SESSION['user']->user_bind_pw . '"',
+ '"' . $passwd . '"',
'-J',
'"' . implode(
':',
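Review bot: only the '-w' argument is switched to the escaped value; the '-D' argument two lines above is still built as '"' . $_SESSION['user']->user_bind_dn . '"' with no escaping, so a bind DN containing '"' or '`' hits the same problem this commit addresses for the password. The same applies to the imploded '-J' value if any part of it is user-influenced. escapeshellarg() returns an already single-quoted string, so it only works if the surrounding '"' . ... . '"' concatenation is removed; using it consistently for every element of $command would be more robust than per-argument str_replace().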
@@ -442,7 +448,8 @@ class LDAP
exec($command, $output, $return_code);
- //console("Output", $output, "Return code: " . $return_code);
+ Log::trace("LDAP: Command output:" . var_export($output, true));
+ Log::trace("Return code: " . $return_code);
$lines = array();
foreach ($output as $line_num => $line) {
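Review bot: $return_code is only written to the trace log here, and in the visible context the code goes straight on to the foreach over $output, so a failed ldapsearch (for example a bind rejected because of quoting) is parsed like a successful one. Consider returning or logging at error level when $return_code is non-zero. Minor style points: the second Log::trace() message lacks the "LDAP:" prefix used by the first, and "Command output:" has no space before the dumped value.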