We use cookies to ensure you get the best experience on our website
Página Principal Explorar Ajuda
Registe-se Iniciar Sessão
0ct0pu5
/
squirrelmail
1
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Ver Fonte

sanitizing ldap search. I think, in this case it only prevents ldap search
errors. Backend does not enclose search in () and custom search options
can't be inserted. If I am wrong, attacker was able to scrap some complex
cn=*something* search expression, that could abuse ldap backend or ldap
server.

tokul há 20 anos atrás
pai
962df20899
commit
65ff8ccf8d
2 ficheiros alterados com 30 adições e 3 exclusões
Visão Dividida Mostrar Estatísticas Diff
  1. 6 0
      ChangeLog
  2. 24 3
      functions/abook_ldap_server.php

+ 6 - 0
ChangeLog
Ver Ficheiro 

@@ -236,6 +236,12 @@ Version 1.5.1 -- CVS
 
   - Fixed bug #801060.  Removed option for INBOX in filters plugin as source
 
     is always INBOX.
 
   - Always show Purge link next to Trash, even when empty.
 
+  - errors in addressbook_init() function are no longer fatal. If function
 
+    fails to activate address book backend, it displays error box (with 
+    error_box() function). error box can be hidden by setting first
 
+    function argument to false.
 
+  - Sanitized search in ldap address book backend. Use of asterisk 
+    together with other symbols is not supported.
 
 
 Version 1.5.0
 
 --------------------

+ 24 - 3
functions/abook_ldap_server.php
Ver Ficheiro 

@@ -231,6 +231,23 @@ class abook_ldap_server extends addressbook_backend {
 
         }
 
     }
 
 
+    /**
 
+     * Sanitizes ldap search strings.
 
+     * See rfc2254
 
+     * @link http://www.faqs.org/rfcs/rfc2254.html
 
+     * @since 1.5.1
 
+     * @param string $string
 
+     * @return string sanitized string
 
+     */
 
+    function ldapspecialchars($string) {
 
+        $sanitized=array('\\' => '\5c',
 
+                         '*' => '\2a',
 
+                         '(' => '\28',
 
+                         ')' => '\29',
 
+                         "\x00" => '\00');
 
+
 
+        return str_replace(array_keys($sanitized),array_values($sanitized),$string);
 
+    }
 
 
     /* ========================== Public ======================== */
 
 
@@ -240,14 +257,18 @@ class abook_ldap_server extends addressbook_backend {
 
      * @return array search results
 
      */
 
     function search($expr) {
 
-
 
         /* To be replaced by advanded search expression parsing */
 
         if(is_array($expr)) return false;
 
 
         /* Encode the expression */
 
         $expr = $this->charset_encode($expr);
 
-        if(strstr($expr, '*') === false) {
 
-            $expr = "*$expr*";
 
+
 
+        /*
 
+         * allow use of one asterisk in search. 
+         * Don't allow any ldap special chars if search is different
 
+         */
 
+        if($expr!='*') {
 
+            $expr = '*' . $this->ldapspecialchars($expr) . '*';
 
         }
 
         $expression = "cn=$expr";

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5