Skip to content

add ldap escaping for RFC 2253 #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

add ldap escaping for RFC 2253 #19

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 29 additions & 1 deletion src/auth/db-ldap.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -304,7 +304,6 @@ static int db_ldap_request_bind(struct ldap_connection *conn,
i_assert(conn->conn_state == LDAP_CONN_STATE_BOUND_AUTH ||
conn->conn_state == LDAP_CONN_STATE_BOUND_DEFAULT);
i_assert(conn->pending_count == 0);

request->msgid = ldap_bind(conn->ld, brequest->dn,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unrelated whitespace change

request->auth_request->mech_password,
LDAP_AUTH_SIMPLE);
Expand Down Expand Up @@ -1435,6 +1434,35 @@ db_ldap_value_get_var_expand_table(struct auth_request *auth_request,
return table;
}

/* rfc2253 escaping */
#define IS_LDAPDN_ESCAPED_CHAR(c) \
((c) == '"' || (c) == '+' || (c) == ',' || (c) == '\\' || (c) == '<' || (c) == '>' || (c) == ';')
Copy link

@nicolas-grekas nicolas-grekas Aug 24, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about =, #, \r, and leading/trailing white spaces?


const char *ldapdn_escape(const char *str,
const struct auth_request *auth_request ATTR_UNUSED)
{
const char *p;
string_t *ret;

for (p = str; *p != '\0'; p++) {
if (IS_LDAPDN_ESCAPED_CHAR(*p))
break;
}

if (*p == '\0')
return str;

ret = t_str_new((size_t) (p - str) + 64);
str_append_n(ret, str, (size_t) (p - str));

for (; *p != '\0'; p++) {
if (IS_LDAPDN_ESCAPED_CHAR(*p))
str_append_c(ret, '\\');
str_append_c(ret, *p);
}
return str_c(ret);
}

#define IS_LDAP_ESCAPED_CHAR(c) \
((c) == '*' || (c) == '(' || (c) == ')' || (c) == '\\')

Expand Down
2 changes: 2 additions & 0 deletions src/auth/db-ldap.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,8 @@ void db_ldap_enable_input(struct ldap_connection *conn, bool enable);

const char *ldap_escape(const char *str,
const struct auth_request *auth_request);
const char *ldapdn_escape(const char *str,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not just extend ldap_escape?

const struct auth_request *auth_request);
const char *ldap_get_error(struct ldap_connection *conn);

struct db_ldap_result_iterate_context *
Expand Down
7 changes: 3 additions & 4 deletions src/auth/passdb-ldap.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -198,9 +198,8 @@ static void ldap_auth_bind(struct ldap_connection *conn,
auth_request);
return;
}

brequest->request.callback = ldap_auth_bind_callback;
db_ldap_request(conn, &brequest->request);
brequest->request.callback = ldap_auth_bind_callback;
db_ldap_request(conn, &brequest->request);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

spaces vs tabs here

}

static void
Expand Down Expand Up @@ -363,7 +362,7 @@ ldap_verify_plain_auth_bind_userdn(struct auth_request *auth_request,
brequest->request.type = LDAP_REQUEST_TYPE_BIND;

dn = t_str_new(512);
auth_request_var_expand(dn, conn->set.auth_bind_userdn, auth_request, ldap_escape);
auth_request_var_expand(dn, conn->set.auth_bind_userdn, auth_request, ldapdn_escape);

brequest->dn = p_strdup(auth_request->pool, str_c(dn));
ldap_auth_bind(conn, brequest);
Expand Down