Fix: Escape group names for LDAP #37201
It would make sense to escape all the other values which are concatenated into ldap filters in the function.
Yes, I fixed this now. I think these are all values that need escaping, but please let me know if I missed any. Also, if this gets merged, can this be backported to Nextcloud 26(.0.2)? From https://github.com/nextcloud/desktop/wiki/Backport-policy-stable-branches:
Because this fix is pretty simple, and it seems like there is still some time left until Nextcloud 27, it would be great to get this backported, because it affects every Nextcloud version.
I did not intend to remove the other two requests, this seems to be a bug in GitHub (I just clicked "Re-request review from @come-nc").
I’m afraid it will be for 26.0.1, we are too close to 26 release to backport in time most likely.
@@ -925,7 +925,7 @@ | |||
} | |||
$base = $this->configuration->ldapBase[0]; | |||
foreach ($cns as $cn) { | |||
$rr = $this->ldap->search($cr, $base, 'cn=' . $cn, ['dn', 'primaryGroupToken']); | |||
$rr = $this->ldap->search($cr, $base, 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER), ['dn', 'primaryGroupToken']); |
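Review bot: on the changed `search()` line, `$cn` goes straight into `ldap_escape()`, which takes a string, and nothing visible in this loop guarantees that each element of `$cns` is a non-null string. The Psalm PossiblyNullArgument notice attached to this line should be checked against `$cn` as well as the other arguments. Skipping non-string entries before building the filter, e.g. `if (!is_string($cn)) { continue; }`, would settle it. Since the Access class already has `escapeFilterPart`, calling that helper here instead of `ldap_escape()` directly would keep filter escaping in one place.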
Check notice
Code scanning / Psalm
PossiblyNullArgument Note
we also have
escapeFilterPart also has a special handling of the asterisk as first character, if allowed. diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 1cc0c62ff1d..658de8c0b83 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -1411,9 +1411,7 @@ class Access extends LDAPUtility {
$asterisk = '*';
$input = mb_substr($input, 1, null, 'UTF-8');
}
- $search = ['*', '\\', '(', ')'];
- $replace = ['\\*', '\\\\', '\\(', '\\)'];
- return $asterisk . str_replace($search, $replace, $input);
+ return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER);
}
/**
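Review bot: the new `return` line changes the escaped form, not only the set of characters covered. The removed `str_replace` emitted backslash-plus-character (`\*`, `\\`, `\(`, `\)`), while `ldap_escape(..., LDAP_ESCAPE_FILTER)` emits two-digit hex escapes (`\2a`, `\5c`, `\28`, `\29`) and also escapes NUL. Any test or caller that compares against the old literal output needs updating, and a test case with parentheses in the input is worth adding. The leading-asterisk handling above the `return` stays correct, because the asterisk is stripped before escaping and prepended afterwards.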
For this purpose,
@blizzz @ArtificialOwl is there anything I can do to help this PR get merged? I'd really like to have this in the next release to save school IT admins in Rhineland-Palatinate some work at the beginning of the next school year.
@AaronDewes from my PoV also fix the other occurrences as described in #37201 (comment) f
I did that in f1b6ddc, did I miss any?
In the Access class as pointed out.
Signed-off-by: Aaron Dewes <[email protected]>
09c2ccc to d79def5
@joshtrichards @ArtificialOwl @blizz Can someone have a look again? This bug is really annoying to me, and it would be great to have it fixed soon.
Nit: maybe add a test with parenthesis as it was the original bug
Parenthesis are correctly escaped by
Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22
/backport stable27
/backport stable26
/backport to stable27
/backport to stable26
The backport to stable27 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable27
git pull origin stable27
# Create the new backport branch
git checkout -b fix/foo-stable27
# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123
# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable27

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport
The backport to stable26 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable26
git pull origin stable26
# Create the new backport branch
git checkout -b fix/foo-stable26
# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123
# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable26

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport
…neration Fix: Escape group names for LDAP
Summary
Nextcloud's LDAP feature allows automatically generating queries so only certain groups are available in Nextcloud.
However, I noticed that groups may contain special characters (like "(" or ")") that should be escaped to ensure generated queries are correct. Currently, the generated queries will be invalid and lead to 0 groups found if any groups contain such characters.
I originally encountered this issue when trying to get Nextcloud running with an MNS+ system, a very popular school management system in Rhineland-Palatinate.
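The failure described in the summary, shown as an added example that is not part of this pull request or of Nextcloud's code: an OR filter built from group names, once by plain concatenation and once with `ldap_escape()`, each checked against the filter shape RFC 4515 allows. The helpers `buildGroupFilter` and `isWellFormedOrFilter` are hypothetical, the group names are constructed, and PHP's ldap extension is assumed to be loaded.

```php
<?php
// Added example, not Nextcloud code. Needs PHP's ldap extension for ldap_escape().

/** Build an OR filter over exact group CNs (hypothetical helper). */
function buildGroupFilter(array $cns, bool $escape): string {
    $items = '';
    foreach ($cns as $cn) {
        if (!is_string($cn) || $cn === '') {
            continue; // never concatenate null or empty values into a filter
        }
        $value = $escape ? ldap_escape($cn, '', LDAP_ESCAPE_FILTER) : $cn;
        $items .= '(cn=' . $value . ')';
    }
    return '(|' . $items . ')';
}

/**
 * Check the shape (|(attr=value)...) where a value may only contain
 * characters RFC 4515 allows unescaped, or \XX hex escapes. Wildcards are
 * rejected on purpose: these are exact-match group filters.
 */
function isWellFormedOrFilter(string $filter): bool {
    $value = '(?:[^()*\\\\\x00]|\\\\[0-9a-fA-F]{2})+';
    $item = '\([A-Za-z][A-Za-z0-9-]*=' . $value . '\)';
    return preg_match('/^\(\|(?:' . $item . ')+\)$/', $filter) === 1;
}

// Constructed sample group names; the second and third contain filter metacharacters.
$groups = ['Lehrer', 'Klasse 5a (2023)', 'AG Schach*'];

foreach ([false, true] as $escape) {
    $filter = buildGroupFilter($groups, $escape);
    printf(
        "%-9s %-5s %s\n",
        $escape ? 'escaped' : 'raw',
        isWellFormedOrFilter($filter) ? 'ok' : 'BAD',
        $filter
    );
}
```

The raw filter fails the shape check because the parentheses inside the group name close the `cn=` item early, which is the condition the summary reports as producing 0 groups.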