From a7fb09d6b33199ddc90fd16e5d197cb26202b7f1 Mon Sep 17 00:00:00 2001
From: nuxsmin
Date: Mon, 31 Jul 2017 08:43:42 +0200
Subject: [PATCH] * [FIX] Fixed LDAP filtering by escaping special chars. Thanks to @pirrimanson2000 for the feedback. Fixes #667

---
 inc/SP/Auth/Ldap/LdapBase.class.php  | 28 ++++++++++++++--------------
 inc/SP/Auth/Ldap/LdapMsAds.class.php | 15 +++++++++------
 inc/SP/Auth/Ldap/LdapStd.class.php   | 14 ++++++++------
 inc/SP/Util/Util.class.php           |  2 +-
 4 files changed, 32 insertions(+), 27 deletions(-)

diff --git a/inc/SP/Auth/Ldap/LdapBase.class.php b/inc/SP/Auth/Ldap/LdapBase.class.php
index fed253e4..3c8ef4f4 100644
--- a/inc/SP/Auth/Ldap/LdapBase.class.php
+++ b/inc/SP/Auth/Ldap/LdapBase.class.php
@@ -204,7 +204,7 @@ abstract class LdapBase implements LdapInterface, AuthInterface
     /**
      * Realizar la autentificación con el servidor de LDAP.
      *
-     * @param string $bindDn con el DN del usuario
+     * @param string $bindDn   con el DN del usuario
      * @param string $bindPass con la clave del usuario
      * @throws SPException
      * @return bool
@@ -257,8 +257,8 @@ abstract class LdapBase implements LdapInterface, AuthInterface
     /**
      * Devolver los resultados de una paginación
      *
-     * @param string $filter Filtro a utilizar
-     * @param array $attributes Atributos a devolver
+     * @param string $filter     Filtro a utilizar
+     * @param array  $attributes Atributos a devolver
      * @return bool|array
      */
     protected function getResults($filter, array $attributes = null)
@@ -329,6 +329,16 @@ abstract class LdapBase implements LdapInterface, AuthInterface
         $this->serverPort = $this->getServerPort();
     }
 
+    /**
+     * Devolver el puerto del servidor si está establecido
+     *
+     * @return int
+     */
+    protected function getServerPort()
+    {
+        return preg_match('/[\d\.]+:(\d+)/', $this->server, $port) ? $port[1] : 389;
+    }
+
     /**
      * @return string
      */
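Review bot: The moved `getServerPort()` only recognises a port when it follows a dotted-numeric host, so a server value such as `ldap.example.com:636` or `ldap://host:636` silently falls back to 389, and `$port[1]` is returned as a string although the docblock promises `int`. The commit only relocates the method, but since it is now the code under review consider `return preg_match('/:(\d+)$/', $this->server, $port) ? (int)$port[1] : 389;`, which accepts any host form ending in `:port` (an unbracketed IPv6 literal would still be misread, so document that limitation if such values can occur). The method sits inside LdapBase, whose definition continues outside the hunk.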
@@ -462,16 +472,6 @@ abstract class LdapBase implements LdapInterface, AuthInterface
         return true;
     }
 
-    /**
-     * Devolver el puerto del servidor si está establecido
-     *
-     * @return int
-     */
-    protected function getServerPort()
-    {
-        return preg_match('/[\d\.]+:(\d+)/', $this->server, $port) ? $port[1] : 389;
-    }
-
     /**
      * Obtener el servidor de LDAP a utilizar
      *
@@ -589,7 +589,7 @@ abstract class LdapBase implements LdapInterface, AuthInterface
     protected function searchGroupDN()
     {
         $group = $this->getGroupName() ?: $this->group;
-        $filter = '(cn=' . $group . ')';
+        $filter = '(cn=' . ldap_escape($group) . ')';
 
         $searchResults = $this->getResults($filter, ['dn', 'cn']);
 
diff --git a/inc/SP/Auth/Ldap/LdapMsAds.class.php b/inc/SP/Auth/Ldap/LdapMsAds.class.php
index 8463225f..9b2842e4 100644
--- a/inc/SP/Auth/Ldap/LdapMsAds.class.php
+++ b/inc/SP/Auth/Ldap/LdapMsAds.class.php
@@ -42,16 +42,17 @@ class LdapMsAds extends LdapBase
      * Devolver el filtro para comprobar la pertenecia al grupo
      *
      * @return mixed
+     * @throws \SP\Core\Exceptions\SPException
      */
     protected function getGroupDnFilter()
     {
         if (empty($this->group)) {
             return '(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject))';
-        } else {
-            $groupDN = $this->searchGroupDN();
-
-            return '(&(|(memberOf=' . $groupDN . ')(groupMembership=' . $groupDN . ')(memberof:1.2.840.113556.1.4.1941:=' . $groupDN . '))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))';
         }
+
+        $groupDN = ldap_escape($this->searchGroupDN());
+
+        return '(&(|(memberOf=' . $groupDN . ')(groupMembership=' . $groupDN . ')(memberof:1.2.840.113556.1.4.1941:=' . $groupDN . '))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))';
     }
 
     /**
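Review bot: `ldap_escape($group)` in searchGroupDN() is called without the `flags` argument, and the same applies to every other escape site in this commit (LdapMsAds getGroupDnFilter, getUserDnFilter and the memberof filter; LdapStd getGroupDnFilter, getUserDnFilter and the member filter). With `flags` left at 0, PHP hex-escapes every byte of the value instead of only the filter metacharacters `\ * ( )` and NUL, so the resulting filter is still valid but each value appears as an opaque `\xx\xx…` run in logs and server traces. All of these values are assertion values inside a search filter, so state the context explicitly: `$filter = '(cn=' . ldap_escape($group, '', LDAP_ESCAPE_FILTER) . ')';`. `LDAP_ESCAPE_DN` would not be the right choice even for the group DN values, since `memberOf=`/`member=` compare a filter assertion value rather than build a DN component. searchGroupDN's body continues outside the hunk.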
@@ -99,7 +100,9 @@ class LdapMsAds extends LdapBase
      */
     protected function getUserDnFilter()
     {
-        return '(&(|(samaccountname=' . $this->userLogin . ')(cn=' . $this->userLogin . ')(uid=' . $this->userLogin . '))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject))(objectCategory=person))';
+        $userLogin = ldap_escape($this->userLogin);
+
+        return '(&(|(samaccountname=' . $userLogin . ')(cn=' . $userLogin . ')(uid=' . $userLogin . '))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject))(objectCategory=person))';
     }
 
     /**
@@ -125,7 +128,7 @@ class LdapMsAds extends LdapBase
         }
 
         $groupDN = $this->LdapAuthData->getGroupDn();
-        $filter = '(memberof:1.2.840.113556.1.4.1941:=' . $groupDN . ')';
+        $filter = '(memberof:1.2.840.113556.1.4.1941:=' . ldap_escape($groupDN) . ')';
 
         $searchResults = $this->getResults($filter, ['sAMAccountName']);
 
diff --git a/inc/SP/Auth/Ldap/LdapStd.class.php b/inc/SP/Auth/Ldap/LdapStd.class.php
index fc127fc1..4e041d81 100644
--- a/inc/SP/Auth/Ldap/LdapStd.class.php
+++ b/inc/SP/Auth/Ldap/LdapStd.class.php
@@ -47,11 +47,11 @@ class LdapStd extends LdapBase
     {
         if (empty($this->group)) {
             return '(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject))';
-        } else {
-            $groupDN = $this->searchGroupDN();
-
-            return '(&(|(memberOf=' . $groupDN . ')(groupMembership=' . $groupDN . '))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))';
         }
+
+        $groupDN = ldap_escape($this->searchGroupDN());
+
+        return '(&(|(memberOf=' . $groupDN . ')(groupMembership=' . $groupDN . '))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))';
     }
 
     /**
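Review bot: LdapStd::getGroupDnFilter() takes the same `$this->searchGroupDN()` path as its LdapMsAds counterpart, yet only the LdapMsAds docblock gained `@throws \SP\Core\Exceptions\SPException` in this commit; the LdapStd docblock starts above the `{` that opens this hunk, so it is not visible here. Presumably searchGroupDN() can raise SPException, which is what motivated the LdapMsAds annotation; if so, add the same `* @throws \SP\Core\Exceptions\SPException` line to the LdapStd docblock so both subclasses document the contract consistently.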
@@ -71,7 +71,9 @@ class LdapStd extends LdapBase
      */
     protected function getUserDnFilter()
     {
-        return '(&(|(samaccountname=' . $this->userLogin . ')(cn=' . $this->userLogin . ')(uid=' . $this->userLogin . '))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))';
+        $userLogin = ldap_escape($this->userLogin);
+
+        return '(&(|(samaccountname=' . $userLogin . ')(cn=' . $userLogin . ')(uid=' . $userLogin . '))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))';
     }
 
     /**
@@ -99,7 +101,7 @@ class LdapStd extends LdapBase
         $userDN = $this->LdapAuthData->getDn();
         $groupName = $this->getGroupName() ?: $this->group;
 
-        $filter = '(&(cn=' . $groupName . ')(|(member=' . $userDN . ')(uniqueMember=' . $userDN . '))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=group)))';
+        $filter = '(&(cn=' . ldap_escape($groupName) . ')(|(member=' . ldap_escape($userDN) . ')(uniqueMember=' . ldap_escape($userDN) . '))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=group)))';
 
         $searchResults = $this->getResults($filter, ['member', 'uniqueMember']);
 
diff --git a/inc/SP/Util/Util.class.php b/inc/SP/Util/Util.class.php
index f533dc98..14278758 100644
--- a/inc/SP/Util/Util.class.php
+++ b/inc/SP/Util/Util.class.php
@@ -386,7 +386,7 @@ class Util
      */
     public static function getVersion($retBuild = false, $normalized = false)
     {
-        $build = 17072504;
+        $build = 17073101;
         $version = [2, 1, 12];
 
         if ($normalized === true) {
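Review bot: In the LdapStd member-filter hunk, `ldap_escape($userDN)` is evaluated twice inside one already long concatenation, whereas the getUserDnFilter hunks of this same commit escape once into a local before building the filter. For consistency and readability, escape at the point of assignment and keep the filter line free of calls: `$userDN = ldap_escape($this->LdapAuthData->getDn());`, `$groupName = ldap_escape($this->getGroupName() ?: $this->group);`, then `$filter = '(&(cn=' . $groupName . ')(|(member=' . $userDN . ')(uniqueMember=' . $userDN . '))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=group)))';`. The enclosing method starts and ends outside the hunk.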