-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(LDAP): escape DN on check-user #44350
Conversation
/backport to stable28 |
/backport to stable27 |
/backport! to stable28 |
backporting right away to have a patch the customer can test. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So getDN does not return the raw dn but an escaped version?
Where is it escaped and how?
It is stored in an escaped way in the database. But when you use a DN as base parameter, it has to be differently encoded. It's all about the backslash. |
cf. https://github.com/nextcloud/server/blob/master/apps/user_ldap/lib/Access.php#L252 and https://github.com/nextcloud/server/blob/master/apps/user_ldap/lib/Access.php#L1600 P.S.: putting it differently, when using it in the search filter, the backslash has to be escaped, what we default to, cf. https://www.rfc-editor.org/rfc/rfc2254#page-5 |
@blizzz But I was sure we were using |
The DN is escaped in When the DN is used as base DN for operations though, the backlash must not be escaped as That is the difference. P.S.: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still think this should be better documented.
the DN has to be escaped differently when used as a base and we were missing it here in the search method call in the check-user command. Signed-off-by: Arthur Schiwon <[email protected]>
c2c27e1
to
55d3a2a
Compare
Signed-off-by: Arthur Schiwon <[email protected]>
@come-nc I added a commit with the doc. Not in the user model though, because it returns only what it was being fed with. Is this acceptable? |
/backport to stable29 |
Yeah it helps. It still bugs me that we do not escape upon building the filter instead. I think we avoid double-escaping only because we do not apply escape when searching for group members, and we got lucky that uids never need escaping. server/apps/user_ldap/lib/Group_LDAP.php Line 808 in 1fb5486
|
There is no double escape per se. It is only about the backslash that is expected in different forms when used in search filter compared to when used as base. As usage in filters is the common usage, that format was chosen to be saved in the DB. |
P.S.: When is the raw uid used in a search filter? (Apart from override as uuid attribute) |
server/apps/user_ldap/lib/Group_LDAP.php Line 864 in 1fb5486
$dn may be the uid there.)
|
Indeed. In those cases when a DN is not being used to reference members 😰 But a valid case nonetheless. This is not in scope for this PR though, and also it is nothing that can be crafted by a shady user. |
/backport! to stable28 |
Summary
the DN has to be escaped differently when used as a base and we were missing it here in the search method call in the check-user command.
Checklist