
(-)a/docs/manual/mod/mod_authnz_ldap.xml (-1 / +5 lines)
Lines 1284-1290 You can of course use search parameters on each of these.</p> Link Here
1284
        will search for all objects in the tree. Filters are
1284
        will search for all objects in the tree. Filters are
1285
        limited to approximately 8000 characters (the definition of
1285
        limited to approximately 8000 characters (the definition of
1286
        <code>MAX_STRING_LEN</code> in the Apache source code). This
1286
        <code>MAX_STRING_LEN</code> in the Apache source code). This
1287
        should be more than sufficient for any application.</dd>
1287
        should be more than sufficient for any application.
1288
        You can use %u in the filter, which will be replaced by the username
1289
        provided by the client. If you use it, the attribute value will be
1290
        ignored. Note that you need to escape it in your configuration file,
1291
        so type %25u.</dd>
1288
</dl>
1292
</dl>
1289
1293
1290
    <p>When doing searches, the attribute, filter and username passed
1294
    <p>When doing searches, the attribute, filter and username passed
(-)a/modules/aaa/mod_authnz_ldap.c (-21 / +50 lines)
Lines 246-266 static void authn_ldap_build_filter(char *filtbuf, Link Here
246
    }
246
    }
247
247
248
    /*
248
    /*
249
     * Create the first part of the filter, which consists of the
249
     * Now escape any LDAP metachars in the client-supplied username for the
250
     * config-supplied portions.
250
     * filter.
251
     */
252
    apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", filter, sec->attribute);
253
254
    /*
255
     * Now add the client-supplied username to the filter, ensuring that any
256
     * LDAP filter metachars are escaped.
257
     */
251
     */
258
    filtbuf_end = filtbuf + FILTER_LENGTH - 1;
252
    filtbuf_end = filtbuf + FILTER_LENGTH - 1;
253
254
    char *unescaped_user = user;
255
    /* This is the maximum size user can have (if we escape all chars) */
256
    size_t user_len = (strlen(user) * 2) + 1;
257
258
    user = apr_palloc(r->pool, user_len);
259
260
    for (p = unescaped_user, q = user;
261
         *p && q < filtbuf_end;
259
#if APR_HAS_MICROSOFT_LDAPSDK
262
#if APR_HAS_MICROSOFT_LDAPSDK
260
    for (p = user, q=filtbuf + strlen(filtbuf);
263
         ) {
261
         *p && q < filtbuf_end; ) {
262
        if (strchr("*()\\", *p) != NULL) {
264
        if (strchr("*()\\", *p) != NULL) {
263
            if ( q + 3 >= filtbuf_end)
265
            if ( q + 3 >= user_len)
264
              break;  /* Don't write part of escape sequence if we can't write all of it */
266
              break;  /* Don't write part of escape sequence if we can't write all of it */
265
            *q++ = '\\';
267
            *q++ = '\\';
266
            switch ( *p++ )
268
            switch ( *p++ )
Lines 287-297 static void authn_ldap_build_filter(char *filtbuf, Link Here
287
            *q++ = *p++;
289
            *q++ = *p++;
288
    }
290
    }
289
#else
291
#else
290
    for (p = user, q=filtbuf + strlen(filtbuf);
292
             *q++ = *p++) {
291
         *p && q < filtbuf_end; *q++ = *p++) {
292
        if (strchr("*()\\", *p) != NULL) {
293
        if (strchr("*()\\", *p) != NULL) {
293
            *q++ = '\\';
294
            *q++ = '\\';
294
            if (q >= filtbuf_end) {
295
            if (q >= user_len) {
295
              break;
296
              break;
296
            }
297
            }
297
        }
298
        }
Lines 299-310 static void authn_ldap_build_filter(char *filtbuf, Link Here
299
#endif
300
#endif
300
    *q = '\0';
301
    *q = '\0';
301
302
302
    /*
303
    char *token, *last = NULL;
303
     * Append the closing parens of the filter, unless doing so would
304
    char *filtercopy = apr_pstrdup(r->pool, sec->filter);
304
     * overrun the buffer.
305
305
     */
306
    token = apr_strtok(filtercopy, "%", &last);
306
    if (q + 2 <= filtbuf_end)
307
307
        strcat(filtbuf, "))");
308
    /* If token and filter has same length, then there's no separator char
309
     * found. */
310
    if (strlen(token) == strlen(sec->filter)) {
311
        /*
312
         * Create the first part of the filter, which consists of the
313
         * config-supplied portions.
314
         */
315
        apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=%s))", filter, sec->attribute, user);
316
    }
317
    else {
318
        /* Otherwise continue to tokenize and put this into an array. */
319
        apr_array_header_t *filter_arr = apr_array_make(r->pool, 2, sizeof(char *));
320
321
        /* Push directly the first token */
322
        APR_ARRAY_PUSH(filter_arr, char *) = token;
323
324
        while ((token = apr_strtok(NULL, "%", &last))) {
325
            if (*token == 'u') {
326
                APR_ARRAY_PUSH(filter_arr, char *) = user;
327
                APR_ARRAY_PUSH(filter_arr, char *) = token + 1;
328
            }
329
            else
330
                APR_ARRAY_PUSH(filter_arr, char *) = token;
331
        }
332
333
        /* Concatenate all tokens with the user a a separator,
334
         * and copy the result to filtbuf */
335
        apr_snprintf(filtbuf, FILTER_LENGTH, "(%s)",
336
                     apr_array_pstrcat(r->pool, filter_arr, 0));
337
    }
308
}
338
}
309
339
310
static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
340
static void *create_authnz_ldap_dir_config(apr_pool_t *p, char *d)
311
- 
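Review bot: The bounds checks in the rewritten escape loop (first hunk, `Lines 246-266`, continued in the second hunk) no longer bound the buffer that is actually written: `q` now points into the freshly pool-allocated `user`, but the loop condition still compares it with `filtbuf_end`, a pointer into `filtbuf`, and the two in-branch checks `q + 3 >= user_len` and `q >= user_len` compare a `char *` with a `size_t`, which is a constraint violation in C and in any case not a bound on `user`. The existing `q + 3` check suggests the `APR_HAS_MICROSOFT_LDAPSDK` path can emit three bytes per escaped character (the switch body is outside the hunk), so `strlen(user) * 2 + 1` also looks undersized for that path; sizing for three bytes and checking against a `user_end` pointer fixes both, as sketched below. In the third hunk, `strlen(token)` is reached without checking that `apr_strtok` returned non-NULL, which it does when `sec->filter` is empty or consists only of `%`, and any `%` that is not followed by `u` is silently dropped from the filter (the token is pushed without its separator), which the accompanying documentation change does not describe. authn_ldap_build_filter begins outside the hunks shown.
```c
    char *unescaped_user = user;
    /* Worst case is three output bytes per input byte (backslash + two digits). */
    size_t user_len = (strlen(user) * 3) + 1;

    user = apr_palloc(r->pool, user_len);
    char *user_end = user + user_len - 1;   /* position reserved for the NUL */

    for (p = unescaped_user, q = user;
         *p && q < user_end;
#if APR_HAS_MICROSOFT_LDAPSDK
         ) {
        if (strchr("*()\\", *p) != NULL) {
            if (q + 3 > user_end)
              break;  /* Don't write part of escape sequence if we can't write all of it */
            /* … unchanged: backslash plus the per-metachar escape … */
#else
             *q++ = *p++) {
        if (strchr("*()\\", *p) != NULL) {
            *q++ = '\\';
            if (q >= user_end) {
              break;
            }
        }
#endif
    *q = '\0';
    /* … unchanged: tokenising sec->filter on '%' and building filtbuf … */
```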
