fix(LDAP): escape DN on check-user#44350
Conversation
blizzz
requested review from
a team,
ArtificialOwl,
come-nc,
max-nextcloud and
sorbaugh
and removed request for
a team
|
/backport to stable28 |
|
/backport to stable27 |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| $user = $access->userManager->get($uid); | ||
| $avatarAttributes = $access->getConnection()->resolveRule('avatar'); | ||
| $result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0); | ||
| $baseDn = $this->helper->DNasBaseParameter($user->getDN()); |
Check notice
Code scanning / Psalm
PossiblyNullReference
|
/backport! to stable28 |
|
backporting right away to have a patch the customer can test. |
come-nc
left a comment
come-nc
left a comment
There was a problem hiding this comment.
So getDN does not return the raw dn but an escaped version?
Where is it escaped and how?
It is stored in an escaped way in the database. But when you use a DN as base parameter, it has to be differently encoded. It's all about the backslash. |
|
cf. https://github.com/nextcloud/server/blob/master/apps/user_ldap/lib/Access.php#L252 and https://github.com/nextcloud/server/blob/master/apps/user_ldap/lib/Access.php#L1600 P.S.: putting it differently, when using it in the search filter, the backslash has to be escaped, what we default to, cf. https://www.rfc-editor.org/rfc/rfc2254#page-5 |
|
@blizzz But I was sure we were using |
The DN is escaped in When the DN is used as base DN for operations though, the backlash must not be escaped as That is the difference. P.S.: |
come-nc
left a comment
come-nc
left a comment
There was a problem hiding this comment.
I still think this should be better documented.
the DN has to be escaped differently when used as a base and we were missing it here in the search method call in the check-user command. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
blizzz
force-pushed
the
fix/noid/ldap-check-user-escape
branch
from
c2c27e1 to
55d3a2a
Compare
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
@come-nc I added a commit with the doc. Not in the user model though, because it returns only what it was being fed with. Is this acceptable? |
|
/backport to stable29 |
Yeah it helps. It still bugs me that we do not escape upon building the filter instead. I think we avoid double-escaping only because we do not apply escape when searching for group members, and we got lucky that uids never need escaping. server/apps/user_ldap/lib/Group_LDAP.php Line 808 in 1fb5486 |
There is no double escape per se. It is only about the backslash that is expected in different forms when used in search filter compared to when used as base. As usage in filters is the common usage, that format was chosen to be saved in the DB. |
|
P.S.: When is the raw uid used in a search filter? (Apart from override as uuid attribute) |
server/apps/user_ldap/lib/Group_LDAP.php Line 864 in 1fb5486 $dn may be the uid there.)
|
Indeed. In those cases when a DN is not being used to reference members 😰 But a valid case nonetheless. This is not in scope for this PR though, and also it is nothing that can be crafted by a shady user. |
blizzz
added
4. to release
|
/backport! to stable28 |
This comment was marked as resolved.
This comment was marked as resolved.
4 participants
Summary
the DN has to be escaped differently when used as a base and we were missing it here in the search method call in the check-user command.
Checklist