From 783f9a17939cb510406efab94db6d646071da1a7 Mon Sep 17 00:00:00 2001
From: Daniel Cebrian
Date: Wed, 25 Jan 2023 17:01:28 +0100
Subject: [PATCH] #10115 fixed login with special character in ldap
---
 pandora_console/include/auth/mysql.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pandora_console/include/auth/mysql.php b/pandora_console/include/auth/mysql.php
index be845f3fc0..e33ce54f5b 100644
--- a/pandora_console/include/auth/mysql.php
+++ b/pandora_console/include/auth/mysql.php
@@ -360,7 +360,7 @@ function process_user_login_remote($login, $pass, $api=false)
 }

 $user_info = [
- 'fullname' => $login,
+ 'fullname' => io_safe_input($login),
 'comments' => 'Imported from '.$config['auth'],
 ];

@@ -1565,7 +1565,7 @@ function local_ldap_search(

 $filter = '';
 if (!empty($access_attr) && !empty($user)) {
- $filter = " -s sub '(".$access_attr.'='.$user.")' ";
+ $filter = ' -s sub '.escapeshellarg('('.$access_attr.'='.$user.')');
 }

 $tls = '';
@@ -1591,7 +1591,7 @@ function local_ldap_search(
 $ldap_admin_pass = ' -w '.escapeshellarg($ldap_admin_pass);
 }

- $dn = " -b '".$dn."'";
+ $dn = ' -b '.escapeshellarg($dn);
 $ldapsearch_command = 'ldapsearch -LLL -o ldif-wrap=no -o nettimeout='.$ldap_search_time.' -x'.$ldap_host.$ldap_version.' -E pr=10000/noprompt '.$ldap_admin_user.$ldap_admin_pass.$dn.$filter.$tls.' | grep -v "^#\|^$" | sed "s/:\+ /=>/g"';
 $shell_ldap_search = explode("\n", shell_exec($ldapsearch_command));
 foreach ($shell_ldap_search as $line) {
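Review bot: Only the 'fullname' entry of `$user_info` is passed through `io_safe_input()`, and the hunk does not show whether the user id written alongside it gets the same encoding. The code that consumes `$user_info` lies outside the hunk, so this is a question rather than a finding. If the id is stored raw while the name is entity-encoded, a login containing special characters could end up stored in two different forms. A short comment would also help the next reader, for example `// Stored entity-encoded like other console input; decode with io_safe_output() for display.`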
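Review bot: `escapeshellarg()` on the `$filter` line closes the shell-quoting problem, but `$user` still reaches the LDAP filter unescaped, so `*`, `(`, `)` and `\` in a login keep their filter meaning and can change which entries match. If the ldap extension is loaded on this path, escape the value first: `escapeshellarg('('.$access_attr.'='.ldap_escape($user, '', LDAP_ESCAPE_FILTER).')')`. Otherwise apply the RFC 4515 escapes by hand. Also note that `escapeshellarg()` can drop bytes that are invalid in the current LC_CTYPE, so a non-ASCII login may be altered silently under a C locale. That is worth a test given the commit's subject. The body of `local_ldap_search` starts and ends outside this hunk.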
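Review bot: `$ldap_search_time` is still concatenated raw into `$ldapsearch_command` on the line after the `$dn` change, now that `$dn` itself is quoted. Whether it, `$ldap_host`, `$ldap_version` and `$tls` are validated earlier in `local_ldap_search` is not visible from this hunk. A cast at the point of use would make the line safe on its own: `'-o nettimeout='.(int) $ldap_search_time`. Separately, the bind password is passed with `-w` on the command line, where other local users can read it from the process list. ldapsearch's `-y` option reads it from a file with restricted permissions instead.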