author | Gunnar Wrobel <wrobel@pardus.de> | 2010-01-11 09:30:11 (GMT) |
---|---|---|
committer | Gunnar Wrobel <wrobel@pardus.de> | 2010-01-11 09:30:11 (GMT) |
commit | d90a77e0495d85fb95747859646624cf78108985 (patch) | |
tree | f8629d2d47db18f07543f1b95c9bf007e3141aa8 /www | |
parent | 1bec83373c38efe400a1a56c0e6c334f753f99d9 (diff) | |
download | kolab-webadmin-d90a77e0495d85fb95747859646624cf78108985.tar.gz |
MFB: kolab/issue3499 (Kolab web admin does not use LDAP escaping)
Diffstat (limited to 'www')
-rw-r--r-- | www/admin/addressbook/addr.php.in | 6 | ||||
-rw-r--r-- | www/admin/administrator/admin.php.in | 6 | ||||
-rw-r--r-- | www/admin/distributionlist/list.php.in | 8 | ||||
-rw-r--r-- | www/admin/domainmaintainer/domainmaintainer.php.in | 6 | ||||
-rw-r--r-- | www/admin/maintainer/maintainer.php.in | 6 | ||||
-rw-r--r-- | www/admin/sharedfolder/sf.php.in | 6 | ||||
-rw-r--r-- | www/admin/user/user.php.in | 8 |
7 files changed, 23 insertions, 23 deletions
diff --git a/www/admin/addressbook/addr.php.in b/www/admin/addressbook/addr.php.in index 84f0c27..bb70ecf 100644 --- a/www/admin/addressbook/addr.php.in +++ b/www/admin/addressbook/addr.php.in @@ -163,7 +163,7 @@ if( !$errors ) { if ($action == "save") { if (!$errors) { - if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap_object['cn'].",".$addressbook_root; + if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap->dn_escape($ldap_object['cn']).",".$addressbook_root; else $newdn = $dn; debug("action=save, dn=$dn, newdn=$newdn<br/>\n"); if (strcmp($dn,$newdn) != 0) { @@ -185,7 +185,7 @@ if( !$errors ) { foreach( $ldap_object as $k => $v ) if( $v == array() ) unset( $ldap_object[$k] ); // Try to rename the object - if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap_object['cn'], $addressbook_root, true)) { + if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap->dn_escape($ldap_object['cn']), $addressbook_root, true)) { array_push($errors, sprintf(_("LDAP Error: could not rename %s to %s: %s"), $dn, $newdn, ldap_error($ldap->connection))); } @@ -221,7 +221,7 @@ if( !$errors ) { } } else { if (!$errors) { - $dn = "cn=".$ldap_object['cn'].",".$addressbook_root; + $dn = "cn=".$ldap->dn_escape($ldap_object['cn']).",".$addressbook_root; foreach( $ldap_object as $k => $v ) if( $v == array() ) unset( $ldap_object[$k] ); if ($dn && !ldap_add($ldap->connection, $dn, $ldap_object)) { array_push($errors, sprintf(_("LDAP Error: could not add object %s: %s"), $dn, diff --git a/www/admin/administrator/admin.php.in b/www/admin/administrator/admin.php.in index 1c2aced..74ed95b 100644 --- a/www/admin/administrator/admin.php.in +++ b/www/admin/administrator/admin.php.in 
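Review bot: In addr.php.in (hunk @@ -163) the escaped RDN is built inline for `$newdn` and again in the `ldap_rename()` call of the next hunk (@@ -185), so the `strcmp($dn,$newdn)` test and the rename target agree only as long as both expressions are edited together. Building it once, `$rdn = "cn=".$ldap->dn_escape($ldap_object['cn']);`, then using `$newdn = $rdn.",".$addressbook_root;` and `ldap_rename($ldap->connection, $dn, $rdn, $addressbook_root, true)`, removes that risk. The same duplication is repeated in admin.php.in, list.php.in, domainmaintainer.php.in, maintainer.php.in and sf.php.in. It is also worth confirming that `$dn`, which is set outside this hunk, carries the same escape form that `dn_escape()` produces. If it does not, `strcmp()` reports a difference and a rename is attempted on every save of an entry whose cn contains a special character.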
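Review bot: In the firstsave branch of addr.php.in (hunk @@ -221) the `$dn &&` guard in front of `ldap_add()` can never fail, because `$dn` always starts with the literal `cn=`; an empty `$ldap_object['cn']` therefore produces `cn=,` followed by the root and is sent to the server. The save branch tests `!empty($ldap_object['cn'])` before building the DN, and the same test fits here: `if (empty($ldap_object['cn'])) array_push($errors, _("Missing cn"));` ahead of the assignment, unless validation outside the hunk already guarantees a non-empty cn. The firstsave hunks of admin.php.in, list.php.in, domainmaintainer.php.in, maintainer.php.in and sf.php.in have the same shape.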
@@ -197,7 +197,7 @@ switch( $action ) { if ($action == "save") { if (!$errors) { - if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap_object['cn'].",cn=internal,".$domain_dn; + if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap->dn_escape($ldap_object['cn']).",cn=internal,".$domain_dn; else $newdn = $dn; if (!$visible && !strstr($newdn,$dn_add)) { list($cn,$rest) = split(',', $newdn, 2); @@ -212,7 +212,7 @@ switch( $action ) { $ldap_object['userPassword'] = $oldattrs['userPassword'][0]; // Try to rename the object - if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap_object['cn'], "cn=internal,".$domain_dn, true)) { + if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap->dn_escape($ldap_object['cn']), "cn=internal,".$domain_dn, true)) { array_push($errors, sprintf(_("LDAP Error: could not rename %s to %s: %s"), $dn, $newdn, ldap_error($ldap->connection))); } @@ -249,7 +249,7 @@ switch( $action ) { } else { // firstsave if (!$errors) { - $dn = "cn=".$ldap_object['cn'].",cn=internal,".$domain_dn; + $dn = "cn=".$ldap->dn_escape($ldap_object['cn']).",cn=internal,".$domain_dn; debug("Calling ldap_add with dn=$dn"); // Add object to db if ($dn && !ldap_add($ldap->connection, $dn, $ldap_object)) diff --git a/www/admin/distributionlist/list.php.in b/www/admin/distributionlist/list.php.in index 58ea132..8b38c6b 100644 --- a/www/admin/distributionlist/list.php.in +++ b/www/admin/distributionlist/list.php.in @@ -184,7 +184,7 @@ if( !$errors ) { if ($action == "save") { if (!$errors) { - if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap_object['cn'].",".$dl_root; + if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap->dn_escape($ldap_object['cn']).",".$dl_root; else $newdn = $dn; if (strcmp($dn,$newdn) != 0) { if (($result=ldap_read($ldap->connection,$dn,"(objectclass=*)")) && 
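Review bot: In admin.php.in (hunk @@ -197) the freshly escaped `$newdn` is taken apart again two lines later by `list($cn,$rest) = split(',', $newdn, 2);`, which cuts at the first comma in the string. If `dn_escape()`, which is defined outside this diff, writes a comma in the value as backslash-comma rather than as a hex pair, a cn containing a comma is split inside the RDN value and `$cn` ends with a dangling backslash. Keeping the RDN in its own variable, `$rdn = "cn=".$ldap->dn_escape($ldap_object['cn']);`, and composing the non-visible entry's DN from `$rdn` and the parent avoids re-parsing the string; the code after the `split()` lies outside the hunk, so the exact replacement depends on it. The same lines appear in domainmaintainer.php.in (@@ -181) and maintainer.php.in (@@ -194).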
@@ -192,7 +192,7 @@ if( !$errors ) { ($oldattrs=ldap_get_attributes($ldap->connection,$entry))) { // Try to rename the object - if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap_object['cn'], $dl_root, true)) { + if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap->dn_escape($ldap_object['cn']), $dl_root, true)) { array_push($errors, sprintf(_("LDAP Error: could not rename %s to %s: %s"), $dn, $newdn, ldap_error($ldap->connection))); } @@ -226,7 +226,7 @@ if( !$errors ) { // firstsave if (!$errors) { if( !$ldap_object['member'] ) unset($ldap_object['member']); - $dn = "cn=".$ldap_object['cn'].",".$dl_root; + $dn = "cn=".$ldap->dn_escape($ldap_object['cn']).",".$dl_root; if ($dn && !ldap_add($ldap->connection, $dn, $ldap_object)) { array_push($errors, sprintf( _("LDAP Error: Could not add object %s: %s"), $dn, ldap_error($ldap->connection))); @@ -242,7 +242,7 @@ if( !$errors ) { if( $ldap->countMail( $_SESSION['base_dn'], $ldap_object['cn'].'@'.$domain, $dn ) > 0 ) { // Ups!!! $cn = $ldap_object['cn']; - $newcn = md5sum( $dn.$cn ); + $newcn = md5( $dn.$cn ); $ldap_object['cn'] = $newcn; $ldap_object['dn'] = 'cn='.$ldap->escape($newcn).','.$dl_root; if (!ldap_rename($ldap->connection, $dn, 'cn='.$ldap->escape($newcn), $dl_root,true)) { diff --git a/www/admin/domainmaintainer/domainmaintainer.php.in b/www/admin/domainmaintainer/domainmaintainer.php.in index a48fb9c..13d7e26 100644 --- a/www/admin/domainmaintainer/domainmaintainer.php.in +++ b/www/admin/domainmaintainer/domainmaintainer.php.in @@ -181,7 +181,7 @@ switch( $action ) { if ($action == "save") { if (!$errors) { - if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap_object['cn'].",cn=internal,".$domain_dn; + if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap->dn_escape($ldap_object['cn']).",cn=internal,".$domain_dn; else $newdn = $dn; if (!$visible && !strstr($newdn,$dn_add)) { list($cn,$rest) = split(',', $newdn, 2); 
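Review bot: In list.php.in (hunk @@ -242) the fallback DN and the `ldap_rename()` RDN are built with `$ldap->escape($newcn)`, while every DN this commit touches uses `$ldap->dn_escape()`. `$newcn` is an `md5()` hex digest, so either helper presumably leaves it unchanged, but search-filter escaping and DN escaping follow different rules and the mix is easy to copy into a place where it matters; `'cn='.$ldap->dn_escape($newcn)` on both lines keeps the file consistent. The `countMail()` call at the top of the hunk receives `$ldap_object['cn'].'@'.$domain` unescaped. `countMail()` is defined outside this diff, so it should be confirmed that it applies filter escaping to that argument itself.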
@@ -196,7 +196,7 @@ switch( $action ) { $ldap_object['userPassword'] = $oldattrs['userPassword'][0]; // Try to rename the object - if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap_object['cn'], "cn=internal,".$domain_dn, true)) { + if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap->dn_escape($ldap_object['cn']), "cn=internal,".$domain_dn, true)) { array_push($errors, sprintf(_("LDAP Error: could not rename %s to %s: %s"), $dn, $newdn, ldap_error($ldap->connection))); } @@ -255,7 +255,7 @@ switch( $action ) { } else { // firstsave if (!$errors) { - $dn = "cn=".$ldap_object['cn'].",cn=internal,".$domain_dn; + $dn = "cn=".$ldap->dn_escape($ldap_object['cn']).",cn=internal,".$domain_dn; debug("Calling ldap_add with dn=$dn"); if ($dn && !ldap_add($ldap->connection, $dn, $ldap_object)) array_push($errors, sprintf(_("LDAP Error: could not add object %s: %s"), $dn, diff --git a/www/admin/maintainer/maintainer.php.in b/www/admin/maintainer/maintainer.php.in index 853962e..35b521e 100644 --- a/www/admin/maintainer/maintainer.php.in +++ b/www/admin/maintainer/maintainer.php.in @@ -194,7 +194,7 @@ switch( $action ) { if ($action == "save") { if (!$errors) { - if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap_object['cn'].",cn=internal,".$domain_dn; + if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap->dn_escape($ldap_object['cn']).",cn=internal,".$domain_dn; else $newdn = $dn; if (!$visible && !strstr($newdn,$dn_add)) { list($cn,$rest) = split(',', $newdn, 2); @@ -209,7 +209,7 @@ switch( $action ) { $ldap_object['userPassword'] = $oldattrs['userPassword'][0]; // Try to rename the object - if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap_object['cn'], "cn=internal,".$domain_dn, true)) { + if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap->dn_escape($ldap_object['cn']), "cn=internal,".$domain_dn, true)) { array_push($errors, sprintf(_("LDAP Error: could not rename %s to %s: %s"), $dn, $newdn, ldap_error($ldap->connection))); } 
@@ -251,7 +251,7 @@ switch( $action ) { } else { // firstsave if (!$errors) { - $dn = "cn=".$ldap_object['cn'].",cn=internal,".$domain_dn; + $dn = "cn=".$ldap->dn_escape($ldap_object['cn']).",cn=internal,".$domain_dn; debug("Calling ldap_add with dn=$dn"); if ($dn && !ldap_add($ldap->connection, $dn, $ldap_object)) array_push($errors, sprintf( _("LDAP Error: could not add object %s: %s"), $dn, diff --git a/www/admin/sharedfolder/sf.php.in b/www/admin/sharedfolder/sf.php.in index 018726b..38757dc 100644 --- a/www/admin/sharedfolder/sf.php.in +++ b/www/admin/sharedfolder/sf.php.in @@ -215,7 +215,7 @@ if( !$errors ) { if ($action == "save") { if (!$errors) { - if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap_object['cn'].",".$sf_root; + if (!empty($ldap_object['cn'])) $newdn = "cn=".$ldap->dn_escape($ldap_object['cn']).",".$sf_root; else $newdn = $dn; if (strcmp($dn,$newdn) != 0) { if (($result=ldap_read($ldap->connection,$dn,"(objectclass=*)")) && @@ -223,7 +223,7 @@ if( !$errors ) { ($oldattrs=ldap_get_attributes($ldap->connection,$entry))) { // Try to rename the object - if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap_object['cn'], $sf_root, true)) { + if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap->dn_escape($ldap_object['cn']), $sf_root, true)) { array_push($errors, sprintf(_("LDAP Error: could not rename %s to %s: %s"), $dn, $newdn, ldap_error($ldap->connection))); } @@ -255,7 +255,7 @@ if( !$errors ) { } } else { if (!$errors) { - $dn = "cn=".$ldap_object['cn'].",".$sf_root; + $dn = "cn=".$ldap->dn_escape($ldap_object['cn']).",".$sf_root; $ldap_object['kolabHomeServer'] = trim($_POST['kolabhomeserver']); if ($dn && !ldap_add($ldap->connection, $dn, $ldap_object)) array_push($errors, sprintf(_("LDAP Error: could not add object %s: %s"), $dn, diff --git a/www/admin/user/user.php.in b/www/admin/user/user.php.in index a950a88..3c48400 100644 --- a/www/admin/user/user.php.in +++ b/www/admin/user/user.php.in 
@@ -613,7 +613,7 @@ switch( $action ) { if ( !$errors ) { // Try to rename the object - if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap_object['cn'], $domain_dn, true)) { + if (!ldap_rename($ldap->connection, $dn, "cn=" . $ldap->dn_escape($ldap_object['cn']), $domain_dn, true)) { array_push($errors, sprintf(_("LDAP Error: could not rename %s to %s: %s"), $dn, $newdn, ldap_error($ldap->connection))); } @@ -656,7 +656,7 @@ switch( $action ) { if( $ldap->countMail( $_SESSION['base_dn'], $alias, $dn ) > 0 ) { // Ups!!! $alias = $ldap_object['alias'][$i]; - $newalias = md5sum( $dn.$alias ).'@'.substr( $alias, 0, strpos( $alias, '@' ) ); + $newalias = md5( $dn.$alias ).'@'.substr( $alias, 0, strpos( $alias, '@' ) ); $ldap_object['alias'][$i] = $newalias; if (!ldap_modify($ldap->connection, $dn, $ldap_object)) { $errors[] = sprintf(_("LDAP Error: Could not modify object %s: %s"), $dn, @@ -693,7 +693,7 @@ switch( $action ) { if( $ldap->countMail( $_SESSION['base_dn'], $ldap_object['mail'], $dn ) > 0 ) { // Ups!!! $mail = $ldap_object['mail']; - $newmail = md5sum( $dn.$mail ).'@'.substr( $mail, 0, strpos( $mail, '@' ) ); + $newmail = md5( $dn.$mail ).'@'.substr( $mail, 0, strpos( $mail, '@' ) ); $ldap_object['uid'] = $ldap_object['mail'] = $newmail; if (!ldap_modify($ldap->connection, $dn, $ldap_object)) { $errors[] = sprintf(_("LDAP Error: Could not modify object %s: %s"), $dn, @@ -708,7 +708,7 @@ switch( $action ) { if( $ldap->countMail( $_SESSION['base_dn'], $alias, $dn ) > 0 ) { // Ups!!! $alias = $ldap_object['alias'][$i]; - $newalias = md5sum( $dn.$alias ).'@'.substr( $alias, 0, strpos( $alias, '@' ) ); + $newalias = md5( $dn.$alias ).'@'.substr( $alias, 0, strpos( $alias, '@' ) ); $ldap_object['alias'][$i] = $newalias; if (!ldap_modify($ldap->connection, $dn, $ldap_object)) { $errors[] = sprintf(_("LDAP Error: Could not modify object %s: %s"), $dn, |
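Review bot: In user.php.in (hunk @@ -613) only the `ldap_rename()` argument is escaped; `$newdn`, which is printed in the error message here and presumably decides whether the rename runs at all, is assigned outside the hunk and is not touched by this commit. If that assignment still concatenates the raw `$ldap_object['cn']`, the comparison with `$dn` and any later operation that addresses the entry through `$newdn` would use a different DN string than the one the server now holds. The assignment should use the same `"cn=".$ldap->dn_escape($ldap_object['cn'])` expression, or be confirmed to do so already.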
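Review bot: In user.php.in (hunk @@ -656) `substr( $alias, 0, strpos( $alias, '@' ) )` has no handling for a value without `@`: `strpos()` returns `false`, the length becomes 0 and the replacement alias is the digest followed by a bare `@`. Unless `md5sum()` was defined elsewhere in the project, switching to `md5()` is what makes this duplicate-address branch run for the first time, so the case deserves a guard such as `$at = strpos($alias, '@'); $local = ($at === false) ? $alias : substr($alias, 0, $at);`. The result puts the original local part after the `@`, which looks like a deliberate way to produce an undeliverable placeholder; a comment stating that intent in place of `// Ups!!!` would help the next reader. The same expression is used in the hunks @@ -693 and @@ -708.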