# default is empty line
#LDAPBaseSearch ou=users,dc=mydomain,dc=local
-# TAG: LDAPFilterSearch uid=%s
+# TAG: LDAPFilterSearch (uid=%s)
# User search filter by user's logins in LDAP
# First founded record will be used
# %s - will be changed to userlogins from access.log file
-# filter string can have some tags '%s'
-# default value is 'uid=%s'
-#LDAPFilterSearch uid=%s
+# filter string can have up to 5 '%s' tags
+# default value is '(uid=%s)'
+#LDAPFilterSearch (uid=%s)
# TAG: LDAPTargetAttr attributename
# Name of the attribute containing a name of the user
static void get_ldap_name(const char *userlogin,char *mappedname,int namelen)
{
/* Start searching username in cache */
-
- char filtersearch[256], strictchars[] = " ~!@^&(){}|<>?:;\"\'\\[]`,\r\n\0", *strictptr = strictchars, *searched_in_cache;
+ // According to rfc2254 section 4, only *()\ and NUL must be escaped. This list is rather conservative !
+ const char strictchars[] = " ~!@^&(){}|<>?:;\"\'\\[]`,\r\n\0";
+ char filtersearch[256], *searched_in_cache;
+ char searchloginname[3*MAX_USER_LEN];
char *attr, **vals;
LDAPMessage *result, *e;
BerElement *ber;
+ int i;
- while (*strictptr) {
- char *foundchr;
- if ((foundchr = strchr(userlogin, *strictptr)))
- *foundchr = '\0';
- strictptr++;
+ for (i=0 ; i<sizeof(searchloginname)-1 && *userlogin ; userlogin++) {
+ if (strchr(strictchars,*userlogin)) {
+ // escape character according to rfc2254 section 4
+ if (i+3>=sizeof(searchloginname)-1) break;
+ i+=sprintf(searchloginname+i,"\\%02X",*userlogin);
+ } else {
+ searchloginname[i++]=*userlogin;
+ }
}
+ searchloginname[i]='\0';
- if (!(searched_in_cache = search_in_cache(userlogin))) {
- snprintf(filtersearch, sizeof(filtersearch), LDAPFilterSearch, userlogin, userlogin, userlogin, userlogin, userlogin);
+ if (!(searched_in_cache = search_in_cache(searchloginname))) {
+ snprintf(filtersearch, sizeof(filtersearch), LDAPFilterSearch, searchloginname, searchloginname, searchloginname, searchloginname, searchloginname);
/* Search record(s) in LDAP base */
int rc= ldap_search_s(ldap_handle, LDAPBaseSearch, LDAP_SCOPE_SUBTREE, filtersearch, NULL, 0, &result);
if ( rc != LDAP_SUCCESS ) {
debuga(_("LDAP search failed: %s\n"), ldap_err2string(rc));
- strcpy(mappedname,userlogin);
+ strncpy(mappedname,searchloginname,namelen-1);
+ mappedname[namelen-1]='\0';
return;
}
if (!(e = ldap_first_entry(ldap_handle, result)))
- insert_to_cache(userlogin, userlogin);
+ insert_to_cache(searchloginname, searchloginname);
else
for (attr = ldap_first_attribute(ldap_handle, e, &ber); attr != NULL; attr = ldap_next_attribute(ldap_handle, e, ber)) {
if (!strcasecmp(attr, LDAPTargetAttr)) {
if ((vals = (char **)ldap_get_values(ldap_handle, e, attr))!=NULL) {
- insert_to_cache(userlogin, vals[0]);
+ insert_to_cache(searchloginname, vals[0]);
strncpy(mappedname, vals[0],namelen-1);
mappedname[namelen-1]='\0';
ldap_memfree(vals);
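Review bot: The escape at `i+=sprintf(searchloginname+i,"\\%02X",*userlogin);` passes a plain `char`, which is signed on x86 and similar targets, so any byte >= 0x80 (a non-ASCII login) is promoted to a negative int and `%02X` prints eight hex digits instead of two; the `i+3` guard on the line above only reserves three bytes, so such a byte writes past the end of the stack buffer `searchloginname`. Cast the byte first, `i+=sprintf(searchloginname+i,"\\%02X",(unsigned char)*userlogin);`, after which the sequence is always exactly three characters and the guard holds. Separately, because `userlogin` itself is advanced by the loop, the failure-path copy `strncpy(mappedname,searchloginname,namelen-1);` and the `insert_to_cache` keys now receive the escaped form rather than the raw login; if the raw name is intended there, keep a copy of the original pointer before the loop. The body of `get_ldap_name` continues past the end of the hunk.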