From: Timo Sirainen Date: Wed, 18 Dec 2024 08:51:45 +0000 (+0200) Subject: auth: ldap - Fail clearly if filter string is empty X-Git-Tag: 2.4.0~71 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6db0bc16aab66a6967d64ffda35e6fa8b50c62ec;p=thirdparty%2Fdovecot%2Fcore.git auth: ldap - Fail clearly if filter string is empty
---
diff --git a/src/auth/db-ldap-settings.c b/src/auth/db-ldap-settings.c
index e7fe979c4f..1a0e22ac90 100644
--- a/src/auth/db-ldap-settings.c
+++ b/src/auth/db-ldap-settings.c
@@ -198,12 +198,34 @@ int ldap_setting_post_check(const struct ldap_settings *set, const char **error_
 return 0;
 }
-int ldap_pre_settings_post_check(const struct ldap_pre_settings *set, const char **error_r)
+int ldap_pre_settings_post_check(const struct ldap_pre_settings *set,
+ enum db_ldap_lookup_type type,
+ const char **error_r)
 {
 if (*set->ldap_base == '\0') {
 *error_r = "No ldap_base given";
 return -1;
 }
+ switch (type) {
+ case DB_LDAP_LOOKUP_TYPE_PASSDB:
+ if (set->passdb_ldap_filter[0] == '\0') {
+ *error_r = "No passdb_ldap_filter given";
+ return -1;
+ }
+ break;
+ case DB_LDAP_LOOKUP_TYPE_USERDB:
+ if (set->userdb_ldap_filter[0] == '\0') {
+ *error_r = "No userdb_ldap_filter given";
+ return -1;
+ }
+ break;
+ case DB_LDAP_LOOKUP_TYPE_ITERATE:
+ if (set->userdb_ldap_iterate_filter[0] == '\0') {
+ *error_r = "No userdb_ldap_iterate_filter given";
+ return -1;
+ }
+ break;
+ }
 return 0;
 }
diff --git a/src/auth/db-ldap-settings.h b/src/auth/db-ldap-settings.h
index a51b35e77c..dc341dd394 100644
--- a/src/auth/db-ldap-settings.h
+++ b/src/auth/db-ldap-settings.h
@@ -1,6 +1,12 @@
 #ifndef DB_LDAP_SETTINGS_H
 #define DB_LDAP_SETTINGS_H
+enum db_ldap_lookup_type {
+ DB_LDAP_LOOKUP_TYPE_PASSDB,
+ DB_LDAP_LOOKUP_TYPE_USERDB,
+ DB_LDAP_LOOKUP_TYPE_ITERATE,
+};
+
 struct ldap_settings {
 pool_t pool;
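Review bot: The new `switch (type)` in `ldap_pre_settings_post_check()` (db-ldap-settings.c) has no `default`, so a `type` value outside the three enumerators skips every filter check and still reaches `return 0`, meaning the validation passes open. Adding `default: i_unreached();` would make an unexpected value fail loudly; if the default is left out on purpose so the compiler flags unhandled enumerators, a short comment saying so would help the next reader. As a smaller style point, the new cases test `set->passdb_ldap_filter[0] == '\0'` while the existing line above uses `*set->ldap_base == '\0'`; one form throughout would read more consistently.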
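Review bot: `enum db_ldap_lookup_type` is added to db-ldap-settings.h without any comment, although its only use visible in this commit is to select which filter setting `ldap_pre_settings_post_check()` requires to be non-empty. A one-line comment above the enum would make that contract explicit, for example `/* Selects which *_ldap_filter setting ldap_pre_settings_post_check() validates. */`. The prototype changed in the next hunk of this header could carry a matching note on the `type` parameter.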
@@ -66,6 +72,8 @@ extern const struct setting_parser_info ldap_pre_setting_parser_info;
 extern const struct setting_parser_info ldap_post_setting_parser_info;
 int ldap_setting_post_check(const struct ldap_settings *set, const char **error_r);
-int ldap_pre_settings_post_check(const struct ldap_pre_settings *set, const char **error_r);
+int ldap_pre_settings_post_check(const struct ldap_pre_settings *set,
+ enum db_ldap_lookup_type type,
+ const char **error_r);
 #endif
diff --git a/src/auth/passdb-ldap.c b/src/auth/passdb-ldap.c
index 3416def067..b2a21d8571 100644
--- a/src/auth/passdb-ldap.c
+++ b/src/auth/passdb-ldap.c
@@ -375,7 +375,8 @@ ldap_verify_plain(struct auth_request *request,
 const struct ldap_pre_settings *ldap_pre = NULL;
 if (settings_get(event, &ldap_pre_setting_parser_info, 0, &ldap_pre, &error) < 0 ||
- ldap_pre_settings_post_check(ldap_pre, &error) < 0) {
+ ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_PASSDB,
+ &error) < 0) {
 e_error(event, "%s", error);
 callback(PASSDB_RESULT_INTERNAL_FAILURE, request);
 settings_free(ldap_pre);
@@ -413,7 +414,8 @@ static void ldap_lookup_credentials(struct auth_request *request,
 const struct ldap_pre_settings *ldap_pre = NULL;
 if (settings_get(event, &ldap_pre_setting_parser_info, 0, &ldap_pre, &error) < 0 ||
- ldap_pre_settings_post_check(ldap_pre, &error) < 0) {
+ ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_PASSDB,
+ &error) < 0) {
 e_error(event, "%s", error);
 passdb_ldap_request_fail(ldap_request, PASSDB_RESULT_INTERNAL_FAILURE);
 settings_free(ldap_pre);
diff --git a/src/auth/userdb-ldap.c b/src/auth/userdb-ldap.c
index ece572793c..8f49eb691e 100644
--- a/src/auth/userdb-ldap.c
+++ b/src/auth/userdb-ldap.c
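Review bot: The lookup-type constant is now hand-picked at each of four near-identical call sites, namely `ldap_verify_plain()` and `ldap_lookup_credentials()` in passdb-ldap.c (both pass `DB_LDAP_LOOKUP_TYPE_PASSDB`) and the two userdb-ldap.c hunks that follow. A wrong constant at any one of them would validate a filter other than the one that lookup uses and leave the real one unchecked. Since the `settings_get()` / `ldap_pre_settings_post_check()` / `e_error()` sequence is otherwise the same at all four, a small static helper taking the event and the `enum db_ldap_lookup_type` would keep them from drifting apart; at minimum a comment such as `/* type must match the filter this lookup searches with */` at each call would document the coupling. All four enclosing functions start and end outside their hunks, so which filter each one actually uses is not visible here.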
@@ -125,7 +125,8 @@ static void userdb_ldap_lookup(struct auth_request *auth_request,
 const struct ldap_pre_settings *ldap_pre = NULL;
 if (settings_get(event, &ldap_pre_setting_parser_info, 0, &ldap_pre, &error) < 0 ||
- ldap_pre_settings_post_check(ldap_pre, &error) < 0) {
+ ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_USERDB,
+ &error) < 0) {
 e_error(event, "%s", error);
 callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request);
 settings_free(ldap_pre);
@@ -257,7 +258,8 @@ userdb_ldap_iterate_init(struct auth_request *auth_request,
 const struct ldap_pre_settings *ldap_pre = NULL;
 if (settings_get(event, &ldap_pre_setting_parser_info, 0, &ldap_pre, &error) < 0 ||
- ldap_pre_settings_post_check(ldap_pre, &error) < 0) {
+ ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_ITERATE,
+ &error) < 0) {
 e_error(event, "%s", error);
 settings_free(ldap_pre);
 ctx->ctx.failed = TRUE;