auth: passdb/userdb ldap - Fix escaping ldap filter, base and bind_userdn
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Fri, 20 Feb 2026 16:37:38 +0000 (18:37 +0200)
committerRebaser <foobar@foobar>
Thu, 26 Mar 2026 08:41:12 +0000 (08:41 +0000)
Broken by c2ccdab8d09dec65753ee42366f48d53d7f47cfd

src/auth/passdb-ldap.c
src/auth/userdb-ldap.c

index cda63231f2c40c65cd48e2528485919147b8c267..37eb44c336dc4d4292c378ee35130dd73bbe81fc 100644 (file)
@@ -379,9 +379,12 @@ ldap_verify_plain(struct auth_request *request,
                return;
        }
 
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+       };
        const struct ldap_pre_settings *ldap_pre = NULL;
-       if (settings_get(event, &ldap_pre_setting_parser_info, 0,
-                        &ldap_pre, &error) < 0 ||
+       if (settings_get_params(event, &ldap_pre_setting_parser_info,
+                               &params, &ldap_pre, &error) < 0 ||
            ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_PASSDB,
                                         &error) < 0) {
                e_error(event, "%s", error);
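Review bot: The three-line `params` initializer with `.escape_func = ldap_escape` is now copied into six call sites (this hunk, ldap_lookup_credentials and passdb_ldap_preinit in this file, and the three matching hunks in src/auth/userdb-ldap.c), so escaping remains opt-in at every caller. A later lookup that calls plain `settings_get()` on `ldap_pre_setting_parser_info` would presumably expand unescaped values into the filter, base and bind DN again, which is the regression this commit repairs. A single wrapper that both files call would make the escaped path the only way to load these settings. The sketch below shows one possible shape; the wrapper name is only a suggestion, and it would need a declaration in a header both files already include. ldap_verify_plain's body starts and ends outside the hunk.

```c
/* Load ldap_pre settings with ldap_escape applied to expanded variables,
   so that no caller can forget the escape function. */
int ldap_pre_settings_get(struct event *event, enum settings_get_flags flags,
			  const struct ldap_pre_settings **set_r,
			  const char **error_r)
{
	const struct settings_get_params params = {
		.escape_func = ldap_escape,
		.flags = flags,
	};
	return settings_get_params(event, &ldap_pre_setting_parser_info,
				   &params, set_r, error_r);
}

/* … unchanged: ldap_verify_plain up to the settings lookup … */
	const struct ldap_pre_settings *ldap_pre = NULL;
	if (ldap_pre_settings_get(event, 0, &ldap_pre, &error) < 0 ||
	/* … unchanged: ldap_pre_settings_post_check() and error path … */
```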
@@ -417,10 +420,13 @@ static void ldap_lookup_credentials(struct auth_request *request,
        auth_request_ref(request);
        ldap_request->request.ldap.auth_request = request;
 
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+       };
        const char *error;
        const struct ldap_pre_settings *ldap_pre = NULL;
-       if (settings_get(event, &ldap_pre_setting_parser_info, 0,
-                        &ldap_pre, &error) < 0 ||
+       if (settings_get_params(event, &ldap_pre_setting_parser_info, &params,
+                               &ldap_pre, &error) < 0 ||
            ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_PASSDB,
                                         &error) < 0) {
                e_error(event, "%s", error);
@@ -451,8 +457,13 @@ passdb_ldap_preinit(pool_t pool, struct event *event,
        if (settings_get(event, &auth_passdb_post_setting_parser_info,
                         RAW_SETTINGS, &auth_post, error_r) < 0)
                goto failed;
-       if (settings_get(event, &ldap_pre_setting_parser_info,
-                        RAW_SETTINGS, &ldap_pre, error_r) < 0)
+
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+               .flags = RAW_SETTINGS,
+       };
+       if (settings_get_params(event, &ldap_pre_setting_parser_info,
+                               &params, &ldap_pre, error_r) < 0)
                goto failed;
 
        module = p_new(pool, struct ldap_passdb_module, 1);
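Review bot: The `goto failed` just above the new declaration now jumps across the initialised `params`, here and in the userdb_ldap_preinit hunk. That is legal C, but GCC's `-Wjump-misses-init` reports it, and `params` is indeterminate at the label, which lies outside the hunk. Declaring `params` with the other locals at the top of the function avoids both. Separately, if `RAW_SETTINGS` disables variable expansion (its definition is not visible here), `escape_func` has no effect on this call, and a comment such as `/* escape_func is unused with RAW_SETTINGS; set for consistency with the lookup paths */` would say so.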
index fbe3ed7f4c8a52346f46fc2a3b626f4104620366..133f1217a08920d14b80f8ae53a011843aefad05 100644 (file)
@@ -121,9 +121,12 @@ static void userdb_ldap_lookup(struct auth_request *auth_request,
        struct userdb_ldap_request *request;
        const char *error;
 
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+       };
        const struct ldap_pre_settings *ldap_pre = NULL;
-       if (settings_get(event, &ldap_pre_setting_parser_info, 0,
-                        &ldap_pre, &error) < 0 ||
+       if (settings_get_params(event, &ldap_pre_setting_parser_info, &params,
+                               &ldap_pre, &error) < 0 ||
            ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_USERDB,
                                         &error) < 0) {
                e_error(event, "%s", error);
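Review bot: One `ldap_escape` now covers values that end up in three different syntaxes (the search filter, the search base and the bind DN, per the commit title), and nothing at the call sites records that its output is safe in all of them. Filter escaping (RFC 4515) and DN escaping (RFC 4514) have different metacharacter sets, so a comment above `params`, for example `/* ldap_escape output must be safe in both filter and DN contexts */`, would document the requirement. `ldap_escape` itself is not visible in this diff, so this is something to confirm rather than a known gap. The file list shows only the two source files, so a regression test that expands a username containing filter and DN metacharacters through each lookup type would keep the breakage from c2ccdab8 from recurring unnoticed.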
@@ -257,9 +260,12 @@ userdb_ldap_iterate_init(struct auth_request *auth_request,
        request = &ctx->request;
        request->ctx = ctx;
 
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+       };
        const struct ldap_pre_settings *ldap_pre = NULL;
-       if (settings_get(event, &ldap_pre_setting_parser_info, 0,
-                        &ldap_pre, &error) < 0 ||
+       if (settings_get_params(event, &ldap_pre_setting_parser_info, &params,
+                               &ldap_pre, &error) < 0 ||
            ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_ITERATE,
                                         &error) < 0) {
                e_error(event, "%s", error);
@@ -332,8 +338,13 @@ userdb_ldap_preinit(pool_t pool, struct event *event,
        if (settings_get(event, &ldap_post_setting_parser_info,
                         RAW_SETTINGS, &ldap_post, error_r) < 0)
                goto failed;
-       if (settings_get(event, &ldap_pre_setting_parser_info,
-                        RAW_SETTINGS, &ldap_pre, error_r) < 0)
+
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+               .flags = RAW_SETTINGS,
+       };
+       if (settings_get_params(event, &ldap_pre_setting_parser_info,
+                               &params, &ldap_pre, error_r) < 0)
                goto failed;
 
        module = p_new(pool, struct ldap_userdb_module, 1);