- Escape LDAP filter and DN values properly, to prevent security problems

1 files changed, 43 insertions, 2 deletions

diff --git a/daemon/ldap.c b/daemon/ldap.c
index 1e03c32..9fda424 100644
--- a/daemon/ldap.c
+++ b/daemon/ldap.c
@@ -230,12 +230,53 @@ static int add_cached_basic(ldap_context_t* ctx, unsigned char* key)
   return HA_OK;
 }
 
+#define LDAP_NO_ESCAPE "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-_"
+#define LDAP_HEX "0123456789abcdef"
+
+static const char* escape_ldap(ha_buffer_t* buf, const char* str)
+{
+  const char* t = str;
+  size_t pos;
+
+  ha_bufcpy(buf, "");
+
+  while(*t)
+  {
+    pos = strspn(t, LDAP_NO_ESCAPE);
+
+    if(pos > 0)
+    {
+      ha_bufjoin(buf);
+      ha_bufncpy(buf, t, pos);
+
+      t += pos;
+    }
+
+    while(*t && !strchr(LDAP_NO_ESCAPE, t))
+    {
+      char hex[4];
+      hex[0] = '\\';
+      hex[1] = LDAP_HEX[*t >> 4 & 0xf];
+      hex[2] = LDAP_HEX[*t 0xf];
+      hex[3] = '\0';
+
+      ha_bufjoin(buf);
+      ha_bufcpy(buf, hex);
+
+      t++;
+    }
+  }
+
+  return ha_bufdata(buf);
+}
+
 static const char* substitute_params(ldap_context_t* ctx, ha_buffer_t* buf,
                                      const char* user, const char* str)
 {
   const char* t;
 
   ASSERT(ctx && buf && user && str);
+
   /* TODO: We need to be escaping the user and realm properly */
   /* This starts a new block to join */
   ha_bufcpy(buf, "");
@@ -259,13 +300,13 @@ static const char* substitute_params(ldap_context_t* ctx, ha_buffer_t* buf,
     {
     case 'u':
       ha_bufjoin(buf);
-      ha_bufcpy(buf, user);
+      escape_ldap(buf, user);
       t++;
       break;
 
     case 'r':
       ha_bufjoin(buf);
-      ha_bufcpy(buf, ctx->opts->realm);
+      escape_ldap(buf, ctx->opts->realm);
       t++;
       break;