diff --git a/htdocs/create_form.php b/htdocs/create_form.php
index 4228cc8..2ed0dd6 100644
--- a/htdocs/create_form.php
+++ b/htdocs/create_form.php
@@ -1,5 +1,5 @@
',
$ldapserver->server_id,$return_form_element,$rdn,rawurlencode($dn));
diff --git a/htdocs/help.php b/htdocs/help.php
index 8aa6af6..77d9840 100644
--- a/htdocs/help.php
+++ b/htdocs/help.php
@@ -1,5 +1,5 @@
diff --git a/htdocs/rename.php b/htdocs/rename.php
index 37f3f7f..ea1a663 100644
--- a/htdocs/rename.php
+++ b/htdocs/rename.php
@@ -1,5 +1,5 @@
$ldapserver->server_id,'old_dn'=>$dn,'new_dn'=>$new_dn_value));
+$success = run_hook('pre_rename_entry',array('server_id'=>$ldapserver->server_id,'old_dn'=>dn_escape($dn),'new_dn'=>dn_escape($new_dn_value)));
if ($success) {
$success = false;
$deleteoldrdn = $old_dn_attr == $new_dn_attr;
- $success = $ldapserver->rename($dn,$new_rdn,$container,$deleteoldrdn);
+ $success = $ldapserver->rename(dn_escape($dn),dn_escape($new_rdn),$container,$deleteoldrdn);
} else {
pla_error(_('Could not rename the entry') );
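Review bot: `$container` on the new rename line is still passed raw while `$dn` and `$new_rdn` now go through `dn_escape()`; if `$container` is a DN (it is the parent the entry is moved under), it needs the same treatment or the server will see two different escaping conventions in one call, e.g. `$success = $ldapserver->rename(dn_escape($dn),dn_escape($new_rdn),dn_escape($container),$deleteoldrdn);`. The pre_rename_entry hook call on the added line escapes both DNs, so passing `$container` escaped keeps the hook and the rename consistent. The enclosing block begins outside the hunk, so whether `$container` was already escaped upstream cannot be confirmed here.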
diff --git a/htdocs/template_engine.php b/htdocs/template_engine.php
index 05226f6..2f64b37 100644
--- a/htdocs/template_engine.php
+++ b/htdocs/template_engine.php
@@ -1,5 +1,5 @@
haveAuthInfo())
pla_error(_('Not enough information to login to server. Please check your configuration.'));
- $ldapserver->dnExists($dn)
+ $ldapserver->dnExists(dn_escape($dn))
or pla_error(sprintf(_('No such entry: %s'),pretty_print_dn($dn)));
$rdn = get_rdn($dn);
@@ -870,15 +870,46 @@ foreach ($template['attrs'] as $attr => $vals) {
echo '';
- } else
+ } else {
+ if (is_dn_string($val) || $ldapserver->isDNAttr($attr))
+
+ if ($ldapserver->dnExists($val)) {
+ printf(' %s ',
+ htmlspecialchars($val),$ldapserver->server_id,
+ rawurlencode($val),dn_unescape($val));
+ } else {
+ printf(' %s ',
+ htmlspecialchars($val),$ldapserver->server_id,
+ rawurlencode($val),dn_unescape($val));
+ }
+
+ elseif (is_mail_string($val))
+ printf(' %s ',
+ htmlspecialchars($val),$val);
+
+ elseif (is_url_string($val))
+ printf(' %s ',
+ htmlspecialchars($val),$val);
+
+ else
echo htmlspecialchars($val).'
';
+
+ }
}
}
if (! strcasecmp($attr,'userPassword') && isset($user_password))
printf('%s',base64_encode($user_password),_('Check password...'));
- if (preg_match("/^${attr}=/",$rdn))
+ if (preg_match("/^${attr}=/",$rdn) &&
+ !($ldapserver->isReadOnly() || $ldapserver->isAttrReadOnly($attr)))
printf('(%s)',$rename_href,_('rename'));
echo '';
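Review bot: In the new value-rendering branch the `dn_unescape($val)` argument on the two printf calls and the bare `$val` passed as the mailto/URL href argument reach the markup without `htmlspecialchars()`, unlike the first argument of each call; the format strings are not visible in this rendering, but any argument that lands in HTML or an attribute should be escaped for that context, e.g. `htmlspecialchars(dn_unescape($val))` and `htmlspecialchars($val)` for the two href arguments. Separately, the brace-less `if (is_dn_string($val) || $ldapserver->isDNAttr($attr))` whose body is the inner `if/else` only chains to the following `elseif (is_mail_string($val))` because the inner `if` has an `else`; wrapping the DN branch in braces makes that structure explicit and survives a future edit of the inner branch. The two inner printf calls for the dnExists/not-exists cases are identical in their arguments, so if they are meant to differ only in markup a comment saying so would help. The enclosing foreach starts outside the hunk.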
@@ -1038,9 +1069,9 @@ foreach ($template['attrs'] as $attr => $vals) {
printf(' ',htmlspecialchars($val));
if ($ldapserver->isMultiLineAttr($attr,$val))
- printf('',$input_name,$input_id,htmlspecialchars($val));
+ printf('',$input_name,$input_id,htmlspecialchars(dn_unescape($val)));
else
- printf(' ',$input_name,$input_id,htmlspecialchars($val));
+ printf(' ',$input_name,$input_id,htmlspecialchars(dn_unescape($val)));
/* draw a link for popping up the entry browser if this is the type of attribute
that houses DNs. */
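Review bot: `dn_unescape($val)` is now applied to every attribute value drawn into an edit field, whereas the write path in htdocs/tree.php escapes only when `is_dn_string($val) || $ldapserver->isDNAttr($attr)`; a non-DN value that legitimately contains a backslash-hex sequence would be altered on display and then re-saved changed. Gating the unescape on the same condition keeps the round trip symmetric, e.g. `$shown = (is_dn_string($val) || $ldapserver->isDNAttr($attr)) ? dn_unescape($val) : $val;` followed by `htmlspecialchars($shown)` in both printf calls. The same unconditional unescape appears in all three htdocs/update_confirm.php hunks (old values, new values, and the per-value loop). The enclosing foreach starts outside the hunk.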
@@ -1071,8 +1102,12 @@ foreach ($template['attrs'] as $attr => $vals) {
$description = isset($group['description']) ? $group['description'] : null;
- if ($description)
+ if (is_array($description)) {
+ foreach ($description as $item)
+ printf(' (%s)',htmlspecialchars($item));
+ } else {
printf(' (%s)',htmlspecialchars($description));
+ }
echo '';
}
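Review bot: The `else` branch drops the old `if ($description)` guard, so when `$description` falls back to null on the line above, `printf(' (%s)',htmlspecialchars($description))` now emits an empty pair of parentheses. Restore the guard on the scalar branch, e.g. `} elseif ($description !== null && $description !== '') {`. The enclosing foreach starts outside the hunk.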
diff --git a/htdocs/tree.php b/htdocs/tree.php
index 8488954..9ed9a68 100644
--- a/htdocs/tree.php
+++ b/htdocs/tree.php
@@ -1,5 +1,5 @@
$ldapserver->server_id,'dn'=>$dn,'update_array'=>$update_array));
# Check for delete attributes (indicated by the attribute entry appearing like this: attr => ''
-foreach ($update_array as $attr => $val)
- if (! is_array($val))
+foreach ($update_array as $attr => $val) {
+ if (! is_array($val)) {
if (array_key_exists($attr,$skip_array))
unset($update_array[$attr]);
-
elseif ($val == '')
$update_array[$attr] = array();
# Skip change
- else
+ else {
+ if (is_dn_string($val) || $ldapserver->isDNAttr($attr))
+ $val=dn_escape($val);
$update_array[$attr] = $val;
-
- else
+ }
+ } else {
if (array_key_exists($attr,$skip_array))
unset($update_array[$attr]);
else
- foreach ($val as $i => $v)
+ foreach ($val as $i => $v) {
+ if (is_dn_string($v) || $ldapserver->isDNAttr($attr))
+ $v=dn_escape($v);
$update_array[$attr][$i] = $v;
+ }
+ }
+}
+run_hook ('pre_update',array('server_id'=>$ldapserver->server_id,'dn'=>$dn,'update_array'=>$update_array));
+#die();
/* Call the custom callback for each attribute modification
and verify that it should be modified.*/
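Review bot: `#die();` left after the new `run_hook('pre_update', ...)` call is a debugging leftover and should be removed. The context line at the top of the hunk ends with `'update_array'=>$update_array));`, which looks like the tail of an existing pre_update hook call; if that call is still present the hook now fires twice, once with unescaped and once with escaped values, and only the post-escape call should remain. Inside the loop, `elseif ($val == '')` uses loose comparison; `$val === ''` states the intent (the "attr => ''" delete marker in the comment) without relying on PHP's type juggling. The statement run that contains this loop continues outside the hunk.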
diff --git a/htdocs/update_confirm.php b/htdocs/update_confirm.php
index c50b5ff..03ca4af 100644
--- a/htdocs/update_confirm.php
+++ b/htdocs/update_confirm.php
@@ -1,5 +1,5 @@
0) {
if (obfuscate_password_display(get_enc_type($old_values[$attr][$key])))
echo preg_replace('/./','*',$old_values[$attr][$key]).'
';
else
- echo nl2br(htmlspecialchars($old_values[$attr][$key])).'
';
+ echo nl2br(htmlspecialchars(dn_unescape($old_values[$attr][$key]))).'
';
}
} elseif (is_array($old_values[$attr]))
foreach ($old_values[$attr] as $v)
- echo nl2br(htmlspecialchars($v)).'
';
+ echo nl2br(htmlspecialchars(dn_unescape($v))).'
';
else
- echo nl2br(htmlspecialchars($old_values[$attr])).'
';
+ echo nl2br(htmlspecialchars(dn_unescape($old_values[$attr]))).'
';
echo '';
echo '';
@@ -172,7 +172,7 @@ if (count($update_array) > 0) {
if (obfuscate_password_display(get_enc_type($new_val[$key])))
echo preg_replace('/./','*',$new_val[$key]).' ';
else
- echo htmlspecialchars($new_val[$key]).' ';
+ echo htmlspecialchars(dn_unescape($new_val[$key])).' ';
}
}
@@ -185,7 +185,7 @@ if (count($update_array) > 0) {
$update_array[$attr] = array_values($update_array[$attr]);
} else {
- echo nl2br(htmlspecialchars($v)).' ';
+ echo nl2br(htmlspecialchars(dn_unescape($v))).' ';
}
}
}
diff --git a/lib/functions.php b/lib/functions.php
index 1d67faa..abb726b 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1,5 +1,5 @@
" / "#" / ";"
+ # Check if the RDN has special chars escape them.
+ # - only simplest cases are dealt with
+ # TODO: '=' unhandled
+ # ';' may be used instead of ',' but its use is discouraged
+ while (preg_match('/([^\\\\])[;,](\s*[^=]*\s*)([;,]|$)/',$dn)) {
+ $dn = preg_replace('/([^\\\\]),(\s*[^=]*\s*)([;,]|$)/','$1\\\\2c$2$3',$dn);
+ $dn = preg_replace('/([^\\\\]);(\s*[^=]*\s*)([;,]|$)/','$1\\\\3b$2$3',$dn);
+ }
+ $dn = preg_replace('/([^\\\\])\+/','$1\\\\2b',$dn);
+ $dn = preg_replace('/([^\\\\])"/','$1\\\\22',$dn);
+ $dn = preg_replace('/([^\\\\])#([^0-9a-f]|$)/i','$1\\\\23$2',$dn);
+ $dn = preg_replace('/([^\\\\])>/','$1\\\\3e',$dn);
+ $dn = preg_replace('/([^\\\\])','$1\\\\3c',$dn);
if (DEBUG_ENABLED)
debug_log('dn_escape(): Entered with (%s), Returning (%s)',1,$olddn,$dn);
return $dn;
}
+/**
+ * Parse a DN and escape any special characters for use in javascript selection
+ */
+function dn_js_escape($dn) {
+ $olddn = $dn;
+ #
+ $dn = preg_replace('/([^\\\\])\'/','$1\\\\\'',$dn);
+ if (DEBUG_ENABLED)
+ debug_log('dn_js_escape(): Entered with (%s), Returning (%s)',1,$olddn,$dn);
+
+ return $dn;
+}
+
/**
* Parse a DN and unescape any special characters
*/
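Review bot: Every replacement in dn_escape() anchors on a captured preceding character `([^\\\\])`, so a special character at offset 0 of the input is never escaped; that matters because the function is also fed bare attribute values (htdocs/tree.php) and RDN fragments (htdocs/rename.php), where a leading `#`, `+`, `"`, `<` or `>` is exactly the case the escaping exists for. A negative lookbehind covers offset 0 and removes the `$1` re-insertion, e.g. `$dn = preg_replace('/(?<!\\\\)\+/','\\\\2b',$dn);` applied to each pattern; the `<` rule on the last replacement line appears truncated in this rendering, so verify the pattern in the file. dn_js_escape() escapes only `'`, but a backslash or line break in the value still ends a JavaScript string literal, so escape `\` before `'` or build the literal with `json_encode()` at the call site. Where the PHP version allows, `ldap_escape($dn, '', LDAP_ESCAPE_DN)` implements the RFC 4514 rules directly and would replace the hand-written regex chain. dn_escape() begins outside the hunk.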
@@ -1835,6 +1861,7 @@ function pla_reverse_dn($dn) {
if (DEBUG_ENABLED)
debug_log('pla_reverse_dn(): Entered with (%s)',1,$dn);
+ $rev = '';
foreach (pla_explode_dn($dn) as $key => $branch) {
// pla_expode_dn returns the array with an extra count attribute, we can ignore that.
@@ -2274,8 +2301,8 @@ function shadow_date( $attrs, $attr) {
if (DEBUG_ENABLED)
debug_log('shadow_date(): Entered with (%s,%s)',1,$attrs,$attr);
- $shadowLastChange = isset($attrs['shadowLastChange']) ? $attrs['shadowLastChange'][0] : null;
- $shadowMax = isset($attrs['shadowMax']) ? $attrs['shadowMax'][0] : null;
+ $shadowLastChange = isset($attrs['shadowLastChange']) ? $attrs['shadowLastChange'] : null;
+ $shadowMax = isset($attrs['shadowMax']) ? $attrs['shadowMax'] : null;
if( 0 == strcasecmp( $attr, 'shadowLastChange' ) && $shadowLastChange)
$shadow_date = $shadowLastChange;
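Review bot: Dropping the `[0]` index means `$shadowLastChange` and `$shadowMax` are now whatever `$attrs['shadowLastChange']` holds; if callers still pass LDAP-style attribute arrays (the form the removed lines assumed), the truthiness check passes on a non-empty array and the value assigned to `$shadow_date` is an array rather than a day count. If the intent is to accept both shapes, normalise once, e.g. `$shadowLastChange = isset($attrs['shadowLastChange']) ? (is_array($attrs['shadowLastChange']) ? $attrs['shadowLastChange'][0] : $attrs['shadowLastChange']) : null;` and the same for `$shadowMax`; a short comment stating the expected shape of `$attrs` would also help. shadow_date() continues outside the hunk.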
diff --git a/lib/server_functions.php b/lib/server_functions.php
index 49868d3..b4f60a9 100644
--- a/lib/server_functions.php
+++ b/lib/server_functions.php
@@ -1,5 +1,5 @@
|