[PATCH 05/24] auth: passdb/userdb ldap - Fix escaping ldap filter, base and bind_userdn
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Fri, 20 Feb 2026 16:37:38 +0000 (18:37 +0200)
committerNoah Meyerhans <noahm@debian.org>
Tue, 31 Mar 2026 19:07:17 +0000 (15:07 -0400)
Broken by c2ccdab8d09dec65753ee42366f48d53d7f47cfd

Gbp-Pq: Name CVE-2026-24031-27860-2.patch

src/auth/passdb-ldap.c
src/auth/userdb-ldap.c

index 34ebc005035b99f9f4f14eaffc52e50a345f26d5..7bec50c803cf478e9a847a41416fad6455b0ac1b 100644 (file)
@@ -376,9 +376,12 @@ ldap_verify_plain(struct auth_request *request,
                return;
        }
 
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+       };
        const struct ldap_pre_settings *ldap_pre = NULL;
-       if (settings_get(event, &ldap_pre_setting_parser_info, 0,
-                        &ldap_pre, &error) < 0 ||
+       if (settings_get_params(event, &ldap_pre_setting_parser_info,
+                               &params, &ldap_pre, &error) < 0 ||
            ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_PASSDB,
                                         &error) < 0) {
                e_error(event, "%s", error);
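Review bot: The `settings_get_params` initializer with `.escape_func = ldap_escape` is written out by hand at five call sites (here, L33-35, L52-55, L66-68 and L81-83 in userdb-ldap.c), and a lookup site that forgets the field silently regresses to the unescaped behaviour this commit fixes. A single shared definition next to `ldap_pre_setting_parser_info`, e.g. `static const struct settings_get_params ldap_pre_params = { .escape_func = ldap_escape };` plus a one-line comment `/* %variables expanded into filter/base/bind_userdn must be LDAP-escaped */`, would make the invariant hard to lose. The preinit sites that also set `.flags = RAW_SETTINGS` would need their own variant. ldap_verify_plain's body starts and ends outside this hunk.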
@@ -414,10 +417,13 @@ static void ldap_lookup_credentials(struct auth_request *request,
        auth_request_ref(request);
        ldap_request->request.ldap.auth_request = request;
 
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+       };
        const char *error;
        const struct ldap_pre_settings *ldap_pre = NULL;
-       if (settings_get(event, &ldap_pre_setting_parser_info, 0,
-                        &ldap_pre, &error) < 0 ||
+       if (settings_get_params(event, &ldap_pre_setting_parser_info, &params,
+                               &ldap_pre, &error) < 0 ||
            ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_PASSDB,
                                         &error) < 0) {
                e_error(event, "%s", error);
@@ -446,8 +452,13 @@ static int passdb_ldap_preinit(pool_t pool, struct event *event,
        if (settings_get(event, &auth_passdb_post_setting_parser_info,
                         RAW_SETTINGS, &auth_post, error_r) < 0)
                goto failed;
-       if (settings_get(event, &ldap_pre_setting_parser_info,
-                        RAW_SETTINGS, &ldap_pre, error_r) < 0)
+
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+               .flags = RAW_SETTINGS,
+       };
+       if (settings_get_params(event, &ldap_pre_setting_parser_info,
+                               &params, &ldap_pre, error_r) < 0)
                goto failed;
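Review bot: This preinit lookup combines `.flags = RAW_SETTINGS` with `.escape_func = ldap_escape`; if RAW_SETTINGS means the %variables are left unexpanded here (inferred from the name, not visible in the hunk), the escape function has nothing to act on and a reader may later "simplify" the runtime sites to match. A short comment above the initializer stating why both are set, e.g. `/* raw values are only validated here; escaping applies when the runtime lookups expand %variables */`, would pin the intent. The same applies to userdb_ldap_preinit at L99-102. passdb_ldap_preinit continues outside this hunk.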
 
        module = p_new(pool, struct ldap_passdb_module, 1);
index 664e95ad872aedd63a4e211abc4910bc73c6ff2d..18968c1b75dd983386e26c9fc807fdf18d578576 100644 (file)
@@ -122,9 +122,12 @@ static void userdb_ldap_lookup(struct auth_request *auth_request,
        struct userdb_ldap_request *request;
        const char *error;
 
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+       };
        const struct ldap_pre_settings *ldap_pre = NULL;
-       if (settings_get(event, &ldap_pre_setting_parser_info, 0,
-                        &ldap_pre, &error) < 0 ||
+       if (settings_get_params(event, &ldap_pre_setting_parser_info, &params,
+                               &ldap_pre, &error) < 0 ||
            ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_USERDB,
                                         &error) < 0) {
                e_error(event, "%s", error);
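Review bot: One escape function is applied to three different syntactic contexts, the search filter (RFC 4515), the search base and the bind DN (RFC 4514), so the fix only holds if `ldap_escape` covers both metacharacter sets; that is not visible from this hunk and is worth stating where `ldap_escape` is declared, e.g. `/* escapes both filter and DN special characters; safe for filter, base and bind_userdn */`. A regression test in the auth test suite that expands a username containing characters from both sets and asserts only their escaped forms reach the filter and DN strings would keep this commit from being undone the way the referenced change did. userdb_ldap_lookup's body starts and ends outside this hunk.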
@@ -258,9 +261,12 @@ userdb_ldap_iterate_init(struct auth_request *auth_request,
        request = &ctx->request;
        request->ctx = ctx;
 
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+       };
        const struct ldap_pre_settings *ldap_pre = NULL;
-       if (settings_get(event, &ldap_pre_setting_parser_info, 0,
-                        &ldap_pre, &error) < 0 ||
+       if (settings_get_params(event, &ldap_pre_setting_parser_info, &params,
+                               &ldap_pre, &error) < 0 ||
            ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_ITERATE,
                                         &error) < 0) {
                e_error(event, "%s", error);
@@ -331,8 +337,13 @@ static int userdb_ldap_preinit(pool_t pool, struct event *event,
        if (settings_get(event, &ldap_post_setting_parser_info,
                         RAW_SETTINGS, &ldap_post, error_r) < 0)
                goto failed;
-       if (settings_get(event, &ldap_pre_setting_parser_info,
-                        RAW_SETTINGS, &ldap_pre, error_r) < 0)
+
+       const struct settings_get_params params = {
+               .escape_func = ldap_escape,
+               .flags = RAW_SETTINGS,
+       };
+       if (settings_get_params(event, &ldap_pre_setting_parser_info,
+                               &params, &ldap_pre, error_r) < 0)
                goto failed;
 
        module = p_new(pool, struct ldap_userdb_module, 1);