Escapes the given VALUES according to RFC 2254 so that they can be safely used in LDAP filters.
Any control characters with an ASCII code < 32 as well as the characters with special meaning in
LDAP filters "*", "(", ")", and "\" (the backslash) are converted into the representation of a
backslash followed by two hex digits representing the hexadecimal value of the character.
public static escape_filter_value ( array $values = [], $singleValue = true ) : array | ||
$values | array | Array of values to escape |
return | array | Array $values, but escaped |
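/**
 * Add attributes from an LDAP server.
 *
 * Every "%<attribute>%" placeholder in $this->search_filter is replaced with the first
 * value of that attribute, escaped with SimpleSAML_Auth_LDAP::escape_filter_value so the
 * value cannot alter the structure of the filter. The search is then run and every value
 * of $this->search_attribute found in the matching entries is stored under
 * $this->new_attribute.
 *
 * @param array &$request The current request; $request['Attributes'] is modified in place.
 *
 * @throws Exception If the attribute named by $this->attribute_map['username'] is missing.
 */
public function process(&$request)
{
    // Expression form: a string argument to assert() is evaluated as code on PHP 5 and
    // silently treated as a truthy value on PHP 8, so the check would never run.
    assert(is_array($request));
    assert(array_key_exists('Attributes', $request));

    $attributes =& $request['Attributes'];
    $map =& $this->attribute_map;

    if (!isset($attributes[$map['username']])) {
        throw new Exception(
            'The user\'s identity does not have an attribute called "' . $map['username'] . '"'
        );
    }

    // Build the search/replace arrays for the "%attr%" placeholders. Initialising them
    // keeps str_replace() from receiving undefined variables when there are no attributes.
    $arrSearch = array();
    $arrReplace = array();
    foreach ($attributes as $attr => $val) {
        $arrSearch[] = '%' . $attr . '%';
        // Only the first value of a multi-valued attribute is used in the filter.
        $first = (is_array($val) && isset($val[0])) ? $val[0] : '';
        if (strlen($first) > 0) {
            // RFC 2254 escaping keeps "*", "(", ")" and "\" in the value from being read as filter syntax.
            $arrReplace[] = SimpleSAML_Auth_LDAP::escape_filter_value($first);
        } else {
            $arrReplace[] = '';
        }
    }

    // Merge the attribute values into the configured search filter.
    $filter = str_replace($arrSearch, $arrReplace, $this->search_filter);

    // Search for matching entries.
    $entries = $this->getLdap()->searchformultiple(
        $this->base_dn,
        $filter,
        (array) $this->search_attribute,
        true,
        false
    );

    // Collect every value of the search attribute from every matching entry.
    if (is_array($entries) && isset($entries[0]) && is_array($entries[0])) {
        $key = strtolower($this->search_attribute);
        $results = array();
        foreach ($entries as $entry) {
            // Entries without the attribute are skipped instead of raising an undefined index.
            if (!isset($entry[$key]) || !is_array($entry[$key])) {
                continue;
            }
            $values = $entry[$key];
            // The result carries a 'count' element alongside the indexed values.
            $count = isset($values['count']) ? (int) $values['count'] : 0;
            for ($i = 0; $i < $count; $i++) {
                $results[] = $values[$i];
            }
        }
        $attributes[$this->new_attribute] = array_values($results);
    }
}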
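/**
 * Add attributes from an LDAP server.
 *
 * Every "%<attribute>%" placeholder in $this->search_filter is replaced with the first
 * value of that attribute, escaped with SimpleSAML_Auth_LDAP::escape_filter_value so a
 * value cannot change the structure of the filter. The entries found are copied into
 * $request['Attributes'] according to $this->attr_policy:
 *   - 'merge':   append values that are not already present
 *   - 'replace': drop the existing attribute first, then take the LDAP values
 *   - 'add':     append every LDAP value, duplicates included
 *
 * Searching is best-effort: an unresolved placeholder, an invalid policy or an LDAP
 * error is logged and the request is left unchanged.
 *
 * @param array &$request The current request; $request['Attributes'] is modified in place.
 */
public function process(&$request)
{
    // Expression form: a string argument to assert() is evaluated as code on PHP 5 and
    // silently treated as a truthy value on PHP 8, so the check would never run.
    assert(is_array($request));
    assert(array_key_exists('Attributes', $request));

    $attributes =& $request['Attributes'];

    // Build the search/replace arrays for the "%attr%" placeholders. Initialising them
    // keeps str_replace() from receiving undefined variables when there are no attributes.
    $arrSearch = array();
    $arrReplace = array();
    foreach ($attributes as $attr => $val) {
        $arrSearch[] = '%' . $attr . '%';
        // Only the first value of a multi-valued attribute is used in the filter.
        $first = (is_array($val) && isset($val[0])) ? $val[0] : '';
        if (strlen($first) > 0) {
            $arrReplace[] = SimpleSAML_Auth_LDAP::escape_filter_value($first);
        } else {
            $arrReplace[] = '';
        }
    }

    // Merge the attribute values into the configured search filter.
    $filter = str_replace($arrSearch, $arrReplace, $this->search_filter);

    // A '%' left in the filter means a placeholder had no matching attribute. Note that
    // escape_filter_value() does not escape '%', so an attribute value containing '%'
    // also trips this check; the search is then skipped (fail closed) and logged.
    if (strpos($filter, '%') !== false) {
        SimpleSAML_Logger::info(
            'AttributeAddFromLDAP: There are non-existing attributes in the search filter. (' .
            $this->search_filter . ')'
        );
        return;
    }

    // Strict comparison: the policy must be exactly one of the three strings.
    if (!in_array($this->attr_policy, array('merge', 'replace', 'add'), true)) {
        SimpleSAML_Logger::warning(
            "AttributeAddFromLDAP: 'attribute.policy' must be one of 'merge'," .
            "'replace' or 'add'."
        );
        return;
    }

    // Search for matching entries.
    try {
        $entries = $this->getLdap()->searchformultiple(
            $this->base_dn,
            $filter,
            array_values($this->search_attributes),
            true,
            false
        );
    } catch (Exception $e) {
        return; // deliberate best-effort: the LDAP layer has already logged the error
    }
    if (!is_array($entries)) {
        return;
    }

    // Copy the requested attributes from every entry into the request.
    foreach ($entries as $entry) {
        foreach ($this->search_attributes as $target => $name) {
            // A list entry (numeric key) is stored under the LDAP attribute name itself;
            // a map entry ('target' => 'ldapName') renames it.
            if (is_numeric($target)) {
                $target = $name;
            }
            if ($this->attr_policy === 'replace' && isset($attributes[$target])) {
                unset($attributes[$target]);
            }
            $name = strtolower($name);
            if (!isset($entry[$name]) || !is_array($entry[$name])) {
                continue;
            }
            // The result carries a 'count' element alongside the values; drop it first.
            unset($entry[$name]['count']);
            $values = array_values($entry[$name]);
            if (!isset($attributes[$target])) {
                $attributes[$target] = $values;
                continue;
            }
            foreach ($values as $value) {
                // 'merge' skips values already present; 'add' appends unconditionally.
                if ($this->attr_policy === 'merge' && in_array($value, $attributes[$target], true)) {
                    continue;
                }
                $attributes[$target][] = $value;
            }
        }
    }
}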
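/**
 * Add attributes from an LDAP server.
 *
 * Builds the configured ldap_search_filter from the request attributes (values are
 * escaped with SimpleSAML_Auth_LDAP::escape_filter_value so they cannot alter the
 * filter structure), binds to the configured directory, runs the search and stores
 * every value of ldap_search_attribute from the first matching entry under
 * new_attribute_name. The LDAP connection is released on every exit path.
 *
 * @param array &$request The current request; $request['Attributes'] is modified in place.
 *
 * @throws Exception If the user id attribute is missing, the LDAP connection cannot be
 *                   initialised, the bind fails or the search fails.
 */
public function process(&$request)
{
    // Expression form: a string argument to assert() is evaluated as code on PHP 5 and
    // silently treated as a truthy value on PHP 8, so the check would never run.
    assert(is_array($request));
    assert(array_key_exists('Attributes', $request));

    $attributes =& $request['Attributes'];
    $config = $this->config;

    if (!isset($attributes[$config['userid_attribute']])) {
        throw new Exception(
            'The user\'s identity does not have an attribute called "' . $config['userid_attribute'] . '"'
        );
    }

    // Build the search/replace arrays for the "%attr%" placeholders. Initialising them
    // keeps str_replace() from receiving undefined variables when there are no attributes.
    $arrSearch = array();
    $arrReplace = array();
    foreach ($attributes as $attr => $val) {
        $arrSearch[] = '%' . $attr . '%';
        // Only the first value of a multi-valued attribute is used in the filter.
        $first = (is_array($val) && isset($val[0])) ? $val[0] : '';
        if (strlen($first) > 0) {
            $arrReplace[] = SimpleSAML_Auth_LDAP::escape_filter_value($first);
        } else {
            $arrReplace[] = '';
        }
    }

    // Merge the attribute values into the configured search filter.
    $merged_ldap_search_filter = str_replace($arrSearch, $arrReplace, $config['ldap_search_filter']);

    // Connect to the LDAP directory. A false return means the parameters were invalid,
    // and there is no handle to query ldap_error() on at this point.
    $ds = ldap_connect($config['ldap_host'], $config['ldap_port']);
    if (!$ds) {
        throw new Exception(
            'Failed to initialize LDAP connection parameters (' . $config['ldap_host'] . ')'
        );
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // NOTE(review): nothing here negotiates TLS (no ldap_start_tls()); unless ldap_host
    // is an ldaps:// URI the bind credentials travel in the clear -- confirm the deployment.
    try {
        if (!empty($config['ldap_bind_user']) && !empty($config['ldap_bind_pwd'])) {
            // Bind to the directory as the specified user.
            if (!ldap_bind($ds, $config['ldap_bind_user'], $config['ldap_bind_pwd'])) {
                throw new Exception(
                    $config['ldap_bind_user'] . ' failed to bind against ' . $config['ldap_host'] .
                    ' (' . ldap_error($ds) . ')'
                );
            }
        } else {
            // Bind to the directory anonymously.
            if (!ldap_bind($ds)) {
                throw new Exception(
                    'Failed to anonymously bind against ' . $config['ldap_host'] .
                    ' (' . ldap_error($ds) . ')'
                );
            }
        }

        // Search for matching entries; ldap_search() returns false on failure, which
        // ldap_get_entries() would not accept.
        $sr = ldap_search(
            $ds,
            $config['ldap_search_base_dn'],
            $merged_ldap_search_filter,
            array($config['ldap_search_attribute'])
        );
        if ($sr === false) {
            throw new Exception(
                'LDAP search against ' . $config['ldap_host'] . ' failed (' . ldap_error($ds) . ')'
            );
        }
        $entries = ldap_get_entries($ds, $sr);
    } catch (Exception $e) {
        // Release the connection on the error path too, then propagate.
        ldap_unbind($ds);
        throw $e;
    }
    ldap_unbind($ds);

    // Copy all values of the search attribute from the first matching entry.
    if (is_array($entries) && isset($entries[0]) && is_array($entries[0])) {
        $key = strtolower($config['ldap_search_attribute']);
        $results = array();
        // An entry without the attribute yields an empty list instead of an undefined index.
        if (isset($entries[0][$key]) && is_array($entries[0][$key])) {
            $entry = $entries[0][$key];
            // The result carries a 'count' element alongside the indexed values.
            $count = isset($entry['count']) ? (int) $entry['count'] : 0;
            for ($i = 0; $i < $count; $i++) {
                $results[] = $entry[$i];
            }
        }
        $attributes[$config['new_attribute_name']] = array_values($results);
    }
}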