From 07aec0297354ce1a2bb273def8173ff0a524f852 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= <grosse@cosmocode.de>
Date: Thu, 12 Mar 2015 16:57:13 +0100
Subject: Escape user strings given to adLDAP

---
 lib/plugins/authad/auth.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'lib/plugins/authad')

diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php
index 321a60f24..400a5efee 100644
--- a/lib/plugins/authad/auth.php
+++ b/lib/plugins/authad/auth.php
@@ -3,6 +3,7 @@
 if(!defined('DOKU_INC')) die();
 
 require_once(DOKU_PLUGIN.'authad/adLDAP/adLDAP.php');
+require_once(DOKU_PLUGIN.'authad/adLDAP/classes/adLDAPUtils.php');
 
 /**
  * Active Directory authentication backend for DokuWiki
@@ -340,19 +341,20 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin {
         if (!$filter){
             return '*';
         }
+        $adldapUtils = new adLDAPUtils($this->_adldap(null));
         $result = '*';
         if (isset($filter['name'])) {
-            $result .= ')(displayname=*' . $filter['name'] . '*';
+            $result .= ')(displayname=*' . $adldapUtils->ldapSlashes($filter['name']) . '*';
             unset($filter['name']);
         }
 
         if (isset($filter['user'])) {
-            $result .= ')(samAccountName=*' . $filter['user'] . '*';
+            $result .= ')(samAccountName=*' . $adldapUtils->ldapSlashes($filter['user']) . '*';
             unset($filter['user']);
         }
 
         if (isset($filter['mail'])) {
-            $result .= ')(mail=*' . $filter['mail'] . '*';
+            $result .= ')(mail=*' . $adldapUtils->ldapSlashes($filter['mail']) . '*';
             unset($filter['mail']);
         }
         return $result;
-- 
cgit v1.2.3