From 7a7c301d7d0643fbb1a3a31b8ad5974013567270 Mon Sep 17 00:00:00 2001
From: Arthur Schiwon <blizzz@owncloud.com>
Date: Thu, 17 May 2012 15:14:47 +0200
Subject: [PATCH] LDAP: follow user- and groupname char limitations for LDAP
 display names

WARNING: may affect existing installations if display names included unallowed characters. Allowed are only a-zA-Z0-9._-@ This fix is however needed, because names with unallowed characters may cause conflicts
---
 apps/user_ldap/lib_ldap.php | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/apps/user_ldap/lib_ldap.php b/apps/user_ldap/lib_ldap.php
index 00d81e73ef..5252f4cce7 100644
--- a/apps/user_ldap/lib_ldap.php
+++ b/apps/user_ldap/lib_ldap.php
@@ -198,6 +198,7 @@ class OC_LDAP {
 			$ldapname = self::readAttribute($dn, $nameAttribute);
 			$ldapname = $ldapname[0];
 		}
+		$ldapname = self::sanitizeUsername($ldapname);
 
 		//a new user/group! Then let's try to add it. We're shooting into the blue with the user/group name, assuming that in most cases there will not be a conflict. Otherwise an error will occur and we will continue with our second shot.
 		if(self::mapComponent($dn, $ldapname, $isUser)) {
@@ -255,16 +256,17 @@ class OC_LDAP {
 				continue;
 			}
 
-			//a new group! Then let's try to add it. We're shooting into the blue with the group name, assuming that in most cases there will not be a conflict
-			if(self::mapComponent($ldapObject['dn'], $ldapObject[$nameAttribute], $isUsers)) {
-				$ownCloudNames[] = $ldapObject[$nameAttribute];
+			//a new group! Then let's try to add it. We're shooting into the blue with the group name, assuming that in most cases there will not be a conflict. But first make sure, that the display name contains only allowed characters.
+			$ocname = self::sanitizeUsername($ldapObject[$nameAttribute]);
+			if(self::mapComponent($ldapObject['dn'], $ocname, $isUsers)) {
+				$ownCloudNames[] = $ocname;
 				continue;
 			}
 
 			//doh! There is a conflict. We need to distinguish between groups. Adding indexes is an idea, but not much of a help for the user. The DN is ugly, but for now the only reasonable way. But we transform it to a readable format and remove the first part to only give the path where this entry is located.
-			$oc_name = self::alternateOwnCloudName($ldapObject[$nameAttribute], $ldapObject['dn']);
-			if(self::mapComponent($ldapObject['dn'], $oc_name, $isUsers)) {
-				$ownCloudNames[] = $oc_name;
+			$ocname = self::alternateOwnCloudName($ocname, $ldapObject['dn']);
+			if(self::mapComponent($ldapObject['dn'], $ocname, $isUsers)) {
+				$ownCloudNames[] = $ocname;
 				continue;
 			}
 
@@ -284,7 +286,9 @@ class OC_LDAP {
 	 */
 	static private function alternateOwnCloudName($name, $dn) {
 		$ufn = ldap_dn2ufn($dn);
-		return $name . ' (' . trim(substr_replace($ufn, '', 0, strpos($ufn, ','))) . ')';
+		$name = $name . '@' . trim(substr_replace($ufn, '', 0, strpos($ufn, ',')));
+		$name = self::sanitizeUsername($name);
+		return $name;
 	}
 
 	/**
@@ -522,6 +526,16 @@ class OC_LDAP {
 		return $dn;
 	}
 
+	static private function sanitizeUsername($name) {
+		//REPLACEMENTS
+		$name = str_replace(' ', '_', $name);
+
+		//every remaining unallowed characters will be removed
+		$name = preg_replace('/[^a-zA-Z0-9_.@-]/', '', $name);
+
+		return $name;
+	}
+
 	/**
 	 * @brief combines the input filters with AND
 	 * @param $filters array, the filters to connect
-- 
GitLab