From f91480c7562fd810496beef530f99301480f65f7 Mon Sep 17 00:00:00 2001 From: itssherwin Date: Wed, 23 Jul 2025 23:06:17 +0330 Subject: [PATCH 1/2] fix: prevent LDAP injection by validating and escaping username input --- oauth/index.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/oauth/index.php b/oauth/index.php index 9a7e804..fb694ed 100644 --- a/oauth/index.php +++ b/oauth/index.php @@ -51,6 +51,22 @@ function messageShow($html_template, $message = 'No Msg') { $user=strtolower(strip_tags(htmlspecialchars(trim($_POST['user'])))); $password=$_POST['password']; + // Validate username against a safe pattern (alphanumeric, dot, underscore, dash) + if (!preg_match('/^[a-zA-Z0-9._-]{1,64}$/', $user)) { + messageShow($prompt_template, 'Username contains invalid characters. Please try again.'); + exit(); + } + + // Escape LDAP special characters in username + if (!function_exists('ldap_escape')) { + function ldap_escape($value) { + return preg_replace_callback('/[\\x00-\\x1F\\x7F\\(\\)\\\\\\*\\0]/', function ($matches) { + return '\\' . str_pad(dechex(ord($matches[0])), 2, '0', STR_PAD_LEFT); + }, $value); + } + } + $user = ldap_escape($user); + // Open a LDAP connection $ldap = new LDAP($ldap_host,$ldap_port,$ldap_version,$ldap_start_tls); From f9e862c29f4e1647e058932c77c63d26cdc44041 Mon Sep 17 00:00:00 2001 From: sherwin Date: Sat, 26 Jul 2025 11:28:07 +0330 Subject: [PATCH 2/2] Update index.php --- oauth/index.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/oauth/index.php b/oauth/index.php index fb694ed..03db224 100644 --- a/oauth/index.php +++ b/oauth/index.php @@ -51,13 +51,12 @@ function messageShow($html_template, $message = 'No Msg') { $user=strtolower(strip_tags(htmlspecialchars(trim($_POST['user'])))); $password=$_POST['password']; - // Validate username against a safe pattern (alphanumeric, dot, underscore, dash) - if (!preg_match('/^[a-zA-Z0-9._-]{1,64}$/', $user)) { - messageShow($prompt_template, 'Username contains invalid characters. Please try again.'); + // Sherwin Ldap-escape + if (!filter_var($user, FILTER_VALIDATE_EMAIL)) { + messageShow($prompt_template, 'Username contains invalid charecters.'); exit(); } - - // Escape LDAP special characters in username + if (!function_exists('ldap_escape')) { function ldap_escape($value) { return preg_replace_callback('/[\\x00-\\x1F\\x7F\\(\\)\\\\\\*\\0]/', function ($matches) { @@ -66,6 +65,7 @@ function ldap_escape($value) { } } $user = ldap_escape($user); + // Sherwin Ldap-escape // Open a LDAP connection $ldap = new LDAP($ldap_host,$ldap_port,$ldap_version,$ldap_start_tls);