Page Menu
Home
c4science
Search
Configure Global Search
Log In
Files
F97247518
ldapsprintf.php
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Subscribers
None
File Metadata
Details
File Info
Storage
Attached
Created
Fri, Jan 3, 18:50
Size
1 KB
Mime Type
text/x-php
Expires
Sun, Jan 5, 18:50 (2 d)
Engine
blob
Format
Raw Data
Handle
23364024
Attached To
rPHU libphutil
ldapsprintf.php
View Options
<?php
/**
* Format an LDAP string. This function behaves like `sprintf`, except that all
* the normal conversions (like "%s") will be properly escaped, and additional
* conversions are supported:
*
* %S (Search Filter)
* Escapes text for use in a search filter.
*
* %Q (Raw Query)
* Inserts raw, unescaped text. DANGEROUS!
*
*/
function
ldap_sprintf
(
$pattern
/* , ... */
)
{
$args
=
func_get_args
();
return
xsprintf
(
'xsprintf_ldap'
,
null
,
$args
);
}
/**
* @{function:ldap_sprintf} callback for LDAP encoding.
*/
function
xsprintf_ldap
(
$userdata
,
&
$pattern
,
&
$pos
,
&
$value
,
&
$length
)
{
$type
=
$pattern
[
$pos
];
// https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
switch
(
$type
)
{
case
'S'
:
$value
=
str_replace
(
array
(
'
\\
'
,
'*'
,
'('
,
')'
,
"
\0
"
),
array
(
'
\\
5c'
,
'
\\
2a'
,
'
\\
28'
,
'
\\
29'
,
'
\\
00'
),
$value
);
$type
=
's'
;
break
;
case
's'
:
$value
=
addcslashes
(
$value
,
',
\\
#+<>;"= '
);
$type
=
's'
;
break
;
case
'Q'
:
$type
=
's'
;
break
;
}
$pattern
[
$pos
]
=
$type
;
}
Event Timeline
Log In to Comment