diff --git a/phpBB/config.php b/phpBB/config.php
index e69de29bb2..fcfbc98bc2 100644
--- a/phpBB/config.php
+++ b/phpBB/config.php
@@ -0,0 +1,17 @@
+
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 15ec8cb4fc..9fc30afeed 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -158,6 +158,7 @@
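Review bot: The phpBB/config.php hunk replaces the tracked empty file (blob e69de29bb2) with 17 added lines whose content is not shown here, in a commit that otherwise only touches the LDAP plugin and the changelog. In phpBB that file holds the database host, name, user and password of a concrete installation, so if those lines are an installer-generated configuration they belong to the developer's checkout rather than to this fix, and once pushed the credentials in them should be treated as exposed and rotated. Unless the change to config.php is intentional, drop it from the commit and keep the file empty as before.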
  • [Fix] Fix "Always show a scrollbar for short pages" for IE8 and Firefox 3.5 (Bug #47865 - Patch by stokerpiller)
  • [Fix] Do not allow setting group as default group for pending user (Bug #45675 - Patch by nickvergessen)
  • [Fix] Fail gracefully if store folder is not writable during update. (Bugs #46615, #46945)
  • +
  • [Fix] Correct escaping/unescaping in the LDAP authentication plugin. (Bug #48175)
  • [Change] Change the data format of the default file ACM to be more secure from tampering and have better performance.
  • [Change] Add index on log_time to the log table to prevent slowdown on boards with many log entries. (Bug #44665 - Patch by bantu)
  • [Change] Template engine now permits to a limited extent variable includes.
• diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php
index 11c62ad0bc..b70e644b14 100644
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@@ -63,9 +63,11 @@ function init_ldap()
 // ldap_connect only checks whether the specified server is valid, so the connection might still fail
 $search = @ldap_search(
 $ldap,
- $config['ldap_base_dn'],
+ htmlspecialchars_decode($config['ldap_base_dn']),
 ldap_user_filter($user->data['username']),
- (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
+ (empty($config['ldap_email'])) ?
+ array(htmlspecialchars_decode($config['ldap_uid'])) :
+ array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])),
 0,
 1
 );
@@ -85,7 +87,7 @@ function init_ldap()
 return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
 }
 
- if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']]))
+ if (!empty($config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($config['ldap_email'])]))
 {
 return $user->lang['LDAP_NO_EMAIL'];
 }
@@ -152,7 +154,7 @@ function login_ldap(&$username, &$password)
 if ($config['ldap_user'] || $config['ldap_password'])
 {
- if (!@ldap_bind($ldap, $config['ldap_user'], htmlspecialchars_decode($config['ldap_password'])))
+ if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password'])))
 {
 return $user->lang['LDAP_NO_SERVER_CONNECTION'];
 }
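Review bot: The attribute list passed to ldap_search() now decodes ldap_uid, but the filter on the same call comes from ldap_user_filter(), which is outside this hunk, and it is not visible whether that helper applies the same decoding to ldap_uid and ldap_user_filter; if it does not, a uid attribute name containing an HTML-special character is decoded for the attribute list but left encoded in the filter, and the search quietly returns no identity. Worth confirming, and applying `htmlspecialchars_decode()` there as well if needed; the same applies to the login_ldap() hunk at line 162. Decoding each config value once into a local at the top of init_ldap() and login_ldap(), e.g. `$ldap_uid = htmlspecialchars_decode($config['ldap_uid']);`, would also remove the repeated calls that this commit spreads over five lines. init_ldap() itself begins and ends outside the hunk.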
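Review bot: The key in `isset($result[0][htmlspecialchars_decode($config['ldap_email'])])` is compared against attribute names as the LDAP extension returns them; if $result is built by ldap_get_entries() (not visible in this hunk), those names are lowercased, so a mixed-case value such as `Mail` in ldap_email never matches and every login reports LDAP_NO_EMAIL although the attribute is present. Applying `strtolower()` to the decoded name here, and on the matching lookup in the login_ldap() hunk at line 227, keeps the lookup consistent with what the extension returns. The case issue predates this commit, but the line is being rewritten anyway.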
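Review bot: With `@ldap_bind(...)` every bind failure, including an invalid service password (LDAP result code 49), is reported as LDAP_NO_SERVER_CONNECTION, and the `@` discards the only diagnostic. Since this bind uses the configured service account rather than the user's credentials, recording `ldap_error($ldap)` to the admin log before returning would let an operator tell a rotated service password from an unreachable directory without exposing detail on the login form. Note also that the guard on the preceding line accepts ldap_user with an empty ldap_password, in which case ldap_bind() performs an unauthenticated bind that many directories accept, so a successful bind here does not prove the service account was actually authenticated. login_ldap() begins and ends outside the hunk, and the closing brace of the outer if-block is not among the lines shown.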
@@ -160,9 +162,11 @@ function login_ldap(&$username, &$password)
 $search = @ldap_search(
 $ldap,
- $config['ldap_base_dn'],
+ htmlspecialchars_decode($config['ldap_base_dn']),
 ldap_user_filter($username),
- (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']),
+ (empty($config['ldap_email'])) ?
+ array(htmlspecialchars_decode($config['ldap_uid'])) :
+ array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])),
 0,
 1
 );
@@ -223,7 +227,7 @@ function login_ldap(&$username, &$password)
 $ldap_user_row = array(
 'username' => $username,
 'user_password' => phpbb_hash($password),
- 'user_email' => (!empty($config['ldap_email'])) ? $ldap_result[0][$config['ldap_email']][0] : '',
+ 'user_email' => (!empty($config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($config['ldap_email'])][0]) : '',
 'group_id' => (int) $row['group_id'],
 'user_type' => USER_NORMAL,
 'user_ip' => $user->ip,
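Review bot: `$ldap_result[0][...][0]` assumes the ldap_email attribute is present and non-empty on the matched entry; unlike init_ldap(), whose hunk at line 87 checks with isset(), nothing visible in login_ldap() guards this, so an entry without the attribute raises an undefined-index notice and creates a user row with an empty email. A guard mirroring init_ldap keeps that explicit: `$ldap_email = htmlspecialchars_decode($config['ldap_email']);` and `'user_email' => (!empty($config['ldap_email']) && isset($ldap_result[0][$ldap_email][0])) ? utf8_htmlspecialchars($ldap_result[0][$ldap_email][0]) : '',`. The attribute-name case issue raised on the init_ldap() hunk at line 87 applies to this lookup too. The array literal and login_ldap() continue outside the hunk.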