ldap, cleanse local username on import, closes https://github.com/opnsense/core/issues/2242

2026-03-18 02:25:05 +00:00 · 2018-03-06 10:11:50 +01:00 · 2018-03-06 10:11:50 +01:00 · 9efc29f2dc
commit 9efc29f2dc
parent cc6c5ded1f
1 changed files with 5 additions and 1 deletions
--- a/src/www/system_usermanager_import_ldap.php
+++ b/src/www/system_usermanager_import_ldap.php
@ -99,7 +99,11 @@ if ($authcfg['type'] == 'ldap') {
              foreach ($result as $ldap_user ) {
                  foreach ($_POST['user_dn'] as $userDN) {
                      if ($userDN == $ldap_user['dn'] && !in_array($ldap_user['dn'], $confDNs)) {
-                          add_local_user($ldap_user['name'] , $ldap_user['dn'], $ldap_user['fullname']);
+                          // strip domain if it exists and cleanse ldap username to make sure it is a valid one for
+                          // our system.
+                          $username = explode('@', $ldap_user['name'])[0];
+                          $username = substr(preg_replace("/[^a-zA-Z0-9\.\-_]/", "", $username),0 ,32);
+                          add_local_user($username , $ldap_user['dn'], $ldap_user['fullname']);
                          $update_count++;
                      }
                  }