From 75322829aec6ba7881c7a143ddea41a73b26bc97 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Mon, 4 Nov 2013 16:32:10 +0000
Subject: [PATCH] handle quotes in DN
---
 lam/templates/account/edit.php | 9 ++++++++-
 lam/templates/lists/deletelink.php | 9 +++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/lam/templates/account/edit.php b/lam/templates/account/edit.php
index 673ec47e..5ab6f01f 100644
--- a/lam/templates/account/edit.php
+++ b/lam/templates/account/edit.php
@@ -66,7 +66,14 @@ if (isset($_GET['DN'])) {
 logNewMessage(LOG_ERR, 'User tried to access hidden account type: ' . $type);
 die();
 }
-if ($_GET['DN'] == $DN) $DN = str_replace("'", '',$_GET['DN']);
+if ($_GET['DN'] == $DN) {
+if (substr($DN, 0, 1) === "'") {
+$DN = substr($DN, 1);
+}
+if (substr($DN, -1, 1) === "'") {
+$DN = substr($DN, 0, -1);
+}
+}
 $_SESSION['account'] = new accountContainer($type, 'account');
 $result = $_SESSION['account']->load_account($DN);
 if (sizeof($result) > 0) {
diff --git a/lam/templates/lists/deletelink.php b/lam/templates/lists/deletelink.php
index 505b184a..1d3974f7 100644
--- a/lam/templates/lists/deletelink.php
+++ b/lam/templates/lists/deletelink.php
@@ -3,7 +3,7 @@
 $Id$
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-Copyright (C) 2007 - 2010 Roland Gruber
+Copyright (C) 2007 - 2013 Roland Gruber
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -52,7 +52,12 @@ if (!preg_match('/^[a-z0-9_]+$/i', $type)) {
 if (isset($dn) && isset($type)) {
 $dn = str_replace("\\", '',$dn);
-$dn = str_replace("'", '',$dn);
+if (substr($dn, 0, 1) === "'") {
+$dn = substr($dn, 1);
+}
+if (substr($dn, -1, 1) === "'") {
+$dn = substr($dn, 0, -1);
+}
 $_SESSION['delete_dn'] = array($dn);
 // redirect to delete.php
 metaRefresh("../delete.php?type=" . htmlspecialchars($type));
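Review bot: The leading-quote and trailing-quote checks inside the new `if ($_GET['DN'] == $DN)` block in edit.php are applied independently, so a request-supplied DN that is not wrapped in quotes but whose last attribute value ends in an apostrophe loses its final character and `load_account($DN)` is then called for a different entry than the one linked; the deletelink.php hunk has the same pattern and feeds the result into `$_SESSION['delete_dn']`, where a silently altered DN matters even more. Since a DN always begins with an attribute type and can never legitimately start with `'`, the two quotes should be treated as a pair and removed only together: `if (strlen($DN) > 1 && substr($DN, 0, 1) === "'" && substr($DN, -1) === "'") { $DN = substr($DN, 1, -1); }` (and the equivalent on `$dn` in deletelink.php). A short comment such as `// unwrap the single quotes the list links place around the DN` would also help, since where the wrapping quotes originate is not visible in either hunk — confirm that against the link-building code before wording it. The unchanged `$dn = str_replace("\\", '', $dn);` line just above the deletelink.php change also strips every backslash, which removes RFC 4514 escape sequences from DN values; presumably it undoes escaping added by the link, but that assumption deserves a comment too. The enclosing `if (isset($_GET['DN']))` block in edit.php and the `if (isset($dn) && isset($type))` block in deletelink.php both continue outside their hunks.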