From 3cca88c7079fd23b58d0fa76d67a9634290b9586 Mon Sep 17 00:00:00 2001 From: Carsten Rose <carsten.rose@math.uzh.ch> Date: Thu, 23 Mar 2017 13:16:30 +0100 Subject: [PATCH] Ldap.php: Added checks for missing LDAP..._SEARCH. Do not throw an error if there is an empty result. HTML Entitites for typeahead will be escaped on client side. --- extension/qfq/qfq/Constants.php | 1 + extension/qfq/qfq/helper/Ldap.php | 60 ++++++++++++++++++++----------- 2 files changed, 41 insertions(+), 20 deletions(-) diff --git a/extension/qfq/qfq/Constants.php b/extension/qfq/qfq/Constants.php index 6b959577c..50f7616dc 100644 --- a/extension/qfq/qfq/Constants.php +++ b/extension/qfq/qfq/Constants.php @@ -201,6 +201,7 @@ const ERROR_UNKNOWN_ACTION = 1502; const ERROR_NO_TARGET_PATH_FILE_NAME = 1503; const ERROR_LDAP_CONNECT = 1600; +const ERROR_MISSING_TYPE_AHEAD_LDAP_SEARCH = 1601; // KeyValueParser const ERROR_KVP_VALUE_HAS_NO_KEY = 1900; diff --git a/extension/qfq/qfq/helper/Ldap.php b/extension/qfq/qfq/helper/Ldap.php index ffbf3a716..c966fd224 100644 --- a/extension/qfq/qfq/helper/Ldap.php +++ b/extension/qfq/qfq/helper/Ldap.php @@ -21,6 +21,7 @@ class Ldap { * @throws UserFormException */ private function ldapConnect($ldapServer) { + $ds = ldap_connect($ldapServer); // must be a valid LDAP server! if (!$ds) { throw new UserFormException("Unable to connect to LDAP server: $ldapServer", ERROR_LDAP_CONNECT); @@ -85,6 +86,7 @@ class Ldap { } /** + * * @param array $config [FE_LDAP_SERVER , FE_LDAP_BASE_DN, FE_LDAP_SEARCH, FE_TYPEAHEAD_LIMIT, FE_TYPEAHEAD_LDAP_KEY_PRINTF, FE_TYPEAHEAD_LDAP_VALUE_PRINTF] * @param string $searchValue value to search via $config[FE_LDAP_SEARCH] * @param string $mode MODE_LDAP_SINGLE | MODE_LDAP_MULTI 
@@ -95,8 +97,15 @@ class Ldap { $arr = array(); // For TypeAhead, use an optional given F_TYPEAHEAD_LDAP_SEARCH - if ($mode == MODE_LDAP_MULTI && $config[F_TYPEAHEAD_LDAP_SEARCH] != '') { + if ($mode == MODE_LDAP_MULTI) { + if (!isset($config[F_TYPEAHEAD_LDAP_SEARCH]) || $config[F_TYPEAHEAD_LDAP_SEARCH] == '') { + throw new UserFormException("Missing definition for `" . F_TYPEAHEAD_LDAP_SEARCH . "`", ERROR_MISSING_TYPE_AHEAD_LDAP_SEARCH); + } $config[F_LDAP_SEARCH] = $config[F_TYPEAHEAD_LDAP_SEARCH]; + } else { + if (!isset($config[F_LDAP_SEARCH]) || $config[F_LDAP_SEARCH] == '') { + throw new UserFormException("Missing definition for `" . F_LDAP_SEARCH . "`", ERROR_MISSING_TYPE_AHEAD_LDAP_SEARCH); + } } $searchValue = Support::ldap_escape($searchValue, null, LDAP_ESCAPE_FILTER); 
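Review bot: The `else` branch reports a missing `F_LDAP_SEARCH` with `ERROR_MISSING_TYPE_AHEAD_LDAP_SEARCH`, so a misconfigured non-typeahead lookup surfaces under the typeahead error code. A dedicated constant (for example `ERROR_MISSING_LDAP_SEARCH`, a suggested name that is not in the patch) would keep the two cases apart in logs and error reports. The comment `// For TypeAhead, use an optional given F_TYPEAHEAD_LDAP_SEARCH` is now stale: the key is mandatory in `MODE_LDAP_MULTI` and the old fallback to `F_LDAP_SEARCH` is gone, so it should read something like `// TypeAhead requires F_TYPEAHEAD_LDAP_SEARCH; all other modes require F_LDAP_SEARCH`. The enclosing method starts and ends outside this hunk.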
@@ -115,30 +124,33 @@ class Ldap { array_merge($keyArr, $valueArr, $specificArr)))); $sr = $this->ldapSearch($ds, $config, $attr); - $info = ldap_get_entries($ds, $sr); + if ($sr !== false) { + $info = ldap_get_entries($ds, $sr); - if ($mode == MODE_LDAP_MULTI) { + if ($mode == MODE_LDAP_MULTI) { - // Iterate over all Elements, per element collect all needed attributes - for ($i = 0; $i < $info["count"]; $i++) { + // Iterate over all Elements, per element collect all needed attributes + for ($i = 0; $i < $info["count"]; $i++) { - $key = $this->printfResult($keyFormat, $keyArr, $info[$i]); - $value = $this->printfResult($valueFormat, $valueArr, $info[$i]); + // HTML Entities will be escaped on Client side. + $key = $this->printfResult($keyFormat, $keyArr, $info[$i], false); + $value = $this->printfResult($valueFormat, $valueArr, $info[$i], false); - if ($key == '' || $value == '') { - continue; // if $key or $value is empty: skip - } + if ($key == '' || $value == '') { + continue; // if $key or $value is empty: skip + } - $arr[] = [API_TYPEAHEAD_KEY => $key, API_TYPEAHEAD_VALUE => $value]; - } - } else { - // Collect all attributes - foreach ($attr as $key) { - $value = isset($info[0][$key][0]) ? $info[0][$key][0] : ''; - $arr[$key] = htmlentities($value); + $arr[] = [API_TYPEAHEAD_KEY => $key, API_TYPEAHEAD_VALUE => $value]; + } + } else { + // Collect all attributes + foreach ($attr as $key) { + $value = isset($info[0][$key][0]) ? $info[0][$key][0] : ''; + $arr[$key] = $value; + } } + ldap_close($ds); } - ldap_close($ds); return $arr; } 
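Review bot: The single-result branch now stores `$arr[$key] = $value;` without `htmlentities()`, although the commit message moves escaping to the client only for typeahead. LDAP attribute values are directory-controlled data, so every consumer of this branch now has to encode them for its own output context. If that is not guaranteed, keep `$arr[$key] = htmlentities($value);` here, or state in the method docblock that the returned values are raw. Separately, `ldap_close($ds);` moved inside `if ($sr !== false)`, so the connection is left open when the search returns false; it belongs after the `if` block. The method starts outside this hunk.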
@@ -188,12 +200,20 @@ class Ldap { * @throws CodeException * @throws UserFormException */ - private function printfResult($format, array $keyArr, $infoElement) { + private function printfResult($format, array $keyArr, $infoElement, $doHtmlEntity = true) { $args = array($format); foreach ($keyArr as $key) { - $args[] = (isset($infoElement[$key][0])) ? htmlentities($infoElement[$key][0]) : ''; + $val = ''; + + if (isset($infoElement[$key][0])) { + $val = $infoElement[$key][0]; + if ($doHtmlEntity === true) { + $val = htmlentities($val); + } + } + $args[] = $val; } return call_user_func_array('sprintf', $args); -- GitLab
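Review bot: The new `$doHtmlEntity` parameter is missing from the docblock above the signature. Add a line such as `@param bool $doHtmlEntity true: HTML-encode each LDAP value; false: return raw values, the caller must encode for its output context`, so the unescaped path is an explicit contract. On the encoding path, `htmlentities($val)` relies on the default flags and charset, and on PHP versions before 8.1 the default leaves single quotes unencoded. `htmlentities($val, ENT_QUOTES, 'UTF-8')` makes the result safe for single-quoted attributes as well. The method body continues past the end of this hunk.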