From 68484bbbde92a7b5ccb0da16d29afda31aec0370 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 18 Jan 2013 21:26:31 +0100 Subject: Be sure to escape filters and DNs. --- lib/Fripost/Schema/List.pm | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) (limited to 'lib/Fripost/Schema/List.pm') diff --git a/lib/Fripost/Schema/List.pm b/lib/Fripost/Schema/List.pm index e6605f0..58d198c 100644 --- a/lib/Fripost/Schema/List.pm +++ b/lib/Fripost/Schema/List.pm @@ -18,7 +18,7 @@ use utf8; use parent 'Fripost::Schema'; use Fripost::Schema::Misc qw/concat explode must_attrs email_valid - split_addr/; + split_addr canonical_dn ldap_explode_dn/; use Net::IDN::Encode qw/domain_to_ascii email_to_ascii email_to_unicode/; use Mail::GnuPG; @@ -47,7 +47,7 @@ sub search { if (defined $options{'-is_pending'}) and !$options{'-is_pending'}; my $lists = $self->ldap->search( - base => "fvd=$domain,".$self->suffix, + base => canonical_dn({fvd => $domain}, @{$self->suffix}), scope => 'one', deref => 'never', filter => $filter, @@ -85,13 +85,13 @@ sub replace { if defined $l->{description}; eval { - my ($l2,$d) = split /\@/, email_to_ascii($l->{list}), 2; + my ($l2,$d) = split_addr( $l->{list}, -encoding => 'ascii' ); &_is_valid($l); my $l3 = { fripostIsStatusActive => $l->{isactive} ? 'TRUE' : 'FALSE' , description => $l->{description} }; $l3->{fripostListManager} = $l->{transport} if defined $l->{transport}; my $mesg = $self->ldap->modify( - "fvl=$l2,fvd=$d,".$self->suffix, + canonical_dn({fvl => $l2}, {fvd => $d}, @{$self->suffix}), replace => $l3 ); die $mesg->error."\n" if $mesg->code; }; 
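Review bot: In `search`, `filter => $filter` is still passed to the server as built, while only `base` now goes through `canonical_dn`. The filter is assembled above the hunk, so it cannot be seen from here whether its caller-supplied parts are escaped. Any value interpolated raw should go through `escape_filter_value` from Net::LDAP::Util (or the project's equivalent) before concatenation. A comment at the assembly site, e.g. `# every value interpolated into $filter is filter-escaped`, would make that invariant checkable in review. `search` starts and ends outside the hunk.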
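Review bot: The list DN expression `canonical_dn({fvl => $l2}, {fvd => $d}, @{$self->suffix})` introduced in `replace` is repeated in the `add`, `is_pending`, `add_commands` and `delete` hunks with only the variable names changed. A private helper would keep the RDN order and the escaping in one place, e.g. `sub _list_dn { my ($self, $l, $d) = @_; return canonical_dn({fvl => $l}, {fvd => $d}, @{$self->suffix}) }`, called as `$self->_list_dn($l2, $d)`. That way a later change to the DN layout cannot leave one call site building the DN differently from the rest. `replace` starts and ends outside the hunk.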
@@ -133,8 +133,8 @@ sub add { $attrs{description} = $l->{description} if defined $l->{description} and @{$l->{description}}; - my $mesg = $self->ldap->add( "fvl=$l2,fvd=$d,".$self->suffix, - attrs => [ %attrs ] ); + my $dn = canonical_dn({fvl => $l2}, {fvd => $d}, @{$self->suffix}); + my $mesg = $self->ldap->add( $dn, attrs => [ %attrs ] ); if ($mesg->code) { die $options{'-die'}."\n" if defined $options{'-die'}; die $mesg->error."\n"; @@ -143,11 +143,16 @@ sub add { return $@ if $@; # Ask the list manager to create the list now. - my $member = $self->whoami; - $member =~ s/^fvu=([^,]+),fvd=([^,]+),.*$/$1\@$2/; + + my $whoami = ldap_explode_dn( $self->whoami ); + my $member = email_valid( $whoami->[0]->{fvu} .'@'. $whoami->[1]->{fvd} + , -exact => 1 ); + my $to = email_valid( 'mklist+'.$l->{transport}.'@fripost.org' + , -exact => 1 ); + my $mail = MIME::Entity::->build( From => 'Fripost Admin Panel ', - To => 'mklist+'.$l->{transport}.'@fripost.org', + To => $to, Subject => "New ".$l->{transport}." list", Encoding => 'quoted-printable', Charset => 'utf-8', @@ -175,8 +180,9 @@ sub is_pending { my ($l,$d) = split_addr( shift, -encoding => 'ascii' ); my %options = @_; + my $dn = canonical_dn({fvl => $l}, {fvd => $d}, @{$self->suffix}); my $mesg = $self->ldap->search( - base => "fvl=$l,fvd=$d,".$self->suffix, + base => $dn, scope => 'base', deref => 'never', filter => 'objectClass=FripostVirtualList', 
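Review bot: In the mail-building part of `add`, the result of `ldap_explode_dn( $self->whoami )` is dereferenced without a check, so a bind DN that fails to parse, or whose first two RDNs are not `fvu` and `fvd`, puts undef values into `$member`. The return values of both `email_valid` calls are also used unchecked. This code sits after `return $@ if $@;`, so if `email_valid` dies on rejection (its behaviour is not visible here) the error escapes `add` instead of being returned like the LDAP errors above. A guard before the concatenation would make the failure explicit, e.g. `die "Unexpected bind DN\n" unless $whoami and defined $whoami->[0]{fvu} and defined $whoami->[1]{fvd};`, ideally inside an `eval` that feeds the same error path. `Subject` still interpolates `$l->{transport}` directly, so it is only covered if `email_valid` rejects a bad `$to` before the message is built; `add` starts and ends outside the hunk.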
@@ -209,14 +215,16 @@ sub add_commands { my $mesg; foreach my $cmd (@$cmds) { - $mesg = $self->ldap->add( "fvlc=$l-$cmd,fvl=$l,fvd=$d,".$self->suffix, + my $dn = canonical_dn( {fvlc => $l.'-'.$cmd}, {fvl => $l}, {fvd => $d}, + @{$self->suffix} ); + $mesg = $self->ldap->add( $dn, attrs => [ objectClass => 'FripostVirtualListCommand', FripostLocalAlias => $l.'-'.$cmd.'#'.$d ] ); last if $mesg->code; } - $mesg = $self->ldap->modify( "fvl=$l,fvd=$d,".$self->suffix, - , delete => 'fripostIsStatusPending' ) + my $dn = canonical_dn( {fvl => $l}, {fvd => $d}, @{$self->suffix} ); + $mesg = $self->ldap->modify( $dn, delete => 'fripostIsStatusPending' ) unless $mesg->code; if ($mesg->code) { @@ -238,7 +246,8 @@ sub delete { my ($l,$d) = split_addr( shift, -encoding => 'ascii' ); my %options = @_; - my $mesg = $self->ldap->delete( "fvl=$l,fvd=$d,".$self->suffix ); + my $dn = canonical_dn( {fvl => $l}, {fvd => $d}, @{$self->suffix} ); + my $mesg = $self->ldap->delete( $dn ); if ($mesg->code) { if (defined $options{'-die'}) { return $mesg->error unless $options{'-die'}; -- cgit v1.2.3
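Review bot: In `add_commands`, the post-loop statement `$mesg = $self->ldap->modify( $dn, delete => 'fripostIsStatusPending' ) unless $mesg->code;` calls `->code` on `$mesg`, which is still undefined when `@$cmds` is empty. Whether callers can pass an empty command list is not visible here; if they can, the call dies on an undefined value instead of clearing the pending flag. Changing the modifier to `unless $mesg and $mesg->code;` keeps the current behaviour for non-empty lists and lets the modify run otherwise. `add_commands` starts and ends outside the hunk.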