From 68484bbbde92a7b5ccb0da16d29afda31aec0370 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Fri, 18 Jan 2013 21:26:31 +0100
Subject: Be sure to escape filters and DNs.

---
 lib/Fripost/Schema/Local.pm | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

(limited to 'lib/Fripost/Schema/Local.pm')

diff --git a/lib/Fripost/Schema/Local.pm b/lib/Fripost/Schema/Local.pm
index e2e7a4b..d8a71ef 100644
--- a/lib/Fripost/Schema/Local.pm
+++ b/lib/Fripost/Schema/Local.pm
@@ -17,7 +17,7 @@ use warnings;
 use utf8;
 use parent 'Fripost::Schema';
-use Fripost::Schema::Misc qw/concat split_addr/;
+use Fripost::Schema::Misc qw/concat split_addr canonical_dn/;
 use Net::IDN::Encode qw/email_to_ascii email_to_unicode/;
 use Net::LDAP::Util 'escape_filter_value';
@@ -41,8 +41,9 @@ sub get {
     my $concat = $options{'-concat'};
     my ($l,$d) = split_addr( $loc, -encoding => 'ascii' );
+    $l = escape_filter_value($l);
     my $locals = $self->ldap->search(
-        base => "fvd=$d,".$self->suffix,
+        base => canonical_dn({fvd => $d}, @{$self->suffix}),
         scope => 'one',
         deref => 'never',
         filter => "(|(&(objectClass=FripostVirtualUser)(fvu=$l)) 
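Review bot: The filter-escaped local part overwrites `$l` in place at `$l = escape_filter_value($l);`, so anything later in `get` (its body continues past the hunk) that uses `$l` as a DN value, a display string or a comparison key would carry filter escapes such as `\2a`. Keeping the raw and escaped forms apart avoids that: `my $l_f = escape_filter_value($l);` and `(fvu=$l_f)` in the filter. The domain `$d` reaches the search base only through `canonical_dn`, which is imported from Fripost::Schema::Misc and not shown here, so the fix relies on that helper escaping each RDN value (Net::LDAP::Util::escape_dn_value or equivalent); a one-line comment such as `# canonical_dn escapes RDN values; pass $d unescaped` would record that assumption for the next maintainer.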
@@ -109,22 +110,23 @@ attribute.
 sub exists {
     my $self = shift;
-    my ($l,$d) = split /\@/, email_to_ascii(shift), 2;
+    my ($l,$d) = split_addr( shift, -encoding => 'ascii' );
     my %options = @_;
     # We may not have read access to the list commands
     # The trick is somewhat dirty, but it's safe enough since postfix
     # delivers to users, aliases, and lists with different
     # priorities (and lists have the lowest).
-    my @cmds = qw/admin bounces confirm join leave owner request subscribe unsubscribe bounce sendkey/;
-    my @tests = ( 'fvu='.$l, 'fva='.$l, 'fvl='.$l );
+    my @cmds = qw/admin bounces confirm join leave owner request
+                  subscribe unsubscribe bounce sendkey/;
+    my @tests = ( {fvu => $l}, {fva => $l}, {fvl => $l} );
     foreach (@cmds) {
         # If the entry is of the form 'foo-command', we need to ensure
         # that no list 'foo' exists, otherwise the new entry would
         # override foo's command.
         if ($l =~ s/-$_$//) {
-            push @tests, 'fvl='.$l;
+            push @tests, {fvl => $l};
             last;
         }
     }
@@ -133,12 +135,13 @@ sub exists {
         # none of its commands exists.
         foreach (@cmds) {
             my $l2 = $l.'-'.$_;
-            push @tests, 'fvu='.$l2, 'fva='.$l2;
+            push @tests, {fvu => $l2}, {fva => $l2};
         }
     }
     foreach (@tests) {
-        my $mesg = $self->ldap->search( base => "$_,fvd=$d,".$self->suffix,
+        my $dn = canonical_dn($_, {fvd => $d}, @{$self->suffix});
+        my $mesg = $self->ldap->search( base => $dn,
                                         scope => 'base',
                                         deref => 'never',
                                         filter => 'objectClass=*'
-- 
cgit v1.2.3
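Review bot: The local part in `exists` is deliberately left unescaped for filters, since the new `@tests` hashrefs only feed `canonical_dn` and the search filter is the constant `objectClass=*`, but nothing says so, and a later change that interpolates `$l` into a filter would silently regress what this commit fixes. A comment above `my @tests = ( {fvu => $l}, ...` along the lines of `# RDN values only: canonical_dn escapes them; $l must NOT be filter-escaped here` would make that contract explicit. The `s/-$_$//` that rewrites `$l` is pre-existing and interpolates `$_` unquoted; that is safe while `@cmds` stays a fixed `qw//` list, but `s/-\Q$_\E\z//` would keep it safe if the list ever gains metacharacters. The function continues into the next hunk.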
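Review bot: The base-scope search on the freshly built `$dn` reports "does not exist" through an LDAP result code (noSuchObject) rather than an empty result set, and the hunk ends at `filter => 'objectClass=*'` before that code is inspected, so whether an access-denied or other error on one of the command DNs is treated as present or absent cannot be judged from here; given the comment above about lacking read access to list commands, the handling after the hunk should distinguish `LDAP_NO_SUCH_OBJECT` from other failures and fail closed on the latter, otherwise a transient error could let a new entry shadow a list command. Separately, `@{$self->suffix}` now dereferences the suffix as an array reference where the removed line concatenated it as a string; the accessor change is outside this diff, so every other caller of `suffix` needs the same update. Hoisting the invariant tail, `my @tail = ({fvd => $d}, @{$self->suffix});` before the loop, would also avoid rebuilding it for each test.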