From 7e331b087fbd132905a91efa6180ce03b40a7156 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen
Date: Thu, 14 Dec 2017 16:23:39 +0200
Subject: community/homer-api: apply LDAP security fix

---
 community/homer-api/0001-Update-LDAP.php.patch | 27 ++++++++++++++++++++++++++
 community/homer-api/APKBUILD | 11 +++++++----
 2 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 community/homer-api/0001-Update-LDAP.php.patch
(limited to 'community')

diff --git a/community/homer-api/0001-Update-LDAP.php.patch b/community/homer-api/0001-Update-LDAP.php.patch
new file mode 100644
index 0000000000..a0b7e91756
--- /dev/null
+++ b/community/homer-api/0001-Update-LDAP.php.patch
@@ -0,0 +1,27 @@
+From c2771cbb452949fb5b1e921d8c051c59b024fc28 Mon Sep 17 00:00:00 2001
+From: Alexandr Dubovikov
+Date: Thu, 14 Dec 2017 15:16:58 +0100
+Subject: [PATCH] Update LDAP.php
+
+prevent some potentially leading to privilege escalation. Thanks go to Kaarle R.
+---
+ api/Authentication/LDAP.php | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/api/Authentication/LDAP.php b/api/Authentication/LDAP.php
+index 653af2e..f3f0c9d 100644
+--- a/api/Authentication/LDAP.php
++++ b/api/Authentication/LDAP.php
+@@ -72,8 +72,7 @@ class LDAP extends Authentication {
+ return array();
+ }
+ }
+-
+- $r=@ldap_search( $ds, LDAP_BASEDN, LDAP_USERNAME_ATTRIBUTE_OPEN .$param['username'].LDAP_USERNAME_ATTRIBUTE_CLOSE);
++ $r=@ldap_search( $ds, LDAP_BASEDN, LDAP_USERNAME_ATTRIBUTE_OPEN.@ldap_escape($param['username']).LDAP_USERNAME_ATTRIBUTE_CLOSE);
+ if ($r) {
+ $result = @ldap_get_entries( $ds, $r);
+
+-- 
+2.14.3
+
diff --git a/community/homer-api/APKBUILD b/community/homer-api/APKBUILD
index be8604756d..703983e76d 100644
--- a/community/homer-api/APKBUILD
+++ b/community/homer-api/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Kaarle Ritvanen
 pkgname=homer-api
 pkgver=5.0.6
-pkgrel=12
+pkgrel=13
 pkgdesc="HOMER API"
 url="https://github.com/sipcapture/homer-api"
 arch="noarch"
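Review bot: The escaped line in the vendored LDAP.php hunk calls `ldap_escape($param['username'])` with no flags, so it relies on PHP's "escape every byte" default rather than stating that the value is going into a search filter; the intent is clearer and the resulting filter easier to read in server logs and audit output if the flag is explicit, `ldap_escape($param['username'], '', LDAP_ESCAPE_FILTER)`. The `@` in front of `ldap_escape` also hides the warning PHP emits when `$param['username']` is not a string (an array in the request body, presumably), in which case the call yields an empty value and the filter is built with nothing between the attribute open/close constants — a guard such as `if (!is_string($param['username'] ?? null)) { return array(); }` before the search would make that path explicit instead of silent. Both points are about the hardened line itself, not the upstream fix, which the package correctly applies. The enclosing method of `LDAP` starts and ends outside the hunk.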
@@ -13,8 +13,10 @@ options="!check"
 subpackages="$pkgname-doc homer-api-ldap homer-db"
 source="$pkgname-$pkgver.tar.gz::https://github.com/sipcapture/homer-api/archive/$pkgver.tar.gz
 homer_db_init
- php7.patch
- rotation-ini-path.patch"
+ php7.patch
+ rotation-ini-path.patch
+ 0001-Update-LDAP.php.patch
+ "
 builddir="$srcdir"/$pkgname-$pkgver
 
 build() {
@@ -68,4 +70,5 @@ ldap() {
 sha512sums="620185c19bd348ba68bad3a1992b7d673d29dcfb8a0aeea437a2d31e90f0a21cf6f46a43f0041a583a14d9403e1d8574c6040da1dba397ec2d955b8aba9010d8 homer-api-5.0.6.tar.gz
 e305af57a8445b45cb1e894aa34ceea3aeedb60740a636229d470d872f9ebb835e03985faeb685180a3e2c1eae29b49c841f8cbdb4236dbf0323f905a30b0bbb homer_db_init
 068d7b03c51aed4c144b6f8382a367016432b5f2c22e79e19da516536bf22c9bec4fbedf81130e32d6d919be746610563295513412f14c565fc917bdc0a7b004 php7.patch
-0328c4f645601be150f877a31a8c245908da9d9972bed6e1af50f2c43055c9f47376da30c666b6eaa0310637414f65906b88f9a339a1dfa14e1864c70b36fa77 rotation-ini-path.patch"
+0328c4f645601be150f877a31a8c245908da9d9972bed6e1af50f2c43055c9f47376da30c666b6eaa0310637414f65906b88f9a339a1dfa14e1864c70b36fa77 rotation-ini-path.patch
+db83978e1c1150dadddbede0ea860b8819f1c1a804b706b65f212105df80ece0096af6f5d2eb9431271fa3a1f6d0a2fe51ac4f118dc0f371009c0ff812908612 0001-Update-LDAP.php.patch"
-- 
cgit v1.2.3