Fix #yogosha6411

htdocs/core/class/ldap.class.php

@@ -958,7 +958,7 @@ class Ldap
 		}
 
 		// Define filter
-		if (!empty($activefilter)) {
+		if (!empty($activefilter)) {	// Use a predefined trusted filter (defined into setup by admin).
 			if (((string) $activefilter == '1' || (string) $activefilter == 'user') && $this->filter) {
 				$filter = '('.$this->filter.')';
 			} elseif (((string) $activefilter == 'group') && $this->filtergroup ) {
@@ -966,11 +966,11 @@ class Ldap
 			} elseif (((string) $activefilter == 'member') && $this->filter) {
 				$filter = '('.$this->filtermember.')';
 			} else {
-				// If this->filter is empty, make fiter on * (all)
-				$filter = '('.$useridentifier.'=*)';
+				// If this->filter/this->filtergroup is empty, make fiter on * (all)
+				$filter = '('.ldap_escape($useridentifier, '', LDAP_ESCAPE_FILTER).'=*)';
 			}
-		} else {
-			$filter = '('.$useridentifier.'='.$search.')';
+		} else {						// Use a filter forged using the $search value
+			$filter = '('.ldap_escape($useridentifier, '', LDAP_ESCAPE_FILTER).'='.ldap_escape($search, '', LDAP_ESCAPE_FILTER).')';
 		}
 
 		if (is_array($attributeArray)) {