changed session hijack test
index 22d5c10936c3e3fb53bc2d9b309916dc739f7be3..5241b5efcbe1cbe095887dac73c835546043b469 100644 (file)
--- a/index.php
+++ b/index.php
 
   //prepare templates
   tpl_std();
-  tpl_markers();
+  tpl_markers(); //FIXME not needed anymore!?
+  tpl_categories();
+  tpl_timezone();
+  tpl_country();
   $smarty->assign('list',$list);
   $smarty->assign('filter',$_REQUEST['filter']);
+  $smarty->assign('marker',$_REQUEST['marker']);
+  $smarty->assign('search',$_REQUEST['search']);
   //display templates
   if($_REQUEST['export'] == 'csv'){
     header("Content-Type: text/csv");
@@ -52,6 +57,8 @@
   }else{
     //save location in session
     $_SESSION[ldapab][lastlocation]=$_SERVER["REQUEST_URI"];
+
+    header('Content-Type: text/html; charset=utf-8');
     $smarty->display('header.tpl');
     $smarty->display('list_filter.tpl');
     $smarty->display('list.tpl');
   function _makeldapfilter(){
     //handle given filter
 
-    $filter = $_REQUEST['filter'];
-    $search = $_REQUEST['search'];
-    $org    = $_REQUEST['org'];
-    $marker = $_REQUEST['marker'];
-    $_SESSION[ldapab][filter] = $filter;
+    $filter = ldap_filterescape($_REQUEST['filter']);
+    $search = ldap_filterescape($_REQUEST['search']);
+    $org    = ldap_filterescape($_REQUEST['org']);
+    $marker = ldap_filterescape($_REQUEST['marker']);
+    $categories = ldap_filterescape($_REQUEST['categories']);
+    $_SESSION[ldapab][filter] = $_REQUEST['filter'];
     if(empty($filter)) $filter='a';
 
     if(!empty($marker)){
-      $marker = utf8_encode($marker);
-      $ldapfilter = "(&(objectClass=contactPerson)(marker=$marker))";
+      $ldapfilter = '(&(objectClass=contactPerson)';
+      $marker = explode(',',$marker);
+      foreach($marker as $m){
+        $m = trim($m);
+        $ldapfilter .= "(marker=$m)";
+      }
+      $ldapfilter .= ')';
+    }elseif(!empty($categories)){
+      $ldapfilter = "(&(objectClass=OXUserObject)(OXUserCategories=$categories))";
     }elseif(!empty($search)){
       $search = trim($search);
       $words=preg_split('/\s+/',$search);
       $filter='';
       foreach($words as $word){
-        $word = utf8_encode($word);
         $filter .= "(|(|(sn=*$word*)(givenName=*$word*))(o=*$word*))";
       }
       $ldapfilter = "(&(objectClass=inetOrgPerson)$filter)";
     }elseif(!empty($org)){
-      $org = utf8_encode($org);
       $ldapfilter = "(&(objectClass=inetOrgPerson)(o=$org))";
     }elseif($filter=='other'){
       $other='';
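Review bot: Escaping `$_REQUEST['filter']` through ldap_filterescape() before it is compared against literal strings means the new `$filter=='*'` branch in the following hunk cannot match if that helper encodes `*` as `\2a` the way RFC 4515 filter escaping does; the request would then fall through to the final else and build `(sn=\2a*)`, which matches nothing. Keep the escaped copy only for interpolation into the filter and compare the raw value for the special cases, e.g. `}elseif($_REQUEST['filter']=='*'){`, or decide the `*`/`other` cases before calling ldap_filterescape(). The `empty($filter)` default to `'a'` is unaffected because it only tests the escaped string for emptiness. ldap_filterescape() is defined outside this file, so whether it escapes `*` should be confirmed there; _makeldapfilter() continues past this hunk.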
         $other .= '(!(sn='.chr($i).'*))';
       }
       $ldapfilter = "(&(objectClass=inetOrgPerson)$other)";
+    }elseif($filter=='*'){
+      $ldapfilter = "(objectClass=inetOrgPerson)";
     }else{
-      $filter = utf8_encode($filter);
       $ldapfilter = "(&(objectClass=inetOrgPerson)(sn=$filter*))";
     }
     return $ldapfilter;