request #24149: Indirect LDAP injection via the ldap_id attribute of a user

A taint annotation has been added to hightlight the issue. A more global
work on this topic will be done in independant contributions.

Change-Id: I969d0ba6d2ff85b418bcaf728f49afc78dd49571

Author: LeSuisse

plugins/ldap/include/LDAP_DirectorySynchronization.class.php

@@ -76,7 +76,7 @@ public function syncAll()
 
     public function ldapSync($row, $users_are_suspendable = true)
     {
-        $ldap_query = $this->ldap->getLDAPParam('eduid') . '=' . $row['ldap_id'];
+        $ldap_query = $this->ldap->getLDAPParam('eduid') . '=' . ldap_escape($row['ldap_id'], '', LDAP_ESCAPE_FILTER);
         $userSync   = $this->getLdapUserSync();
         $attributes = $userSync->getSyncAttributes($this->ldap);
 

src/common/DB/Compat/Legacy2018/LegacyDataAccessInterface.php

@@ -177,6 +177,7 @@ public function fetch($result);
      * @param type $result
      *
      * @return type
+     * @psalm-taint-source ldap
      */
     public function fetchArray($result);