From d7a59b51525a9d899d34ceaab83a0b0eb8b11c22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean=20Charles=20Del=C3=A9pine?=
Date: Sun, 1 Jun 2025 14:04:13 +0200
Subject: [PATCH] Do not escape wildcard in objectclass from admin config

The default objectclass filter in Horde's LDAP config is ['*'], but this value was being escaped to '\2A', resulting in invalid filters like (objectclass=\2A) instead of (objectclass=*). This patch disables escaping for values coming from trusted configuration. Values from user input are still escaped to prevent LDAP injection.
---
 lib/Horde/Ldap/Filter.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/Horde/Ldap/Filter.php b/lib/Horde/Ldap/Filter.php
index a8747c5..0a2e741 100644
--- a/lib/Horde/Ldap/Filter.php
+++ b/lib/Horde/Ldap/Filter.php
@@ -288,11 +288,12 @@ public static function build(array $params, $operator = 'and')
 return self::parse($params['filter']);
 }
 if (!is_array($params['objectclass'])) {
- return self::create('objectclass', 'equals', $params['objectclass']);
+ // Do not escape values from admin configuration (e.g., '*')
+ return self::create('objectclass', 'equals', $params['objectclass'], false);
 }
 $filters = [];
 foreach ($params['objectclass'] as $objectclass) {
- $filters[] = self::create('objectclass', 'equals', $objectclass);
+ $filters[] = self::create('objectclass', 'equals', $objectclass, false);
 }
 if (count($filters) == 1) {
 return $filters[0];
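Review bot: Passing `false` as the escape argument on both `self::create('objectclass', 'equals', …)` calls turns escaping off for every objectclass value, not only the `'*'` wildcard the commit message is about. `build()` is a public static method, and nothing in this hunk shows that `$params['objectclass']` can only come from admin configuration, so a caller that forwards request-derived values would now put `(`, `)`, `*` and `\` into the filter unescaped. Exempting only the literal wildcard keeps the fix and the escaping: `$filters[] = self::create('objectclass', 'equals', $objectclass, $objectclass !== '*');`, with the same condition on `$params['objectclass']` in the scalar branch. The added comment would then read `// Only the bare '*' wildcard is passed unescaped; every other value is still escaped`. The body of `build()` starts and ends outside the hunk, so the origin of `$params` should be confirmed against its callers.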