[PATCH] fix(soap): fix SQL injection in searchUser via query_operator

searchUser() validated query_operator with || instead of &&, making the
condition always true. raiseError() was also called without return, so
execution continued regardless. Combined, this allowed any authenticated
user with read_users permission to inject arbitrary SQL via the
query_operator parameter (full user table disclosure, credential
extraction via boolean blind SQLi).

Fix: change || to && and add return before raiseError().

Affected: components/ILIAS/soap/classes/class.ilSoapUserAdministration.php
Signed-off-by: Releasemanager <webmaster@ilias.de>

Author: andreschweigert

components/ILIAS/soap/classes/class.ilSoapUserAdministration.php

@@ -684,8 +684,8 @@ public function searchUser(
             return $this->raiseError('At least one keyvalue is needed', 'Client');
         }
 
-        if (strcasecmp($query_operator, "and") !== 0 || strcasecmp($query_operator, "or") !== 0) {
-            $this->raiseError('Query operator must be either \'and\' or \'or\'', 'Client');
+        if (strcasecmp($query_operator, "and") !== 0 && strcasecmp($query_operator, "or") !== 0) {
+            return $this->raiseError('Query operator must be either \'and\' or \'or\'', 'Client');
         }
 
         $query = $this->buildSearchQuery($a_keyfields, $query_operator, $a_keyvalues);