changeset 6332:8076de6f78af

auth: prevent LDAP query language injection of usernames. This could cause odd LDAP queries that could fail, but it could not give access without a valid user query and credentials. It thus had no security implications.
author Mads Kiilerich <madski@unity3d.com>
date Tue, 15 Nov 2016 22:53:41 +0100
parents 949c843bb535
children 73654990ba75
files kallithea/lib/auth_modules/auth_ldap.py
diffstat 1 files changed, 4 insertions(+), 2 deletions(-) [+]
--- a/kallithea/lib/auth_modules/auth_ldap.py	Tue Nov 15 22:53:41 2016 +0100
+++ b/kallithea/lib/auth_modules/auth_ldap.py	Tue Nov 15 22:53:41 2016 +0100
@@ -41,6 +41,7 @@
 
 try:
     import ldap
+    import ldap.filter
 except ImportError:
     # means that python-ldap is not installed
     ldap = None
@@ -124,8 +125,9 @@
                           self.LDAP_BIND_DN)
                 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
 
-            filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login,
-                                        username)
+            filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER,
+                                        ldap.filter.escape_filter_chars(self.attr_login),
+                                        ldap.filter.escape_filter_chars(username))
             log.debug("Authenticating %r filter %s at %s", self.BASE_DN,
                       filter_, self.LDAP_SERVER)
             lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
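Review bot: `self.LDAP_FILTER` is still interpolated raw into the same filter string on the line that now escapes the other two operands, and nothing in the hunk records that this is deliberate; a comment would keep a later reader from either "fixing" it or assuming it is user-controlled: `# LDAP_FILTER is an admin-configured filter fragment and is used verbatim; only the login attribute and the user-supplied username are escaped per RFC 4515.` Note also that escape_filter_chars escapes assertion values (`\`, `*`, `(`, `)`, NUL), whereas `self.attr_login` is an attribute description, not a value, so escaping it is harmless for a plain attribute name but is not validation — acceptable if, as the name suggests, it comes from configuration rather than from the request. The enclosing method starts and ends outside the hunk, so where the DN returned by search_ext_s is used for the user bind (which is what makes a wildcard-matched entry harmless without that user's credentials) is not visible here.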