changeset 6332:8076de6f78af
auth: prevent LDAP query language injection of usernames
This could cause odd LDAP queries that could fail but couldn't give access
without a valid user query and credentials. It thus had no security
implications.
| author | Mads Kiilerich <madski@unity3d.com> |
|---|---|
| date | Tue, 15 Nov 2016 22:53:41 +0100 |
| parents | 949c843bb535 |
| children | 73654990ba75 |
| files | kallithea/lib/auth_modules/auth_ldap.py |
| diffstat | 1 files changed, 4 insertions(+), 2 deletions(-) |
--- a/kallithea/lib/auth_modules/auth_ldap.py Tue Nov 15 22:53:41 2016 +0100 +++ b/kallithea/lib/auth_modules/auth_ldap.py Tue Nov 15 22:53:41 2016 +0100 @@ -41,6 +41,7 @@ try: import ldap + import ldap.filter except ImportError: # means that python-ldap is not installed ldap = None @@ -124,8 +125,9 @@ self.LDAP_BIND_DN) server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS) - filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, - username) + filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, + ldap.filter.escape_filter_chars(self.attr_login), + ldap.filter.escape_filter_chars(username)) log.debug("Authenticating %r filter %s at %s", self.BASE_DN, filter_, self.LDAP_SERVER) lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
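Review bot: in the second hunk, `self.LDAP_FILTER` is still interpolated into `filter_` verbatim while `self.attr_login` and `username` are now passed through `ldap.filter.escape_filter_chars`; that is the right split, since `escape_filter_chars` is meant for assertion values and applying it to the whole configured filter would break its parentheses, but the trust boundary deserves a one-line comment above `filter_ = ...` stating that `LDAP_FILTER` is operator-supplied and must already be a well-formed filter fragment. Also note that the `log.debug("Authenticating %r filter %s at %s", ...)` line that follows now logs the escaped form of the user-controlled value, which is the form you want in logs.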