From d5e2fc207a348bb9da54612f90982098357e9ea5 Mon Sep 17 00:00:00 2001
From: Mauno Erhardt
Date: Tue, 9 Jul 2024 14:23:24 +0200
Subject: [PATCH] Escape all user- or ldap-provided strings in search queries to prevent malformed LDAP filters

---
 ldapauthenticator/ldapauthenticator.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
index e634bea..8c91523 100644
--- a/ldapauthenticator/ldapauthenticator.py
+++ b/ldapauthenticator/ldapauthenticator.py
@@ -239,7 +239,7 @@ def resolve_username(self, username_supplied_by_user):
             return (None, None)
 
         search_filter = self.lookup_dn_search_filter.format(
-            login_attr=self.user_attribute, login=username_supplied_by_user
+            login_attr=self.user_attribute, login=escape_filter_chars(username_supplied_by_user)
         )
         msg = "\n".join(
             [
@@ -396,7 +396,7 @@ def authenticate(self, handler, data):
 
         if self.search_filter:
             search_filter = self.search_filter.format(
-                userattr=self.user_attribute, username=username
+                userattr=self.user_attribute, username=escape_filter_chars(username)
             )
             conn.search(
                 search_base=self.user_search_base,
@@ -434,7 +434,10 @@ def authenticate(self, handler, data):
                 "(memberUid={uid})"
                 ")"
             )
-            group_filter = group_filter.format(userdn=userdn, uid=username)
+            group_filter = group_filter.format(
+                userdn=escape_filter_chars(userdn),
+                uid=escape_filter_chars(username)
+            )
             group_attributes = ["member", "uniqueMember", "memberUid"]
             found = conn.search(
                 group,
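Review bot: None of the three hunks adds an import for `escape_filter_chars`, and the diffstat (6 insertions, 3 deletions) is fully accounted for by the hunk lines shown, so unless the file already has it in scope every new call in resolve_username and in both authenticate hunks raises NameError on first use — on the authenticate path that means every login fails rather than failing closed on bad input. If it is not already imported, add `from ldap3.utils.conv import escape_filter_chars` to the file's import block. It is also worth confirming that filter escaping is the only interpolation the commit message's "all user- or ldap-provided strings" needs to cover: `escape_filter_chars` neutralises the RFC 4515 filter metacharacters (`*`, `(`, `)`, `\` and NUL), which is right for every `.format()` in these hunks, but it is not the correct escaping for a username substituted into a DN template, and this patch does not touch that path if the file has one. Both resolve_username and authenticate continue outside the hunks.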
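Review bot: The wrapped `group_filter.format(` call in the third hunk puts one keyword per line but omits the trailing comma after `uid=escape_filter_chars(username)`, while the first hunk leaves `login_attr=self.user_attribute, login=escape_filter_chars(username_supplied_by_user)` on a single line that, with its 12-space indent, runs well past 88 columns. If the project is formatted with black (I cannot see its config from here), a later formatter run will rewrite both of these lines and muddy the blame for this security fix; better to land them in final form now. For the first hunk that is `login_attr=self.user_attribute,` on one line and `login=escape_filter_chars(username_supplied_by_user),` on the next, and here simply `uid=escape_filter_chars(username),`. authenticate's body continues outside the hunk.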