Merge pull request #3872 from stonezdj/ldap_security

Call EscapeFilter for filter to avoid security issue
2024-10-05 16:57:49 +02:00 · 2017-12-26 17:04:20 +08:00 · 2017-12-26 17:04:20 +08:00 · 923a1457e5
commit 923a1457e5
parent 027fa72df7 9f99d0400c
2 changed files with 1 additions and 8 deletions
--- a/src/common/utils/ldap/ldap.go
+++ b/src/common/utils/ldap/ldap.go
@ -353,7 +353,7 @@ func (session *Session) createUserFilter(username string) string {
 	if username == "" {
 		filterTag = "*"
 	} else {
-		filterTag = username
+		filterTag = goldap.EscapeFilter(username)
 	}

 	ldapFilter := session.ldapConfig.LdapFilter
--- a/src/ui/auth/ldap/ldap.go
+++ b/src/ui/auth/ldap/ldap.go
@ -28,8 +28,6 @@ import (
 // Auth implements AuthenticateHelper interface to authenticate against LDAP
 type Auth struct{}

-const metaChars = "&|!=~*<>()"
-
 // Authenticate checks user's credential against LDAP based on basedn template and LDAP URL,
 // if the check is successful a dummy record will be inserted into DB, such that this user can
 // be associated to other entities in the system.
@ -40,11 +38,6 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
 		log.Debugf("LDAP authentication failed for empty user id.")
 		return nil, nil
 	}
-	for _, c := range metaChars {
-		if strings.ContainsRune(p, c) {
-			return nil, fmt.Errorf("the principal contains meta char: %q", c)
-		}
-	}

 	ldapSession, err := ldapUtils.LoadSystemLdapConfig()