mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-24 17:47:46 +01:00
Merge pull request #3872 from stonezdj/ldap_security
Call EscapeFilter for filter to avoid security issue
commit
923a1457e5
@ -353,7 +353,7 @@ func (session *Session) createUserFilter(username string) string {
|
||||
if username == "" {
|
||||
filterTag = "*"
|
||||
} else {
|
||||
filterTag = username
|
||||
filterTag = goldap.EscapeFilter(username)
|
||||
}
|
||||
|
||||
ldapFilter := session.ldapConfig.LdapFilter
|
||||
|
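Review bot: The new `filterTag = goldap.EscapeFilter(username)` line in createUserFilter becomes the only guard on the username, because this same commit deletes the `metaChars` rejection loop from `Auth.Authenticate`, and nothing at the call site records that dependency. I would add a comment above it such as `// Escape LDAP search-filter metacharacters so the username is always matched as a literal value; Authenticate no longer rejects them.` EscapeFilter only covers search-filter syntax, so if the principal is also substituted into a DN elsewhere (the Authenticate doc comment mentions a basedn template, but that code is not visible here), that path would need its own DN escaping. A unit test that passes a username containing `*` or `(` and asserts the escaped filter string would pin this behaviour. createUserFilter's body starts before and continues after the hunk.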
@ -28,8 +28,6 @@ import (
|
||||
// Auth implements AuthenticateHelper interface to authenticate against LDAP
|
||||
type Auth struct{}
|
||||
|
||||
const metaChars = "&|!=~*<>()"
|
||||
|
||||
// Authenticate checks user's credential against LDAP based on basedn template and LDAP URL,
|
||||
// if the check is successful a dummy record will be inserted into DB, such that this user can
|
||||
// be associated to other entities in the system.
|
||||
@ -40,11 +38,6 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
|
||||
log.Debugf("LDAP authentication failed for empty user id.")
|
||||
return nil, nil
|
||||
}
|
||||
for _, c := range metaChars {
|
||||
if strings.ContainsRune(p, c) {
|
||||
return nil, fmt.Errorf("the principal contains meta char: %q", c)
|
||||
}
|
||||
}
|
||||
|
||||
ldapSession, err := ldapUtils.LoadSystemLdapConfig()
|
||||
|
||||
|