Merge pull request #3872 from stonezdj/ldap_security

Call EscapeFilter for the filter to avoid a security issue
Daniel Jiang 2017-12-26 17:04:20 +08:00 committed by GitHub
commit 923a1457e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 1 additions and 8 deletions


@ -353,7 +353,7 @@ func (session *Session) createUserFilter(username string) string {
if username == "" {
filterTag = "*"
} else {
filterTag = username
filterTag = goldap.EscapeFilter(username)
}
ldapFilter := session.ldapConfig.LdapFilter
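Review bot: With the `metaChars` rejection removed from `Authenticate` in the same commit, the `goldap.EscapeFilter(username)` call in the `else` branch becomes the only guard between a login name and the LDAP search filter, and nothing on that line records it. I would add a comment above it, `// username is untrusted login input; escape it per RFC 4515 before it is spliced into the search filter`, and a unit test that passes names containing `*`, `(`, `)` and `\` and asserts the returned filter keeps them escaped. Filter escaping does not cover DN construction, so if the principal is also substituted into a DN elsewhere (the `Authenticate` doc comment mentions a basedn template), that path needs its own escaping; this cannot be confirmed from the lines shown. `createUserFilter` starts before and continues past this hunk.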


@ -28,8 +28,6 @@ import (
// Auth implements AuthenticateHelper interface to authenticate against LDAP
type Auth struct{}
const metaChars = "&|!=~*<>()"
// Authenticate checks user's credential against LDAP based on basedn template and LDAP URL,
// if the check is successful a dummy record will be inserted into DB, such that this user can
// be associated to other entities in the system.
@ -40,11 +38,6 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
log.Debugf("LDAP authentication failed for empty user id.")
return nil, nil
}
for _, c := range metaChars {
if strings.ContainsRune(p, c) {
return nil, fmt.Errorf("the principal contains meta char: %q", c)
}
}
ldapSession, err := ldapUtils.LoadSystemLdapConfig()