Use EscapeFilter to prevent ldap-injections

merge-requests/6/head
meskio 5 years ago
parent ccab7e2544
commit 8c1de52f9f
Signed by: meskio
GPG Key ID: 52B8F5AC97A2DA86
  1. 2
      ldap/group.go
  2. 2
      ldap/user.go

@ -15,7 +15,7 @@ func (l Ldap) InGroup(user string, group string) bool {
defer conn.Close()
searchRequest := ldap.NewSearchRequest(
fmt.Sprintf("cn=%s,ou=group,%s", group, l.DC),
fmt.Sprintf("cn=%s,ou=group,%s", ldap.EscapeFilter(group), l.DC),
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(&(objectClass=posixGroup)(memberUid=%s))", user),
[]string{"dn"},
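Review bot: In InGroup the `user` argument is still formatted unescaped into the search filter `(memberUid=%s)`, the one place in this request where filter escaping applies; that line should become `fmt.Sprintf("(&(objectClass=posixGroup)(memberUid=%s))", ldap.EscapeFilter(user)),`. The added escaping wraps `group`, but `group` is placed in the base DN, and EscapeFilter implements the filter rules (RFC 4515), not the DN rules (RFC 4514), so characters such as `,`, `+` and `=` pass through unchanged. For the DN component, use a DN-escaping helper (`ldap.EscapeDN`, if the go-ldap version in use provides it) or reject group names outside an expected character set. InGroup begins and ends outside this hunk, so how the search result is used is not visible here.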

@ -53,7 +53,7 @@ func (l *Ldap) searchUser(user string, conn *ldap.Conn) (entry *ldap.Entry, err
searchRequest := ldap.NewSearchRequest(
"ou=people,"+l.DC,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(&(objectClass=posixAccount)(uid=%s))", user),
fmt.Sprintf("(&(objectClass=posixAccount)(uid=%s))", ldap.EscapeFilter(user)),
[]string{"dn"},
nil,
)
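Review bot: Nothing at the call site in searchUser records why `user` is wrapped, so a later rewrite of the filter string could drop the escaping unnoticed. A one-line comment above the filter would help, for example `// user is caller-supplied; EscapeFilter keeps it a literal value inside (uid=...)`. The diffstat lists only ldap/group.go and ldap/user.go, so a regression test that passes a name containing `*` or `)` and expects no entry appears not to be part of this commit. searchUser continues outside this hunk.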
