deblan-mirror/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2024-06-11 21:02:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential ldap injection

Browse source 
Signed-off-by: Felix Eckhofer <felix@eckhofer.com>
This commit is contained in:
Felix Eckhofer 2023-02-25 20:27:52 +01:00 committed by Nicola Murino
parent e0cbb966f0
commit 71f691b208
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
examples/ldapauth/main.go
View file

@ -97,7 +97,7 @@ func main() {
// search the user trying to login and fetch some attributes, this search string is tested against 389ds using the default configuration
log.Printf("username=%s\n", username)
searchFilter := fmt.Sprintf("(uid=%s)", username)
searchFilter := fmt.Sprintf("(uid=%s)", ldap.EscapeFilter(username))
searchRequest := ldap.NewSearchRequest(
"ou=people," + rootDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,

2
examples/ldapauthserver/httpd/ldapauth.go
View file

@ -78,7 +78,7 @@ func checkSFTPGoUserAuth(w http.ResponseWriter, r *http.Request) {
searchRequest := ldap.NewSearchRequest(
ldapConfig.BaseDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
strings.Replace(ldapConfig.SearchFilter, "%s", authReq.Username, 1),
strings.Replace(ldapConfig.SearchFilter, "%s", ldap.EscapeFilter(authReq.Username), 1),
ldapConfig.SearchBaseAttrs,
nil,
)