From 0ad5d46a4c1573ab0aba0b81b0790fc5d932a4dd Mon Sep 17 00:00:00 2001
From: genericpenguin
Date: Mon, 18 Mar 2019 11:54:31 +1100
Subject: [PATCH] escape special chars when creating group filter.

The LDAP search filter used for group queries needs to be escaped so that group names with special characters will not break the search filter in queries.
---
 app/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/models.py b/app/models.py
index f60f10c..24764b8 100644
--- a/app/models.py
+++ b/app/models.py
@@ -171,7 +171,7 @@ class User(db.Model):
 whether a user is allowed to enter or not
 """
 LDAP_BASE_DN = Setting().get('ldap_base_dn')
- groupSearchFilter = "(&(objectcategory=group)(member=%s))" % groupDN
+ groupSearchFilter = "(&(objectcategory=group)(member=%s))" % ldap.filter.escape_filter_chars(groupDN)
 result = [groupDN]
 try:
 groups = self.ldap_search(groupSearchFilter, LDAP_BASE_DN)
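Review bot: The new `groupSearchFilter` line calls `ldap.filter.escape_filter_chars`, but `ldap.filter` is a submodule and nothing in this hunk shows it being imported. If `app/models.py` only has `import ldap`, the call may raise `AttributeError`, so add an explicit `import ldap.filter` at the top of the file. The assignment sits before the `try:`, so such an error would propagate out of this group-membership check instead of being handled with the search errors; the method body starts and ends outside the hunk, so confirm the caller denies access in that case. The escaping itself is the right one for a filter assertion value, and a short comment such as `# escape the DN for filter context so (, ), * and \ cannot alter the filter` would keep a later refactor from dropping it. Any other filter in this file built with `%` from a username or DN would need the same escaping; none are visible here.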