Escape username before LDAP search.

2017-10-17 13:31:13 +02:00 · 2017-10-17 13:31:13 +02:00 · 940f2b5a9d
parent a70a426cfd
commit 940f2b5a9d
1 changed files with 1 additions and 1 deletions
--- a/api/index.php
+++ b/api/index.php
@ -42,7 +42,7 @@ if ($config['auth_type'] == 'db') {
 	$ldap = @ldap_connect($config['ldap_uri']);
 	@ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
 	@ldap_bind($ldap, $config['ldap_bind_dn'], $config['ldap_bind_pw']);
-	$filter = str_replace('%user%', $input->user, $config['ldap_search']);
+	$filter = str_replace('%user%', @ldap_escape($input->user, null, LDAP_ESCAPE_FILTER), $config['ldap_search']);
 	$result = @ldap_search($ldap, $config['ldap_base_dn'], $filter, array('dn'));
 	$dn = @ldap_get_dn($ldap, ldap_first_entry($ldap, $result));
 	if (@ldap_bind($ldap, $dn, $input->password)) {