ensure that LDAP filter values are escaped

2025-10-05 07:56:17 +00:00 · 2025-09-03 19:02:17 +02:00
1 changed files with 2 additions and 2 deletions
--- a/internal/app/auth/auth_ldap.go
+++ b/internal/app/auth/auth_ldap.go
@@ -54,7 +54,7 @@ func (l LdapAuthenticator) PlaintextAuthentication(userId domain.UserIdentifier,

 	attrs := []string{"dn"}

-	loginFilter := strings.Replace(l.cfg.LoginFilter, "{{login_identifier}}", string(userId), -1)
+	loginFilter := strings.Replace(l.cfg.LoginFilter, "{{login_identifier}}", ldap.EscapeFilter(string(userId)), -1)
 	searchRequest := ldap.NewSearchRequest(
 		l.cfg.BaseDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 20, false, // 20 second time limit
@@ -100,7 +100,7 @@ func (l LdapAuthenticator) GetUserInfo(_ context.Context, userId domain.UserIden

 	attrs := internal.LdapSearchAttributes(&l.cfg.FieldMap)

-	loginFilter := strings.Replace(l.cfg.LoginFilter, "{{login_identifier}}", string(userId), -1)
+	loginFilter := strings.Replace(l.cfg.LoginFilter, "{{login_identifier}}", ldap.EscapeFilter(string(userId)), -1)
 	searchRequest := ldap.NewSearchRequest(
 		l.cfg.BaseDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 20, false, // 20 second time limit