Posted to commits@shiro.apache.org by lh...@apache.org on 2009/12/07 17:28:02 UTC
svn commit: r887987 -
/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java
Author: lhazlewood
Date: Mon Dec 7 16:28:00 2009
New Revision: 887987
URL: http://svn.apache.org/viewvc?rev=887987&view=rev
Log:
SHIRO-115 - applied suggested code to prevent code injection
Modified:
incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java
Modified: incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java?rev=887987&r1=887986&r2=887987&view=diff
==============================================================================
--- incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java (original)
+++ incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java Mon Dec 7 16:28:00 2009
@@ -169,9 +169,11 @@
userPrincipalName += principalSuffix;
}
- String searchFilter = "(&(objectClass=*)(userPrincipalName=" + userPrincipalName + "))";
+ //SHIRO-115 - prevent potential code injection:
+ String searchFilter = "(&(objectClass=*)(userPrincipalName={0}))";
+ Object[] searchArguments = new Object[]{userPrincipalName};
- NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchCtls);
+ NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult) answer.next();
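Review bot: The comment introduced on the `//SHIRO-115` line names the bug class loosely; what the removed concatenation permitted was LDAP search-filter injection (a submitted principal such as `*` or `x)(objectClass=*` rewrote the filter), and the new code is safe only because the `search(Name, String, Object[], SearchControls)` overload escapes the `{0}` argument per RFC 2254 instead of pasting it in. I would state that invariant in the comment so the next maintainer does not reintroduce concatenation: `// SHIRO-115: pass the principal as filter argument {0} so the JNDI provider escapes LDAP filter metacharacters (RFC 2254); never concatenate it into the filter string.` The escaping itself is done by the JNDI LDAP provider, so the guarantee should be confirmed against the provider actually configured rather than assumed from the JDK one. Note also that `{n}` in `searchFilter` is now syntax: if the filter is ever made configurable, a configured value containing `{1}` or similar would be interpreted as an argument reference and must be validated. The enclosing method starts before the hunk and continues after it.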