Posted to commits@shiro.apache.org by lh...@apache.org on 2009/12/07 17:28:02 UTC

svn commit: r887987 - /incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java

Author: lhazlewood
Date: Mon Dec  7 16:28:00 2009
New Revision: 887987

URL: http://svn.apache.org/viewvc?rev=887987&view=rev
Log:
SHIRO-115 - applied suggested code to prevent code injection

Modified:
    incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java

Modified: incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java?rev=887987&r1=887986&r2=887987&view=diff
==============================================================================
--- incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java (original)
+++ incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java Mon Dec  7 16:28:00 2009
@@ -169,9 +169,11 @@
             userPrincipalName += principalSuffix;
         }
 
-        String searchFilter = "(&(objectClass=*)(userPrincipalName=" + userPrincipalName + "))";
+        //SHIRO-115 - prevent potential code injection:
+        String searchFilter = "(&(objectClass=*)(userPrincipalName={0}))";
+        Object[] searchArguments = new Object[]{userPrincipalName};
 
-        NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchCtls);
+        NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);
 
         while (answer.hasMoreElements()) {
             SearchResult sr = (SearchResult) answer.next();
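Review bot: The new code's safety now rests on the JNDI provider escaping the `{0}` argument (filter metacharacters in a String argument are escaped by the provider per the `DirContext.search(Name, String, Object[], SearchControls)` contract), but the comment on the `searchFilter` line does not record that assumption for the next maintainer; I would replace it with `// SHIRO-115: pass the principal as a filter argument so the provider escapes LDAP filter metacharacters (RFC 2254) rather than concatenating it into the filter string`. Separately, `NamingEnumeration answer` is a raw type; `NamingEnumeration<SearchResult> answer = ldapContext.search(...)` would remove the cast on `SearchResult sr = (SearchResult) answer.next();`. The enumeration is also released only when the loop exhausts it, so an exception thrown inside the loop leaves it open; wrapping the loop in a `try`/`finally` that calls `answer.close()` would avoid that. The enclosing method starts before the hunk and continues past it, so the exception path cannot be confirmed from here.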