Posted to commits@cloudstack.apache.org by da...@apache.org on 2023/01/10 10:55:00 UTC

[cloudstack] branch 4.16 updated: escapes for injection prtection (#7069)

This is an automated email from the ASF dual-hosted git repository.

dahn pushed a commit to branch 4.16
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/4.16 by this push:
     new dffbc87278f escapes for injection prtection (#7069)
dffbc87278f is described below

commit dffbc87278fce22b5f34847a0ff79ecb4e529364
Author: dahn <da...@onecht.net>
AuthorDate: Tue Jan 10 02:54:51 2023 -0800

    escapes for injection prtection (#7069)
---
 .../java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
index 5fe27e50d4d..07d896a2c84 100644
--- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
+++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
@@ -83,7 +83,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
         usernameFilter.append("(");
         usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
         usernameFilter.append("=");
-        usernameFilter.append((username == null ? "*" : username));
+        usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
         usernameFilter.append(")");
 
         String memberOfAttribute = _ldapConfiguration.getUserMemberOfAttribute(domainId);
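Review bot: The expression `x == null ? "*" : LdapUtils.escapeLDAPSearchFilter(x)` is now copied into three filter builders (this `usernameFilter`, the `groupNameFilter` hunk at -154 and the second `usernameFilter` at -194), so a filter added to this class later can miss the escape without anyone noticing. A private helper such as `private static String filterValue(String v) { return v == null ? "*" : LdapUtils.escapeLDAPSearchFilter(v); }` would keep the rule in one place. The diffstat lists only this file, so no test accompanies the change; a unit test that passes a name containing `*`, `(`, `)` and `\` and asserts the escaped filter text would pin the behaviour. The enclosing method starts and ends outside the hunk.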
@@ -154,7 +154,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
         groupNameFilter.append("(");
         groupNameFilter.append(_ldapConfiguration.getCommonNameAttribute());
         groupNameFilter.append("=");
-        groupNameFilter.append((groupName == null ? "*" : groupName));
+        groupNameFilter.append((groupName == null ? "*" : LdapUtils.escapeLDAPSearchFilter(groupName)));
         groupNameFilter.append(")");
 
         final StringBuilder result = new StringBuilder();
@@ -194,7 +194,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
         usernameFilter.append("(");
         usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
         usernameFilter.append("=");
-        usernameFilter.append((username == null ? "*" : username));
+        usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
         usernameFilter.append(")");
 
         final StringBuilder memberOfFilter = new StringBuilder();
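Review bot: The `memberOfFilter` declared on the last line of this hunk is assembled outside the visible lines, and the commit changes only the `usernameFilter` value in this method. If that filter interpolates a caller-supplied group name or DN, it presumably needs `LdapUtils.escapeLDAPSearchFilter(...)` too, because a DN used as a filter assertion value still goes through filter parsing. Once confirmed, a comment above the appends such as `// values are filter-escaped; attribute names come from _ldapConfiguration and are treated as trusted` would make the trust boundary explicit, provided that assumption about the configuration holds. The method body continues past the end of the hunk.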