You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by da...@apache.org on 2023/01/10 10:55:00 UTC
[cloudstack] branch 4.16 updated: escapes for injection prtection (#7069)
This is an automated email from the ASF dual-hosted git repository.
dahn pushed a commit to branch 4.16
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.16 by this push:
new dffbc87278f escapes for injection prtection (#7069)
dffbc87278f is described below
commit dffbc87278fce22b5f34847a0ff79ecb4e529364
Author: dahn <da...@onecht.net>
AuthorDate: Tue Jan 10 02:54:51 2023 -0800
escapes for injection prtection (#7069)
---
.../java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
index 5fe27e50d4d..07d896a2c84 100644
--- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
+++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
@@ -83,7 +83,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
usernameFilter.append("(");
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
usernameFilter.append("=");
- usernameFilter.append((username == null ? "*" : username));
+ usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
usernameFilter.append(")");
String memberOfAttribute = _ldapConfiguration.getUserMemberOfAttribute(domainId);
@@ -154,7 +154,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
groupNameFilter.append("(");
groupNameFilter.append(_ldapConfiguration.getCommonNameAttribute());
groupNameFilter.append("=");
- groupNameFilter.append((groupName == null ? "*" : groupName));
+ groupNameFilter.append((groupName == null ? "*" : LdapUtils.escapeLDAPSearchFilter(groupName)));
groupNameFilter.append(")");
final StringBuilder result = new StringBuilder();
@@ -194,7 +194,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
usernameFilter.append("(");
usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
usernameFilter.append("=");
- usernameFilter.append((username == null ? "*" : username));
+ usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
usernameFilter.append(")");
final StringBuilder memberOfFilter = new StringBuilder();