]> source.dussan.org Git - gitea.git/commitdiff
projects / gitea.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 45f1752)
EscapeFilter the group dn membership (#20200)
authorzeripath <art27@cantab.net>
Tue, 5 Jul 2022 15:59:27 +0000 (16:59 +0100)
committerGitHub <noreply@github.com>
Tue, 5 Jul 2022 15:59:27 +0000 (16:59 +0100)
The uid provided to the group filter must be properly escaped using the provided
ldap.EscapeFilter function.

Fix #20181

Signed-off-by: Andrew Thornton <art27@cantab.net>
services/auth/source/ldap/source_search.go patch | blob | history

diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go
index 988d56005e011a6555d79a154a548a0860b70336..a97a1179d9bcd4658628f90f217fdefcb29adf73 100644 (file)
--- a/services/auth/source/ldap/source_search.go
+++ b/services/auth/source/ldap/source_search.go
@@ -199,7 +199,7 @@ func checkRestricted(l *ldap.Conn, ls *Source, userDN string) bool {
 // List all group memberships of a user
 func (source *Source) listLdapGroupMemberships(l *ldap.Conn, uid string) []string {
        var ldapGroups []string
-       groupFilter := fmt.Sprintf("(%s=%s)", source.GroupMemberUID, uid)
+       groupFilter := fmt.Sprintf("(%s=%s)", source.GroupMemberUID, ldap.EscapeFilter(uid))
        result, err := l.Search(ldap.NewSearchRequest(
                source.GroupDN,
                ldap.ScopeWholeSubtree,
Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD: https://github.com/go-gitea/gitea