# HG changeset patch
# User Mads Kiilerich
# Date 2016-11-15 22:53:41
# Node ID 8076de6f78af1a6e559eb2b944f85366525b8880
# Parent 949c843bb53547b2046bb00556c857e0ba282f1a
auth: prevent LDAP query language injection of usernames
This could cause odd LDAP queries that could fail but couldn't give access without a valid user query and credentials. It thus had no security implications.
diff --git a/kallithea/lib/auth_modules/auth_ldap.py b/kallithea/lib/auth_modules/auth_ldap.py
--- a/kallithea/lib/auth_modules/auth_ldap.py
+++ b/kallithea/lib/auth_modules/auth_ldap.py
@@ -41,6 +41,7 @@ log = logging.getLogger(__name__)
 try:
 import ldap
+ import ldap.filter
 except ImportError:
 # means that python-ldap is not installed
 ldap = None
@@ -124,8 +125,9 @@ class AuthLdap(object):
 self.LDAP_BIND_DN)
 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
- filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login,
- username)
+ filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER,
+ ldap.filter.escape_filter_chars(self.attr_login),
+ ldap.filter.escape_filter_chars(username))
 log.debug("Authenticating %r filter %s at %s", self.BASE_DN,
 filter_, self.LDAP_SERVER)
 lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
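Review bot: The new `filter_ =` assignment escapes `username` and `self.attr_login` but still interpolates `self.LDAP_FILTER` verbatim, and nothing in the hunk records that this asymmetry is intentional, so a later edit could either escape the operator-supplied filter (breaking it) or assume the whole string has been sanitized. Add a comment above the assignment: `# LDAP_FILTER is operator-supplied filter syntax and is deliberately not escaped; only the user-controlled assertion value (and, defensively, the attribute name) go through escape_filter_chars.` A regression test that builds the filter for a username containing `*`, `(`, `)` and `\` and asserts that each comes out as its `\xx` hex escape would pin the fix and keep it from regressing. The first hunk's `import ldap.filter` sits inside the `except ImportError` guard, so the escaping path presumably relies on `ldap is None` being checked before this method runs; worth confirming since that check is outside the hunk. The enclosing method starts before the hunk and continues after it.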