Changeset - 8076de6f78af
Mads Kiilerich - 9 years ago 2016-11-15 22:53:41
madski@unity3d.com
auth: prevent LDAP query language injection of usernames

This could produce malformed LDAP filters that would make the user search fail, but it could not grant access: a login still required a matching user entry and valid credentials. It thus had no security implications.
1 file changed with 4 insertions and 2 deletions:
kallithea/lib/auth_modules/auth_ldap.py
 
@@ -38,12 +38,13 @@ from kallithea.lib.exceptions import (
 
from kallithea.model.db import User
 

	
 
log = logging.getLogger(__name__)
 

	
 
try:
 
    import ldap
 
    import ldap.filter
 
except ImportError:
 
    # means that python-ldap is not installed
 
    ldap = None
 

	
 

	
 
class AuthLdap(object):
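Review bot: The new `import ldap.filter` is placed inside the `try` whose `except ImportError` collapses everything to `ldap = None`, so if python-ldap is missing the `ldap.filter.escape_filter_chars` calls this commit adds in `AuthLdap` would fail with an AttributeError on `None` rather than a clear error; presumably the existing `LdapImportError` (imported at the top of the file) is raised before that point, but it is worth confirming that check precedes the first `ldap.filter` use. The explicit submodule import itself is the right call, since `import ldap` alone is not guaranteed to load `ldap.filter`. The comment on the except branch could be widened to reflect both cases: `# python-ldap (or its ldap.filter submodule) is not installed`.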
 
@@ -121,14 +122,15 @@ class AuthLdap(object):
 

	
 
            if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
 
                log.debug('Trying simple_bind with password and given DN: %s',
 
                          self.LDAP_BIND_DN)
 
                server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
 

	
 
            filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login,
 
                                        username)
 
            filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER,
 
                                        ldap.filter.escape_filter_chars(self.attr_login),
 
                                        ldap.filter.escape_filter_chars(username))
 
            log.debug("Authenticating %r filter %s at %s", self.BASE_DN,
 
                      filter_, self.LDAP_SERVER)
 
            lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
 
                                           filter_)
 

	
 
            if not lobjects: