
Fix potential LDAP injection

Signed-off-by: Felix Eckhofer <felix@eckhofer.com>
Felix Eckhofer 2 years ago
71f691b208
2 changed files with 2 additions and 2 deletions
  1. 1 1
      examples/ldapauth/main.go
  2. 1 1
      examples/ldapauthserver/httpd/ldapauth.go

+ 1 - 1
examples/ldapauth/main.go

@@ -97,7 +97,7 @@ func main() {
 
 	// search the user trying to login and fetch some attributes, this search string is tested against 389ds using the default configuration
 	log.Printf("username=%s\n", username)
-	searchFilter := fmt.Sprintf("(uid=%s)", username)
+	searchFilter := fmt.Sprintf("(uid=%s)", ldap.EscapeFilter(username))
 	searchRequest := ldap.NewSearchRequest(
 		"ou=people," + rootDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
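Review bot: The escape on the new `searchFilter` line is the right fix, but the line just above it, `log.Printf("username=%s\n", username)`, still writes the raw username to the log, so a value containing newlines or control characters can forge extra log lines; `log.Printf("username=%q", username)` quotes and escapes it, and the trailing `\n` is redundant because log.Printf already terminates the line. A why-comment on the new line would also help the next reader keep it: `// escape filter metacharacters (RFC 4515) so the username cannot alter the search expression`. The enclosing `main` starts and ends outside the hunk.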

+ 1 - 1
examples/ldapauthserver/httpd/ldapauth.go

@@ -78,7 +78,7 @@ func checkSFTPGoUserAuth(w http.ResponseWriter, r *http.Request) {
 	searchRequest := ldap.NewSearchRequest(
 		ldapConfig.BaseDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		strings.Replace(ldapConfig.SearchFilter, "%s", authReq.Username, 1),
+		strings.Replace(ldapConfig.SearchFilter, "%s", ldap.EscapeFilter(authReq.Username), 1),
 		ldapConfig.SearchBaseAttrs,
 		nil,
 	)
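Review bot: ldap.EscapeFilter on the new line assumes the `%s` placeholder in `ldapConfig.SearchFilter` sits in an assertion-value position; if an operator's template places it elsewhere (inside a DN or attribute-name position, for instance) value escaping is not sufficient, so that contract should be documented next to the config field or here, e.g. `// username is value-escaped per RFC 4515; SearchFilter must use %s only as an attribute value`. Note also that `strings.Replace(..., 1)` substitutes only the first `%s`, so a template with two occurrences keeps the second one literally, which is probably harmless but worth stating. `checkSFTPGoUserAuth` continues past the end of the hunk.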