Fix potential LDAP injection

Signed-off-by: Felix Eckhofer <felix@eckhofer.com>
This commit is contained in:
Felix Eckhofer 2023-02-25 20:27:52 +01:00 committed by Nicola Murino
parent e0cbb966f0
commit 71f691b208
2 changed files with 2 additions and 2 deletions


@ -97,7 +97,7 @@ func main() {
// search the user trying to login and fetch some attributes, this search string is tested against 389ds using the default configuration // search the user trying to login and fetch some attributes, this search string is tested against 389ds using the default configuration
log.Printf("username=%s\n", username) log.Printf("username=%s\n", username)
searchFilter := fmt.Sprintf("(uid=%s)", username) searchFilter := fmt.Sprintf("(uid=%s)", ldap.EscapeFilter(username))
searchRequest := ldap.NewSearchRequest( searchRequest := ldap.NewSearchRequest(
"ou=people," + rootDN, "ou=people," + rootDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
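Review bot: The log call two lines above the fixed searchFilter still writes the raw, unescaped username with `%s`, so a value containing newlines or control characters can forge extra log lines; since this is the same untrusted input the commit is escaping for the filter, `log.Printf("username=%q", username)` would quote and escape it in one step. The filter escaping itself looks right: ldap.EscapeFilter handles the assertion value inside `(uid=...)`, and the base DN is built from rootDN rather than from user input, so no DN escaping is needed in this hunk. If the username is also spliced into a DN elsewhere in main (for example for a bind), that spot would need DN-level escaping, which EscapeFilter does not provide. The enclosing main starts and ends outside the hunk, so I cannot confirm that from here.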


@ -78,7 +78,7 @@ func checkSFTPGoUserAuth(w http.ResponseWriter, r *http.Request) {
searchRequest := ldap.NewSearchRequest( searchRequest := ldap.NewSearchRequest(
ldapConfig.BaseDN, ldapConfig.BaseDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
strings.Replace(ldapConfig.SearchFilter, "%s", authReq.Username, 1), strings.Replace(ldapConfig.SearchFilter, "%s", ldap.EscapeFilter(authReq.Username), 1),
ldapConfig.SearchBaseAttrs, ldapConfig.SearchBaseAttrs,
nil, nil,
) )
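Review bot: The replacement on the filter line substitutes only the first `%s` (count 1), so a configured SearchFilter that repeats the placeholder, such as `(|(uid=%s)(mail=%s))`, would keep a literal `%s` in the second position and match nothing; if repeating the placeholder is meant to be supported, `strings.ReplaceAll(ldapConfig.SearchFilter, "%s", ldap.EscapeFilter(authReq.Username))` covers every occurrence, and if it is not, that constraint should be documented on the config field. The escaping is only sufficient when `%s` stands for an assertion value; EscapeFilter cannot protect a placeholder used as an attribute name or outside parentheses, so a comment like `// username is filter-escaped; SearchFilter must use %s only as an assertion value` would record the assumption for whoever edits the template. checkSFTPGoUserAuth begins and continues outside this hunk.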