From 22cda198aedfacaa93e2666e54db963ab93825a8 Mon Sep 17 00:00:00 2001
From: Karl
Date: Wed, 8 Jun 2016 06:28:16 +0100
Subject: [PATCH] Apply EscapeFilter to username to address grafana/grafana#5121 (#5279)
---
 pkg/login/ldap.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/login/ldap.go b/pkg/login/ldap.go
index 0c817c9df0b..e02c59e1823 100644
--- a/pkg/login/ldap.go
+++ b/pkg/login/ldap.go
@@ -291,7 +291,7 @@ func (a *ldapAuther) searchForUser(username string) (*ldapUserInfo, error) {
 a.server.Attr.Name,
 a.server.Attr.MemberOf,
 },
- Filter: strings.Replace(a.server.SearchFilter, "%s", username, -1),
+ Filter: strings.Replace(a.server.SearchFilter, "%s", ldap.EscapeFilter(username), -1),
 }
 searchResult, err = a.conn.Search(&searchReq)
@@ -324,7 +324,7 @@ func (a *ldapAuther) searchForUser(username string) (*ldapUserInfo, error) {
 if a.server.GroupSearchFilterUserAttribute == "" {
 filter_replace = getLdapAttr(a.server.Attr.Username, searchResult)
 }
- filter := strings.Replace(a.server.GroupSearchFilter, "%s", filter_replace, -1)
+ filter := strings.Replace(a.server.GroupSearchFilter, "%s", ldap.EscapeFilter(filter_replace), -1)
 if ldapCfg.VerboseLogging {
 log.Info("LDAP: Searching for user's groups: %s", filter)
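Review bot: The escaping added on the `Filter:` line has no regression test (the diffstat shows only pkg/login/ldap.go changed), so nothing fails if a later edit drops the `ldap.EscapeFilter` call. A table test that passes usernames containing `*`, `(`, `)` and `\` through searchForUser and asserts the filter handed to `a.conn.Search` would pin the behaviour; the same applies to the group filter in the second hunk. I would also add a comment above the field, `// username is untrusted login input; escape it before substituting into SearchFilter`, so the reason is visible at the call site. searchForUser starts and ends outside this hunk.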
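Review bot: The substitute-then-escape expression now appears twice in searchForUser, here for `GroupSearchFilter` and in the first hunk for `SearchFilter`, and a future third call site can forget the escape. A one-line helper such as `func fillFilter(tmpl, value string) string { return strings.Replace(tmpl, "%s", ldap.EscapeFilter(value), -1) }` would keep substitution and escaping together. The assignment of `filter_replace` when `GroupSearchFilterUserAttribute` is set lies above the hunk, so I am assuming it is likewise a directory attribute value; escaping at the point of substitution covers both branches either way.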