Apply EscapeFilter to username to address grafana/grafana#5121 (#5279)

2025-02-25 18:55:37 -06:00 · 2016-06-08 06:28:16 +01:00
parent d1c06a93df
commit 22cda198ae
1 changed files with 2 additions and 2 deletions
--- a/pkg/login/ldap.go
+++ b/pkg/login/ldap.go
@@ -291,7 +291,7 @@ func (a *ldapAuther) searchForUser(username string) (*ldapUserInfo, error) {
 				a.server.Attr.Name,
 				a.server.Attr.MemberOf,
 			},
-			Filter: strings.Replace(a.server.SearchFilter, "%s", username, -1),
+			Filter: strings.Replace(a.server.SearchFilter, "%s", ldap.EscapeFilter(username), -1),
 		}

 		searchResult, err = a.conn.Search(&searchReq)
@@ -324,7 +324,7 @@ func (a *ldapAuther) searchForUser(username string) (*ldapUserInfo, error) {
 			if a.server.GroupSearchFilterUserAttribute == "" {
 				filter_replace = getLdapAttr(a.server.Attr.Username, searchResult)
 			}
-			filter := strings.Replace(a.server.GroupSearchFilter, "%s", filter_replace, -1)
+			filter := strings.Replace(a.server.GroupSearchFilter, "%s", ldap.EscapeFilter(filter_replace), -1)

 			if ldapCfg.VerboseLogging {
 				log.Info("LDAP: Searching for user's groups: %s", filter)