Escape special characters in the LDAP query string.

2020-08-02 16:05:54 +03:00
parent 9fba20475b
commit 08db73e55b
1 changed files with 16 additions and 1 deletions
--- a/src/main/java/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
@@ -54,6 +54,8 @@ public class LdapAuthProvider extends LdapBackend implements AuthenticatorProvid

    private transient final Logger log = LoggerFactory.getLogger(LdapAuthProvider.class);

+    public static final char[] CHARACTERS_TO_ESCAPE = ",#+<>;\"=*\\\\".toCharArray();
+
    private PhoneNumberUtil phoneUtil = PhoneNumberUtil.getInstance();

    public LdapAuthProvider(LdapConfig cfg, MatrixConfig mxCfg) {
@@ -94,7 +96,8 @@ public class LdapAuthProvider extends LdapBackend implements AuthenticatorProvid
                return BackendAuthResult.failure();
            }

-            String userFilter = "(" + getUidAtt() + "=" + userFilterValue + ")";
+            String filteredValue = escape(userFilterValue);
+            String userFilter = "(" + getUidAtt() + "=" + filteredValue + ")";
            userFilter = buildWithFilter(userFilter, getCfg().getAuth().getFilter());

            Set<String> attributes = new HashSet<>();
@@ -167,4 +170,16 @@ public class LdapAuthProvider extends LdapBackend implements AuthenticatorProvid
        }
    }

+    private String escape(String raw) {
+        StringBuilder sb = new StringBuilder();
+        boolean escape;
+        for (char c : raw.toCharArray()) {
+            escape = false;
+            for (int i = 0; i < CHARACTERS_TO_ESCAPE.length && !escape; i++) {
+                escape = CHARACTERS_TO_ESCAPE[i] == c;
+            }
+            sb.append(escape ? "\\" + c : c);
+        }
+        return sb.toString();
+    }
 }