From 08db73e55bbd2a6184354dad612959b629cfd200 Mon Sep 17 00:00:00 2001
From: Anatoliy Sablin
Date: Sun, 2 Aug 2020 16:05:54 +0300
Subject: [PATCH] Escape special characters in the LDAP query string.
---
 .../mxisd/backend/ldap/LdapAuthProvider.java | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/main/java/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java b/src/main/java/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
index 9d3d06e..53e90b6 100644
--- a/src/main/java/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
@@ -54,6 +54,8 @@ public class LdapAuthProvider extends LdapBackend implements AuthenticatorProvid
 private transient final Logger log = LoggerFactory.getLogger(LdapAuthProvider.class);
+ public static final char[] CHARACTERS_TO_ESCAPE = ",#+<>;\"=*\\\\".toCharArray();
+
 private PhoneNumberUtil phoneUtil = PhoneNumberUtil.getInstance();
 public LdapAuthProvider(LdapConfig cfg, MatrixConfig mxCfg) {
@@ -94,7 +96,8 @@ public class LdapAuthProvider extends LdapBackend implements AuthenticatorProvid
 return BackendAuthResult.failure();
 }
- String userFilter = "(" + getUidAtt() + "=" + userFilterValue + ")";
+ String filteredValue = escape(userFilterValue);
+ String userFilter = "(" + getUidAtt() + "=" + filteredValue + ")";
 userFilter = buildWithFilter(userFilter, getCfg().getAuth().getFilter());
 Set attributes = new HashSet<>();
@@ -167,4 +170,16 @@ public class LdapAuthProvider extends LdapBackend implements AuthenticatorProvid
 }
 }
+ private String escape(String raw) {
+ StringBuilder sb = new StringBuilder();
+ boolean escape;
+ for (char c : raw.toCharArray()) {
+ escape = false;
+ for (int i = 0; i < CHARACTERS_TO_ESCAPE.length && !escape; i++) {
+ escape = CHARACTERS_TO_ESCAPE[i] == c;
+ }
+ sb.append(escape ? "\\" + c : c);
+ }
+ return sb.toString();
+ }
 }
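Review bot: The new `escape` method still leaves the search filter injectable, because the set it consults (`CHARACTERS_TO_ESCAPE`, declared in the first hunk) is the RFC 4514 DN escape set and never includes `(`, `)` or NUL, so a `userFilterValue` such as `x)(objectClass=*` still closes the `(uid=...)` term built in the second hunk and appends its own clause. The escape form is also wrong for a filter: RFC 4515 requires a backslash followed by two hex digits (`\2a` for `*`, `\28` and `\29` for parentheses, `\5c` for backslash, `\00` for NUL), whereas `sb.append(escape ? "\\" + c : c)` emits `\,`, `\"` or `\*`, which a strict filter parser may reject, so a legitimate user whose identifier contains one of those characters could now fail to authenticate instead of being matched. I would replace the body with hex escaping of exactly the filter metacharacters and drop the DN-oriented constant (or, if the Apache Directory API is already on the classpath, delegate to its `FilterEncoder.encodeFilterValue`), with a Javadoc such as `/** Escapes RFC 4515 filter metacharacters so that raw cannot alter the filter structure. */` stating the intent. The class body closes at the end of this hunk, so the method is seen whole.
```java
    /** Escapes RFC 4515 filter metacharacters so that raw cannot alter the filter structure. */
    private String escape(String raw) {
        StringBuilder sb = new StringBuilder(raw.length());
        for (char c : raw.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
```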