Fix unescaped user input in LDAP query (#24379)

Fix CVE-2023-28853
author: Claire <claire.github-309c@sitedethib.com> 2023-04-03 15:47:04 +0200
committer: Claire <claire.github-309c@sitedethib.com> 2023-04-04 12:38:58 +0200
commit: 55144262d054a52b76baa9d077e235e5c61fac37 (patch)
tree: 7c0f7db1abc5a549e22e14062beebcc4aea4f1e5
parent: 40438675f8ddf0a6e30af4edef63286f8026f2b5 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/app/models/concerns/ldap_authenticable.rb b/app/models/concerns/ldap_authenticable.rb
index dc5abcd5acc..775df081764 100644
--- a/app/models/concerns/ldap_authenticable.rb
+++ b/app/models/concerns/ldap_authenticable.rb
@@ -6,7 +6,7 @@ module LdapAuthenticable
   class_methods do
     def authenticate_with_ldap(params = {})
       ldap   = Net::LDAP.new(ldap_options)
-      filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: params[:email])
+      filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: Net::LDAP::Filter.escape(params[:email]))
 
       if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: params[:password]))
         ldap_get_user(user_info.first)
author	Claire <claire.github-309c@sitedethib.com>	2023-04-03 15:47:04 +0200
committer	Claire <claire.github-309c@sitedethib.com>	2023-04-04 12:38:58 +0200
commit	55144262d054a52b76baa9d077e235e5c61fac37 (patch)
tree	7c0f7db1abc5a549e22e14062beebcc4aea4f1e5
parent	40438675f8ddf0a6e30af4edef63286f8026f2b5 (diff)