summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorClaire <claire.github-309c@sitedethib.com>2023-04-03 15:47:04 +0200
committerClaire <claire.github-309c@sitedethib.com>2023-04-04 12:41:27 +0200
commitb9f271364e8be91e822fc621c0d99cdd66a7acf1 (patch)
treeb0eb5bc887b5bb0d34c6e4de793fbb12d4bb767d
parent4eaa6d58b2679b27b2fb6f9a3a41101ee65db63c (diff)
Fix unescaped user input in LDAP query (#24379)
Fix CVE-2023-28853
Diffstat
-rw-r--r--app/models/concerns/ldap_authenticable.rb2
1 files changed, 1 insertions, 1 deletions
diff --git a/app/models/concerns/ldap_authenticable.rb b/app/models/concerns/ldap_authenticable.rb
index dc5abcd5acc..775df081764 100644
--- a/app/models/concerns/ldap_authenticable.rb
+++ b/app/models/concerns/ldap_authenticable.rb
@@ -6,7 +6,7 @@ module LdapAuthenticable
class_methods do
def authenticate_with_ldap(params = {})
ldap = Net::LDAP.new(ldap_options)
- filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: params[:email])
+ filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: Net::LDAP::Filter.escape(params[:email]))
if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: params[:password]))
ldap_get_user(user_info.first)
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-01 23:12:36 +0000