diff options
author | Claire <claire.github-309c@sitedethib.com> | 2023-04-03 15:47:04 +0200 |
---|---|---|
committer | Claire <claire.github-309c@sitedethib.com> | 2023-04-04 12:39:56 +0200 |
commit | 05c45e9eebf97ec5412f39d7b9e2a8a7c49d2d41 (patch) | |
tree | ef42f90237bcc768cc5e8811e59d627592918bff | |
parent | 448986438ebbe3fa8062487cccbfe57a469ba7d9 (diff) |
Fix unescaped user input in LDAP query (#24379)
Fix CVE-2023-28853
-rw-r--r-- | app/models/concerns/ldap_authenticable.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/models/concerns/ldap_authenticable.rb b/app/models/concerns/ldap_authenticable.rb index dc5abcd5acc..775df081764 100644 --- a/app/models/concerns/ldap_authenticable.rb +++ b/app/models/concerns/ldap_authenticable.rb @@ -6,7 +6,7 @@ module LdapAuthenticable class_methods do def authenticate_with_ldap(params = {}) ldap = Net::LDAP.new(ldap_options) - filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: params[:email]) + filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: Net::LDAP::Filter.escape(params[:email])) if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: params[:password])) ldap_get_user(user_info.first) |