Escape the user before using it in any search filter

grrttedwards · grrttedwards · commit af901c897b9e · 2023-05-24T16:03:14.000-04:00
nginxinc/nginx-ldap-auth@c0a43f4
diff --git a/root/app/nginx-ldap-auth-daemon.py b/root/app/nginx-ldap-auth-daemon.py
@@ -5,7 +5,7 @@
 # Copyright (C) 2014-2015 Nginx, Inc.
 # Copyright (C) 2018 LinuxServer.io
 
-import sys, os, signal, base64, ldap, argparse
+import sys, os, signal, base64, ldap, ldap.filter, argparse
 if sys.version_info.major == 2:
     from Cookie import BaseCookie
     from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
@@ -101,7 +101,7 @@ def do_GET(self):
             self.log_error(e)
             return True
 
-        ctx['user'] = user
+        ctx['user'] = ldap.filter.escape_filter_chars(user)
         ctx['pass'] = passwd
 
         # Continue request processing
