Skip to content
Snippets Groups Projects
Unverified Commit 0e919397 authored by Claire's avatar Claire Committed by GitHub
Browse files

Fix unescaped user input in LDAP query (#24379)

parent fa98363a
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
app/models/concerns/ldap_authenticable.rb
+ 1
1
View file @ 0e919397
......@@ -6,7 +6,7 @@ module LdapAuthenticable
class_methods do
def authenticate_with_ldap(params = {})
ldap = Net::LDAP.new(ldap_options)
filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: params[:email])
filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: Net::LDAP::Filter.escape(params[:email]))
if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: params[:password]))
ldap_get_user(user_info.first)
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment