Fix unescaped user input in LDAP query (#24379)

Fix CVE-2023-28853
This commit is contained in:
Claire 2023-04-03 15:47:04 +02:00
parent 448986438e
commit 05c45e9eeb

View file

@ -6,7 +6,7 @@ module LdapAuthenticable
class_methods do class_methods do
def authenticate_with_ldap(params = {}) def authenticate_with_ldap(params = {})
ldap = Net::LDAP.new(ldap_options) ldap = Net::LDAP.new(ldap_options)
filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: params[:email]) filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: Net::LDAP::Filter.escape(params[:email]))
if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: params[:password])) if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: params[:password]))
ldap_get_user(user_info.first) ldap_get_user(user_info.first)