Escape wildcards when searching LDAP by username.

757dca2b · Douwe Maan · e916f1c2 · 757dca2b · 757dca2b · 757dca2b
Commit 757dca2b authored Mar 06, 2015 by Douwe Maan
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

CHANGELOG CHANGELOG +1 -0

lib/gitlab/ldap/authentication.rb lib/gitlab/ldap/authentication.rb +1 -1

lib/gitlab/ldap/person.rb lib/gitlab/ldap/person.rb +2 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -20,6 +20,7 @@ v 7.9.0 (unreleased)
  - Add brakeman (security scanner for Ruby on Rails)
  - Slack username and channel options
  - Add grouped milestones from all projects to dashboard.
+  - Escape wildcards when searching LDAP by username.

 v 7.8.1
  - Fix run of custom post receive hooks

--- a/lib/gitlab/ldap/authentication.rb
+++ b/lib/gitlab/ldap/authentication.rb
@@ -50,7 +50,7 @@ module Gitlab
      end

      def user_filter(login)
-        filter = Net::LDAP::Filter.eq(config.uid, login)
+        filter = Net::LDAP::Filter.equals(config.uid, login)

        # Apply LDAP user filter if present
        if config.user_filter.present?

--- a/lib/gitlab/ldap/person.rb
+++ b/lib/gitlab/ldap/person.rb
@@ -9,10 +9,12 @@ module Gitlab
      attr_accessor :entry, :provider

      def self.find_by_uid(uid, adapter)
+        uid = Net::LDAP::Filter.escape(uid)
        adapter.user(adapter.config.uid, uid)
      end

      def self.find_by_dn(dn, adapter)
+        dn = Net::LDAP::Filter.escape(dn)
        adapter.user('dn', dn)
      end