Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 08ded7f

Browse filesBrowse files
nicolas-grekasnicolas-grekas
committed
bug #36498 [Security/Core] fix escape for username in LdapBindAuthenticationProvider.php (stoccc)
This PR was merged into the 3.4 branch. Discussion ---------- [Security/Core] fix escape for username in LdapBindAuthenticationProvider.php | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | License | MIT I think that when we call `ldap_search()` as definitely it will do the `$this->ldap->query()` call, the proper filter applied should be `LdapInterface::ESCAPE_FILTER` as documented in https://www.php.net/manual/en/function.ldap-escape.php while `LdapInterface::ESCAPE_DN` should be used for `dn` only This simple change should fix, I'm sorry if I'm wrong. Commits ------- 4bda68a Update LdapBindAuthenticationProvider.php
2 parents 6642f09 + 4bda68a commit 08ded7f
Copy full SHA for 08ded7f

File tree

1 file changed

+2
-2
lines changed
Filter options

1 file changed

+2
-2
lines changed

‎src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
+2-2Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -87,9 +87,8 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
8787
}
8888

8989
try {
90-
$username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);
91-
9290
if ($this->queryString) {
91+
$username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_FILTER);
9392
$query = str_replace('{username}', $username, $this->queryString);
9493
$result = $this->ldap->query($this->dnString, $query)->execute();
9594
if (1 !== $result->count()) {
@@ -98,6 +97,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
9897

9998
$dn = $result[0]->getDn();
10099
} else {
100+
$username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);
101101
$dn = str_replace('{username}', $username, $this->dnString);
102102
}
103103

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.