about summary refs log tree commit diff
path: root/app
diff options
context:
space:
mode:
authorClaire <claire.github-309c@sitedethib.com>2023-04-04 12:42:38 +0200
committerGitHub <noreply@github.com>2023-04-04 12:42:38 +0200
commit0e919397db4977182386b93d2092fdeb5dff1f16 (patch)
treec24434918f746f0d5ce567824a232b918f2a6a63 /app
parentfa98363a2789f23e110312f23bf4c00234dcd59a (diff)
Fix unescaped user input in LDAP query (#24379)
Diffstat (limited to 'app')
-rw-r--r--app/models/concerns/ldap_authenticable.rb2
1 files changed, 1 insertions, 1 deletions
diff --git a/app/models/concerns/ldap_authenticable.rb b/app/models/concerns/ldap_authenticable.rb
index dc5abcd5a..775df0817 100644
--- a/app/models/concerns/ldap_authenticable.rb
+++ b/app/models/concerns/ldap_authenticable.rb
@@ -6,7 +6,7 @@ module LdapAuthenticable
   class_methods do
     def authenticate_with_ldap(params = {})
       ldap   = Net::LDAP.new(ldap_options)
-      filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: params[:email])
+      filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: Net::LDAP::Filter.escape(params[:email]))
 
       if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: params[:password]))
         ldap_get_user(user_info.first)