projects / quassel.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix a security issue with LDAP usernames
[quassel.git] / src / core / ldapauthenticator.cpp
diff --git a/src/core/ldapauthenticator.cpp b/src/core/ldapauthenticator.cpp
index 0eedc3c..ade3f42 100644 (file)
--- a/src/core/ldapauthenticator.cpp
+++ b/src/core/ldapauthenticator.cpp
@@ -28,6 +28,7 @@
 
 #include "ldapauthenticator.h"
 
+#include "ldapescaper.h"
 #include "network.h"
 #include "quassel.h"
 
@@ -241,7 +242,7 @@ bool LdapAuthenticator::ldapAuth(const QString& username, const QString& passwor
 
     LDAPMessage *msg = nullptr, *entry = nullptr;
 
-    const QByteArray ldapQuery = "(&(" + uidAttribute + '=' + username.toLocal8Bit() + ")" + _filter.toLocal8Bit() + ")";
+    const QByteArray ldapQuery = "(&(" + uidAttribute + '=' + LdapEscaper::escapeQuery(username).toLatin1() + ")" + _filter.toLocal8Bit() + ")";
 
     res = ldap_search_ext_s(_connection,
                             baseDN.constData(),
Quassel IRC