Fix a security issue with LDAP usernames

[quassel.git] / src / core / ldapauthenticator.cpp

diff --git a/src/core/ldapauthenticator.cpp b/src/core/ldapauthenticator.cpp
index e7dc3c0..ade3f42 100644 (file)
--- a/src/core/ldapauthenticator.cpp
+++ b/src/core/ldapauthenticator.cpp
@@ -1,5 +1,5 @@
 /***************************************************************************
- *   Copyright (C) 2005-2018 by the Quassel Project                        *
+ *   Copyright (C) 2005-2020 by the Quassel Project                        *
  *   devel@quassel-irc.org                                                 *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -28,6 +28,7 @@
 
 #include "ldapauthenticator.h"
 
+#include "ldapescaper.h"
 #include "network.h"
 #include "quassel.h"
 
@@ -128,7 +129,7 @@ UserId LdapAuthenticator::validateUser(const QString& username, const QString& p
     // Users created via LDAP have empty passwords, but authenticator column = LDAP.
     // On the other hand, if auth succeeds and the user already exists, do a final
     // cross-check to confirm we're using the right auth provider.
-    UserId quasselId = Core::validateUser(lUsername, QString());
+    UserId quasselId = Core::getUserId(lUsername);
     if (!quasselId.isValid()) {
         return Core::addUser(lUsername, QString(), backendId());
     }
@@ -241,7 +242,7 @@ bool LdapAuthenticator::ldapAuth(const QString& username, const QString& passwor
 
     LDAPMessage *msg = nullptr, *entry = nullptr;
 
-    const QByteArray ldapQuery = "(&(" + uidAttribute + '=' + username.toLocal8Bit() + ")" + _filter.toLocal8Bit() + ")";
+    const QByteArray ldapQuery = "(&(" + uidAttribute + '=' + LdapEscaper::escapeQuery(username).toLatin1() + ")" + _filter.toLocal8Bit() + ")";
 
     res = ldap_search_ext_s(_connection,
                             baseDN.constData(),