projects / quassel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 528e63d) | patch
Fix a security issue with LDAP usernames
authorJanne Koschinski <janne@kuschku.de>
Mon, 20 May 2019 22:32:05 +0000 (00:32 +0200)
committerManuel Nickschas <sputnick@quassel-irc.org>
Tue, 12 Oct 2021 11:27:51 +0000 (13:27 +0200)
commit37f3c64d38c2316fb38675e1ecc187e6e46fb98d
treed656e85dbb4d93fba567f4ce3eaa8e418711b4dbtree | snapshot
parent528e63d2bb9988f2f4cb47b94bd627300bf240cacommit | diff
Fix a security issue with LDAP usernames

LDAP usernames are directly concatenated into the filter query,
which opens up the risk of unauthenticated LDAP injection,
potentially allowing to bypass the authentication.

To solve this, apply escaping as per RFC 4515.

Co-authored-by: Shane Synan <digitalcircuit36939@gmail.com>
Co-authored-by: Manuel Nickschas <sputnick@quassel-irc.org>
src/core/CMakeLists.txt diff | blob | history
src/core/ldapauthenticator.cpp diff | blob | history
src/core/ldapescaper.cpp [new file with mode: 0644] blob
src/core/ldapescaper.h [new file with mode: 0644] blob
tests/CMakeLists.txt diff | blob | history
tests/core/CMakeLists.txt [new file with mode: 0644] blob
tests/core/ldapescapetest.cpp [new file with mode: 0644] blob
Quassel IRC