mirror of
https://github.com/whippyshou/mastodon
synced 2024-11-24 07:06:28 +09:00
Fix unescaped user input in LDAP query (#24379)
This commit is contained in:
parent
fa98363a27
commit
0e919397db
@ -6,7 +6,7 @@ module LdapAuthenticable
|
||||
class_methods do
|
||||
def authenticate_with_ldap(params = {})
|
||||
ldap = Net::LDAP.new(ldap_options)
|
||||
filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: params[:email])
|
||||
filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: Net::LDAP::Filter.escape(params[:email]))
|
||||
|
||||
if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: params[:password]))
|
||||
ldap_get_user(user_info.first)
|
||||
|
Loading…
Reference in New Issue
Block a user