-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EscapeFilter the group dn membership #20200
EscapeFilter the group dn membership #20200
Conversation
The uid provided to the group filter must be properly escaped using the provided ldap.EscapeFilter function. Fix go-gitea#20181 Signed-off-by: Andrew Thornton <art27@cantab.net>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it the only thing that must be escaped within this function or related functions? LGTM
I believe so currently but I note we have functions like: func (source *Source) sanitizedUserQuery(username string) (string, bool) {
// See http://tools.ietf.org/search/rfc4515
badCharacters := "\x00()*\\"
if strings.ContainsAny(username, badCharacters) {
log.Debug("'%s' contains invalid query characters. Aborting.", username)
return "", false
}
return fmt.Sprintf(source.Filter, username), true
} Which should just be escaping things properly instead of declaring bad characters. |
It's been confirmed that this PR solves the related issue. |
Backport go-gitea#20200 The uid provided to the group filter must be properly escaped using the provided ldap.EscapeFilter function. Fix go-gitea#20181 Signed-off-by: Andrew Thornton <art27@cantab.net>
* upstream/main: Modify milestone search keywords to be case insensitive (go-gitea#20266) Fix toolip on mobile notification bell (go-gitea#20270) Allow RSA 2047 bit keys (go-gitea#20272) Refix notification bell placement (go-gitea#20251) Bump mermaid from 9.1.1 to 9.1.2 (go-gitea#20256) EscapeFilter the group dn membership (go-gitea#20200) Only show Followers that current user can access (go-gitea#20220) Init popup for new code comment (go-gitea#20234) Bypass Firefox (iOS) bug (go-gitea#20244) Adjust max-widths for the repository file table (go-gitea#20243) Display full name (go-gitea#20171) Adjust class for mobile has the problem of double small bells (go-gitea#20236) Adjust template for go-gitea#20069 smallbell (go-gitea#20108) Add integration tests for the Gitea migration form (go-gitea#20121) Allow dev i18n to be more concurrent (go-gitea#20159) Allow enable LDAP source and disable user sync via CLI (go-gitea#20206)
The uid provided to the group filter must be properly escaped using the provided ldap.EscapeFilter function. Fix go-gitea#20181 Signed-off-by: Andrew Thornton <art27@cantab.net>
The uid provided to the group filter must be properly escaped using the provided ldap.EscapeFilter function. Fix go-gitea#20181 Signed-off-by: Andrew Thornton <art27@cantab.net>
The uid provided to the group filter must be properly escaped using the provided
ldap.EscapeFilter function.
Fix #20181
Signed-off-by: Andrew Thornton art27@cantab.net