Incorrect escaping filter query when logging in

Created on 16 August 2022, over 2 years ago
Updated 25 November 2023, 12 months ago

Problem/Motivation

When logging in with the LDAP module through a connection to an AD server, the LDAP module does various things; one of them is to get a list of groups that a user is a member of using the memberOf attribute. From what I can tell, this works by getting the group names (DN) and then constructing an LDAP query (not sure what the purpose of the LDAP query is exactly).

This query can be complicated and uses a lot of (), but currently it has a flaw: if the DN of a group contains ( or ) or both, then the query will blow up, resulting in an LDAP error, as the group name is not escaped for use in a filter.

Steps to reproduce

1. Create a user in an AD server and configure the setup to make it possible to log in with the user
2. Create a group with () in it, for example "Users (external)".
3. Add the group to the user in AD
4. Try to log in (will not fail)

Proposed resolution

We should change the way we filter group names when used in an LDAP filter query.

Remaining tasks

User interface changes

None

API changes

None

Data model changes

None

πŸ› Bug report
Status

Needs review

Version

4.0

Component

Code

Created by

🇩🇰 Denmark googletorp
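
The failure described in this issue, as an added example that is not part of the original report and not the LDAP module's own code: a group DN containing ( and ) is placed in a search filter with and without RFC 4515 filter escaping. The function names, the filter shape (distinguishedName tests inside an OR) and the sample DN are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// RFC 4515 escaping for a value placed inside a filter assertion.
function escape_filter_value(string $value): string {
  if (function_exists('ldap_escape')) {
    return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
  }
  // Fallback without ext-ldap: strtr() works in one pass, so nothing is escaped twice.
  return strtr($value, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
}

// Hypothetical helper (the filter shape is an assumption): one equality test per group DN.
function build_group_filter(array $groupDns, bool $escape = true): string {
  $tests = '';
  foreach ($groupDns as $dn) {
    $tests .= '(distinguishedName=' . ($escape ? escape_filter_value($dn) : $dn) . ')';
  }
  return '(&(objectClass=group)(|' . $tests . '))';
}

// Minimal structural check: reduce valid leaf items, then and/or/not groups, to a marker byte.
function is_wellformed_filter(string $filter): bool {
  if (strpos($filter, "\x01") !== false) {
    return false; // the marker byte must not already be present in the input
  }
  // A leaf value may hold anything except raw parentheses, backslash and NUL,
  // plus two-digit hex escapes such as \28.
  $leaf = '/\([A-Za-z0-9.;-]+[~<>]?=(?:[^()\\\\\x00]|\\\\[0-9a-fA-F]{2})*\)/';
  $reduced = preg_replace($leaf, "\x01", $filter);
  do {
    $previous = $reduced;
    $reduced = preg_replace('/\([&|]\x01+\)|\(!\x01\)/', "\x01", $reduced);
  } while ($reduced !== $previous);
  return $reduced === "\x01";
}

// Constructed sample DN using the group name from the reproduction steps.
$dns = ['CN=Users (external),OU=Groups,DC=example,DC=com'];
foreach ([false, true] as $escape) {
  $filter = build_group_filter($dns, $escape);
  printf("%s\n  well-formed: %s\n", $filter, is_wellformed_filter($filter) ? 'yes' : 'no');
}
```

Filter escaping (LDAP_ESCAPE_FILTER) and DN escaping (LDAP_ESCAPE_DN) are different encodings; a DN that is used as a value inside a filter needs the former.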
