bug #36498 [Security/Core] fix escape for username in LdapBindAuthent… · symfony/symfony@08ded7f · GitHub

Commit 08ded7f

bug #36498 [Security/Core] fix escape for username in LdapBindAuthenticationProvider.php (stoccc)
This PR was merged into the 3.4 branch.

Discussion
----------

[Security/Core] fix escape for username in LdapBindAuthenticationProvider.php

| Q | A |
| ------------- | --- |
| Branch? | 3.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| License | MIT |

I think that when we call `ldap_search()` as definitely it will do the `$this->ldap->query()` call, the proper filter applied should be `LdapInterface::ESCAPE_FILTER` as documented in https://www.php.net/manual/en/function.ldap-escape.php while `LdapInterface::ESCAPE_DN` should be used for `dn` only.

This simple change should fix, I'm sorry if I'm wrong.

Commits
-------

4bda68a Update LdapBindAuthenticationProvider.php
2 parents 6642f09 + 4bda68a commit 08ded7f
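
The difference between the two escape modes named in the commit message, as an added example (not code from Symfony or from this commit). It calls PHP's native `ldap_escape()` directly; the sample username, both templates and the helper `rawFilterMetachars()` are constructed for illustration.

```php
<?php
// Added example, not Symfony code. Requires the PHP ldap extension.
// The username and both templates below are constructed sample values.

/** Filter metacharacters still present in $value after escaping. */
function rawFilterMetachars(string $value): array
{
    // ldap_escape() writes escapes as a backslash plus two hex digits;
    // drop those sequences, then look for what is left unescaped.
    $stripped = preg_replace('/\\\\[0-9a-fA-F]{2}/', '', $value);
    preg_match_all('/[*()\\\\\x00]/', $stripped, $m);
    return array_values(array_unique($m[0]));
}

$username       = 'a*b(c),d=e';
$filterTemplate = '(uid={username})';
$dnTemplate     = 'uid={username},dc=example,dc=com';

$modes = [
    'LDAP_ESCAPE_FILTER' => LDAP_ESCAPE_FILTER,
    'LDAP_ESCAPE_DN'     => LDAP_ESCAPE_DN,
];

foreach ($modes as $name => $flag) {
    $escaped = ldap_escape($username, '', $flag);
    $raw     = rawFilterMetachars($escaped);
    printf("%-18s escaped value: %s\n", $name, $escaped);
    printf("%-18s raw filter metacharacters left: %s\n", '', $raw ? implode(' ', $raw) : 'none');
}

// Context-correct substitution, matching the two branches in the diff:
// filter escaping for the search filter, DN escaping for the DN.
$filter = str_replace('{username}', ldap_escape($username, '', LDAP_ESCAPE_FILTER), $filterTemplate);
$dn     = str_replace('{username}', ldap_escape($username, '', LDAP_ESCAPE_DN), $dnTemplate);

echo "filter: $filter\n";
echo "dn:     $dn\n";
```

With `LDAP_ESCAPE_DN` the `*`, `(` and `)` in the sample value reach the filter unescaped, which is the mismatch the commit corrects.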

src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php

Lines changed: 2 additions & 2 deletions
@@ -87,9 +87,8 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
8787
}
8888

8989
try {
90-
$username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);
91-
9290
if ($this->queryString) {
91+
$username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_FILTER);
9392
$query = str_replace('{username}', $username, $this->queryString);
9493
$result = $this->ldap->query($this->dnString, $query)->execute();
9594
if (1 !== $result->count()) {
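
Review bot: The escape mode inside `if ($this->queryString)` is the whole fix, yet the commit touches one file and adds no test, so nothing stops a later refactor from moving the call back above the `if` with `ESCAPE_DN`. Please add a unit test for the query-string path that passes a username containing `*`, `(` and `)` and asserts that `escape()` is called with `LdapInterface::ESCAPE_FILTER` before the value is substituted into `$this->queryString`.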
@@ -98,6 +97,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
9897

9998
$dn = $result[0]->getDn();
10099
} else {
100+
$username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);
101101
$dn = str_replace('{username}', $username, $this->dnString);
102102
}
103103
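
Review bot: In the `else` branch (and in the query branch above) the escaped value is written back into `$username`, so the variable now holds a filter-escaped string on one path and a DN-escaped string on the other. Anything that reads `$username` after the `if`/`else` gets a branch-dependent, already-escaped value. Consider leaving `$username` untouched and assigning the result of `$this->ldap->escape(...)` to a local such as `$escaped` in each branch, then using that in the `str_replace()` call.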
