From 94b202fedc3a2bd94a0dbc187f26dd9b5d4373da Mon Sep 17 00:00:00 2001
From: Lukas Joergensen
Date: Tue, 25 Sep 2018 01:10:41 +0200
Subject: [PATCH] fix(authentication): escape LDAP filters (#2209)
---
 api/ldap/ldap.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/api/ldap/ldap.go b/api/ldap/ldap.go
index 528a92e7f..05c9d55d7 100644
--- a/api/ldap/ldap.go
+++ b/api/ldap/ldap.go
@@ -22,11 +22,13 @@ type Service struct{}
 func searchUser(username string, conn *ldap.Conn, settings []portainer.LDAPSearchSettings) (string, error) {
 var userDN string
 found := false
+ usernameEscaped := ldap.EscapeFilter(username)
+
 for _, searchSettings := range settings {
 searchRequest := ldap.NewSearchRequest(
 searchSettings.BaseDN,
 ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
- fmt.Sprintf("(&%s(%s=%s))", searchSettings.Filter, searchSettings.UserNameAttribute, username),
+ fmt.Sprintf("(&%s(%s=%s))", searchSettings.Filter, searchSettings.UserNameAttribute, usernameEscaped),
 []string{"dn"},
 nil,
 )
@@ -134,12 +136,13 @@ func (*Service) GetUserGroups(username string, settings *portainer.LDAPSettings)
 // Get a list of group names for specified user from LDAP/AD
 func getGroups(userDN string, conn *ldap.Conn, settings []portainer.LDAPGroupSearchSettings) []string {
 groups := make([]string, 0)
+ userDNEscaped := ldap.EscapeFilter(userDN)
 
 for _, searchSettings := range settings {
 searchRequest := ldap.NewSearchRequest(
 searchSettings.GroupBaseDN,
 ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
- fmt.Sprintf("(&%s(%s=%s))", searchSettings.GroupFilter, searchSettings.GroupAttribute, userDN),
+ fmt.Sprintf("(&%s(%s=%s))", searchSettings.GroupFilter, searchSettings.GroupAttribute, userDNEscaped),
 []string{"cn"},
 nil,
 )
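Review bot: In `searchUser` only the value position of the filter is escaped; `searchSettings.Filter` and `searchSettings.UserNameAttribute` are still formatted in verbatim, which is safe only while both come from administrator-controlled settings (their origin is not visible in this hunk). That assumption belongs next to the call, for example `// Filter and UserNameAttribute are admin-configured; username is caller-supplied and is escaped per RFC 4515`. The raw `username` also stays in scope beside `usernameEscaped`, so a later edit can pick the wrong one; if nothing further down needs the raw value (the body continues past the hunk), `username = ldap.EscapeFilter(username)` would remove that choice. Neither this hunk nor the `getGroups` one comes with a regression test; a table test that feeds names containing `*`, `(`, `)` and `\` and asserts the generated filter string would pin the fix.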
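Review bot: The added `userDNEscaped` line in `getGroups` carries no comment saying why a DN needs filter escaping, and it is the kind of line that gets simplified away later because the value looks like trusted directory data. A DN can legitimately contain `(`, `)`, `*` and `\` (for example inside a CN), so the escape is needed for correct matching as well as for injection safety; I would add `// A DN may contain filter metacharacters ( ) * \; escape it before using it as an assertion value`. The existing header comment could also follow Go doc style and start with the function name, `// getGroups returns the group names found for userDN in LDAP/AD`. The loop body continues past the end of the hunk.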