From 60f34c09eb7b2e1fb9faf3c5f04451358978cdfa Mon Sep 17 00:00:00 2001
From: Philipp Matthias Schaefer
Date: Sat, 6 Mar 2021 12:55:04 +0100
Subject: [PATCH] fix(api): escape externally provided username

This closes an LDAP injection vulnerability.
---
 src/api.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/api.rs b/src/api.rs
index 1f72074..d9c7148 100644
--- a/src/api.rs
+++ b/src/api.rs
@@ -15,7 +15,7 @@
 // You should have received a copy of the GNU General Affero Public License
 // along with the WebLDAPPasswd. If not, see .
 use handlebars::Handlebars;
-use ldap3::LdapConn;
+use ldap3::{ldap_escape, LdapConn};
 use ldap3::exop::PasswordModify;
 use ldap3::result::{LdapError, Result};
 use rocket_contrib::json::Json;
@@ -49,7 +49,8 @@
 fn change_password(data: &Json, context: &rocket::State) -> Result<()> {
     let dn = Handlebars::new()
-        .render_template(&context.dn, &json!({"username" : &data.username}))
+        .render_template(&context.dn,
+            &json!({"username" : ldap_escape(&data.username)}))
         .expect("Unexpected DN template error. Was tested in config.rs");
     let mut ldap = LdapConn::new(&context.ldap_url)?;
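Review bot: The function imported on the `+use ldap3::{ldap_escape, LdapConn};` line is ldap3's escaper for search-filter literals, but the only use site in this patch (the `change_password` hunk below) substitutes the username into a DN template, and DN syntax has a different metacharacter set: characters such as `,`, `+` and `=` are structural in an RDN and are not among those the filter escaper rewrites, so the DN can still be reshaped by an unexpected username. If the ldap3 version in use provides it, `use ldap3::{dn_escape, LdapConn};` together with `&json!({"username" : dn_escape(&data.username)})` applies the RFC 4514 escaping this context needs; otherwise validate the username against an explicit allow-list of characters before rendering, and consider whether the `Handlebars::new()` default HTML escaping interacts with the escaper's backslash output. A unit test that renders `context.dn` with a username containing a comma and asserts the rendered DN still splits into the expected number of RDNs would pin the fix. The `change_password` body continues outside the second hunk.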