Repository: karaf Updated Branches: refs/heads/master c9bae0555 -> ac07cb244
[KARAF-4892] Encode user to avoid LDAP injection Project: http://git-wip-us.apache.org/repos/asf/karaf/repo Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/ac07cb24 Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/ac07cb24 Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/ac07cb24 Branch: refs/heads/master Commit: ac07cb2440ceff94b3001728c1611fc471253d19 Parents: c9bae05 Author: Jean-Baptiste Onofré <[email protected]> Authored: Mon Dec 12 13:56:36 2016 +0100 Committer: Jean-Baptiste Onofré <[email protected]> Committed: Mon Dec 12 14:21:39 2016 +0100 ---------------------------------------------------------------------- .../jaas/modules/ldap/LDAPLoginModule.java | 30 +++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/karaf/blob/ac07cb24/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java ---------------------------------------------------------------------- diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java index 6d759e1..695b866 100644 --- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java +++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java @@ -71,7 +71,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { throw new LoginException(unsupportedCallbackException.getMessage() + " not available to obtain information from user."); } - user = ((NameCallback) callbacks[0]).getName(); + user = doRFC2254Encoding(((NameCallback) callbacks[0]).getName()); char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword(); 
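Review bot: Escaping the name where it is read from the NameCallback, rather than where the search filter is built, means the RFC 2254-escaped form is what the `user` field carries for the rest of login() — any later use of `user` outside this hunk (the principal name attached to the Subject, a `%u` substitution into the role/group filter, a DN built from `userBaseDn`, log output) now sees `\2a`-style sequences instead of the raw name, which I cannot confirm is intended from the hunk alone. A narrower fix is to keep `user` raw and escape only at the filter call sites, i.e. `String escapedUser = doRFC2254Encoding(user);` immediately before the `%u` replacement, so authorization and auditing still see the name the user typed. If JNDI's `DirContext.search(name, filterExpr, filterArgs, controls)` with `{0}` placeholders is an option for those call sites, it performs the same escaping itself and removes the need for a hand-rolled encoder. The enclosing login() method starts and ends outside this hunk.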
@@ -159,6 +159,34 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
 return true;
 }
+ protected String doRFC2254Encoding(String inputString) {
+ StringBuffer buf = new StringBuffer(inputString.length());
+ for (int i = 0; i < inputString.length(); i++) {
+ char c = inputString.charAt(i);
+ switch (c) {
+ case '\\':
+ buf.append("\\5c");
+ break;
+ case '*':
+ buf.append("\\2a");
+ break;
+ case '(':
+ buf.append("\\28");
+ break;
+ case ')':
+ buf.append("\\29");
+ break;
+ case '\0':
+ buf.append("\\00");
+ break;
+ default:
+ buf.append(c);
+ break;
+ }
+ }
+ return buf.toString();
+ }
+
 public boolean abort() throws LoginException {
 return true;
 }
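Review bot: `doRFC2254Encoding` dereferences `inputString` on its first line (`new StringBuffer(inputString.length())`) with no null guard, and `NameCallback.getName()` returns null when the callback handler never set a name, so that case now surfaces as a NullPointerException from inside login() instead of reaching whatever null handling `user` had before; add `if (inputString == null) { return null; }` at the top so the caller's existing behavior for a missing name is preserved. The escape set — `\`, `*`, `(`, `)` and NUL to their `\xx` forms — is the one RFC 4515 section 3 requires for filter values, so the encoding itself is correct for that use. `StringBuffer` buys only synchronization on a method-local object; `StringBuilder` is the idiomatic choice and the rest of the method is unchanged by the swap. The method is protected and undocumented: a Javadoc such as `/** Escapes the characters that are special in an LDAP search filter (RFC 4515 / RFC 2254) so the value cannot alter the filter's structure; returns null for null input. */` would tell overriders what contract they must keep.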
