Repository: karaf
Updated Branches:
  refs/heads/karaf-4.0.x 0e884605e -> ff5792d9b


[KARAF-4892] Encode user to avoid LDAP injection


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/ff5792d9
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/ff5792d9
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/ff5792d9

Branch: refs/heads/karaf-4.0.x
Commit: ff5792d9b19997318c487bd23edb2c5063ca88c6
Parents: 0e88460
Author: Jean-Baptiste Onofré <[email protected]>
Authored: Mon Dec 12 13:56:36 2016 +0100
Committer: Jean-Baptiste Onofré <[email protected]>
Committed: Mon Dec 12 14:22:11 2016 +0100

----------------------------------------------------------------------
 .../jaas/modules/ldap/LDAPLoginModule.java      | 30 +++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/ff5792d9/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
----------------------------------------------------------------------
diff --git 
a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
 
b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
index 6d759e1..695b866 100644
--- 
a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
+++ 
b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java
@@ -71,7 +71,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule 
{
             throw new LoginException(unsupportedCallbackException.getMessage() 
+ " not available to obtain information from user.");
         }
 
-        user = ((NameCallback) callbacks[0]).getName();
+        user = doRFC2254Encoding(((NameCallback) callbacks[0]).getName());
 
         char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
 
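Review bot: Applying doRFC2254Encoding at the point where `user` is assigned means the field carries filter-escaped text for the rest of the login, not only where the search filter is built; any later use of `user` as a DN component (RFC 4514 escaping differs from filter escaping), as the principal name, or in log output would then see `\2a`-style sequences for a legitimate name containing `*`, `(`, `)` or `\`. The rest of login(), where `user` is consumed, lies outside this hunk, so I cannot confirm which of these apply; if `user` is only ever substituted into the search filter, a comment on the assignment should say so, e.g. `// filter-escaped: safe only for interpolation into the LDAP search filter, not into a DN or as a principal name`. A more robust shape keeps the raw name in `user` and escapes at the filter-construction site, or passes the name through the `{0}` filter arguments of `DirContext.search(String, String, Object[], SearchControls)`, which performs the RFC 4515 escaping itself.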
@@ -159,6 +159,34 @@ public class LDAPLoginModule extends 
AbstractKarafLoginModule {
         return true;
     }
 
+    protected String doRFC2254Encoding(String inputString) {
+        StringBuffer buf = new StringBuffer(inputString.length());
+        for (int i = 0; i < inputString.length(); i++) {
+            char c = inputString.charAt(i);
+            switch (c) {
+                case '\\':
+                    buf.append("\\5c");
+                    break;
+                case '*':
+                    buf.append("\\2a");
+                    break;
+                case '(':
+                    buf.append("\\28");
+                    break;
+                case ')':
+                    buf.append("\\29");
+                    break;
+                case '\0':
+                    buf.append("\\00");
+                    break;
+                default:
+                    buf.append(c);
+                    break;
+            }
+        }
+        return buf.toString();
+    }
+
     public boolean abort() throws LoginException {
         return true;
     }
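Review bot: doRFC2254Encoding dereferences `inputString` without a null check, so a NameCallback whose name was never set now fails with a NullPointerException inside login() instead of reaching the LoginException path the caller expects; a guard such as `if (inputString == null) { return null; }` (or an explicit LoginException at the call site) keeps the failure mode deliberate. The local `StringBuffer` can be `StringBuilder`, since it never leaves the method and needs no synchronization: `StringBuilder buf = new StringBuilder(inputString.length());`. The method also has no Javadoc; a short one should state that it escapes the characters with special meaning in an RFC 2254/4515 search filter (`\`, `*`, `(`, `)`, NUL) as `\xx` hex sequences, that the result is intended for filter interpolation only and not for building a DN, and that the escaped value is also what ends up stored in `user` by the caller in this commit. The escape set itself matches the filter grammar, so no character is missing for that context.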
