Merge pull request #562 from jorgectf/fix-ldap-injection

Polish LDAP Injection fix

passhportd/app/views_mod/user/user.py

@@ -6,7 +6,7 @@
 
 from io import open
 from ldap3 import Server, Connection, ALL
-from ldap3.utils.dn import escape_rdn
+from ldap3.utils.conv import escape_filter_chars
 from flask import request
 from sqlalchemy import exc
 from sqlalchemy.orm import sessionmaker
@@ -28,7 +28,7 @@ def useruid(s, login):
 
     # Look for the user entry.
     if not c.search(config.LDAPBASE,
-                    "(" + config.LDAPFIELD + "=" + escape_rdn(login) + ")") :
+                    "(" + config.LDAPFIELD + "=" + escape_filter_chars(login) + ")") :
         app.logger.error("Error: Connection to the LDAP with service account failed")
     else:
         if len(c.entries) >= 1 :
@@ -49,7 +49,7 @@ def try_ldap_login(login, password):
     s = Server(config.LDAPURI, port=config.LDAPPORT,
                use_ssl=False, get_info=ALL)
     # 1. connection with service account to find the user uid
-    uid = useruid(s, escape_rdn(login))
+    uid = useruid(s, escape_filter_chars(login))
 
     if uid: 
         # 2. Try to bind the user to the LDAP