From ebcb49977204bea8785fa26c0bf4212acb0b1347 Mon Sep 17 00:00:00 2001
From: Steven Weathers
Date: Mon, 1 Nov 2021 21:21:04 -0400
Subject: [PATCH] Fix LDAP vulnerability
---
 auth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth.go b/auth.go
index 928e561..fd3a417 100644
--- a/auth.go
+++ b/auth.go
@@ -68,7 +68,7 @@ func (s *server) authAndCreateUserLdap(userUsername string, userPassword string)
 searchRequest := ldap.NewSearchRequest(viper.GetString("auth.ldap.basedn"),
 ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
- fmt.Sprintf(viper.GetString("auth.ldap.filter"), userUsername),
+ fmt.Sprintf(viper.GetString("auth.ldap.filter"), ldap.EscapeFilter(userUsername)),
 []string{"dn", viper.GetString("auth.ldap.mail_attr"), viper.GetString("auth.ldap.cn_attr")},
 nil,
 )
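Review bot: The escaped username closes the filter injection, but the search on the `ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,` line still runs with size limit 0 and time limit 0, so every login attempt can trigger an unbounded whole-subtree search. A login lookup should match a single entry, so consider bounding it, e.g. `ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 2, 10, false,` (values are illustrative), and rejecting any result that is not exactly one entry; the result handling is outside this hunk and may already do the latter. The function body starts and ends outside the hunk, so it is also worth confirming there that an empty `userPassword` is rejected before the bind, since many directory servers treat an empty-password bind as anonymous and report success. A comment such as `// userUsername is untrusted: escape it so filter metacharacters cannot alter the query` above the filter argument would keep the escape from being dropped in a later refactor.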