From 60d3c66a8b984a0e494d41ba97c63903762c799d Mon Sep 17 00:00:00 2001
From: Arik Fraimovich
Date: Sat, 18 May 2024 07:36:29 -0700
Subject: [PATCH] Merge pull request from GHSA-32fw-wc7f-7qg9

---
 redash/authentication/ldap_auth.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/redash/authentication/ldap_auth.py b/redash/authentication/ldap_auth.py
index 1a19cce05bf..3bc5ff272f6 100644
--- a/redash/authentication/ldap_auth.py
+++ b/redash/authentication/ldap_auth.py
@@ -8,6 +8,7 @@
 try:
     from ldap3 import Connection, Server
+    from ldap3.utils.conv import escape_filter_chars
 except ImportError:
     if settings.LDAP_LOGIN_ENABLED:
         sys.exit(
@@ -69,6 +70,7 @@ def login(org_slug=None):
 def auth_ldap_user(username, password):
+    clean_username = escape_filter_chars(username)
     server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
     if settings.LDAP_BIND_DN is not None:
         conn = Connection(
@@ -83,7 +85,7 @@ def auth_ldap_user(username, password):
     conn.search(
         settings.LDAP_SEARCH_DN,
-        settings.LDAP_SEARCH_TEMPLATE % {"username": username},
+        settings.LDAP_SEARCH_TEMPLATE % {"username": clean_username},
         attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY],
     )
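Review bot: The new `clean_username` in the second hunk is only consumed by the `LDAP_SEARCH_TEMPLATE` substitution in the third hunk, while the unescaped `username` stays in scope for the rest of `auth_ldap_user`, whose body continues beyond both hunks; any later use of the raw value in a filter would bypass the fix, and a use inside a DN would need RDN escaping rather than `escape_filter_chars` (the bind path between the hunks is not visible here, so this is worth confirming). The escaping line carries no explanation of why it exists; a comment such as `# escape LDAP filter metacharacters so a crafted username cannot rewrite the search filter (GHSA-32fw-wc7f-7qg9)` would tell the next maintainer not to drop it. Naming the variable for its purpose, e.g. `filter_username`, would also make it harder to pass the escaped form where the literal value is expected.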