[Coquelicot] [PATCH] Add LDAP authentication (with uid lookup)

Rowan Thorpe rowan at rowanthorpe.com
Tue May 6 17:09:16 CEST 2014


On 16:51 Tue 06 May 2014, Lunar wrote:
> > ..[snip]..
> > +        result = ldap.bind_as( :base => settings.ldap_base,
> > +                               :filter => "(uid=" + params[:ldap_user] + ")",
> > +                               :password => params[:ldap_password] )
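Review bot: `params[:ldap_user]` is concatenated into the filter on the `:filter =>` line without escaping, so a login of `*`, `ali*` or `*)(uid=*` becomes filter syntax rather than a literal uid and can select a different entry than the one the user typed, which bind_as will then bind against if it resolves to exactly one entry. Escape it first, e.g. `:filter => "(uid=" + Net::LDAP::Filter.escape(params[:ldap_user]) + ")"`. The `:password =>` line deserves the same scrutiny: reject a nil or empty password before calling bind_as, because a simple bind with an empty password is treated as an anonymous (unauthenticated) bind by many directories and would otherwise look like a successful login for any uid that matches.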
> 
> This code puts a user controlled string directly into the filter. Bad
> idea. Net::Ldap::Filter provides an `escape` method which is made for
> these occasions.

Wow, how did I miss that(!) Even being a relative non-ruby developer is not
much of an excuse... Thanks for spotting it, and reminding me of the dangers of
late-night coding in unfamiliar languages ;-)

I guess I'll go and drop some tables now - https://xkcd.com/327/

-- 
Rowan Thorpe
PGP fingerprint:
 BB0A 0787 C0EE BDD8 7F97  3D30 49F2 13A5 265D CCBD
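
The following is an added example, not Coquelicot's code and not what Lunar or Rowan posted, showing what the escaping step discussed above changes. It assumes an escape table equivalent to RFC 4515 section 3 (the same five characters `Net::LDAP::Filter.escape` rewrites), a small hand-written filter evaluator standing in for the directory server, a constructed three-user directory, and a hypothetical `bind_dn_for` helper that mimics the "exactly one entry" requirement of `bind_as`. It runs offline with no net-ldap gem or LDAP server.

```ruby
# frozen_string_literal: true

# Added example (not Coquelicot code): compare raw concatenation of a
# user-supplied uid into an LDAP filter with RFC 4515 escaping, and watch
# what each filter matches against a constructed directory.

# RFC 4515 section 3 escapes; this is the same table Net::LDAP::Filter.escape
# applies (assumption: reproduced here so the script runs without net-ldap).
FILTER_ESCAPES = {
  "\0" => '\00',
  '*'  => '\2A',
  '('  => '\28',
  ')'  => '\29',
  '\\' => '\5C',
}.freeze

def ldap_escape(value)
  value.to_s.gsub(/[\0*()\\]/) { |c| FILTER_ESCAPES[c] }
end

# The pattern from the patch: user input spliced straight into the filter.
def unsafe_uid_filter(user)
  "(uid=" + user + ")"
end

# The fix: escape before splicing, so the input can only ever be a literal uid.
def safe_uid_filter(user)
  "(uid=" + ldap_escape(user) + ")"
end

# --- minimal evaluator for a subset of RFC 4515 filters ---------------------
# Supports (attr=value) with '*' wildcards and \XX hex escapes, plus (&...) and
# (|...). Constructed for this demo; it is not a full LDAP implementation.
class FilterSyntaxError < StandardError; end

def parse_filter(str)
  node, rest = parse_node(str.strip)
  raise FilterSyntaxError, "trailing data: #{rest.inspect}" unless rest.empty?
  node
end

def parse_node(s)
  raise FilterSyntaxError, "expected '(' at #{s.inspect}" unless s.start_with?('(')
  s = s[1..-1]
  if s.start_with?('&', '|')
    op = s[0]
    s = s[1..-1]
    children = []
    until s.start_with?(')')
      child, s = parse_node(s)
      children << child
    end
    [[op == '&' ? :and : :or, children], s[1..-1]]
  else
    close = s.index(')')
    raise FilterSyntaxError, "missing ')'" if close.nil?
    attr, value = s[0...close].split('=', 2)
    raise FilterSyntaxError, "bad item: #{s[0...close].inspect}" if value.nil?
    [[:eq, attr.downcase, value], s[close + 1..-1]]
  end
end

# '*' is a wildcard; everything else, including decoded \XX escapes, is literal.
def value_regexp(value)
  parts = value.split('*', -1).map do |chunk|
    literal = chunk.gsub(/\\([0-9A-Fa-f]{2})/) { $1.to_i(16).chr }
    Regexp.escape(literal)
  end
  Regexp.new("\\A#{parts.join('.*')}\\z", Regexp::IGNORECASE)
end

def matches?(node, entry)
  case node[0]
  when :and then node[1].all? { |c| matches?(c, entry) }
  when :or  then node[1].any? { |c| matches?(c, entry) }
  when :eq  then Array(entry[node[1]]).any? { |v| value_regexp(node[2]).match?(v.to_s) }
  end
end

def search(filter_string, directory)
  node = parse_filter(filter_string)
  directory.select { |entry| matches?(node, entry) }
end

# Hypothetical stand-in for what bind_as needs: exactly one entry to bind as.
def bind_dn_for(filter_string, directory)
  hits = search(filter_string, directory)
  hits.size == 1 ? hits.first['dn'] : nil
end

# Constructed sample directory (not real data).
DIRECTORY = [
  { 'dn' => 'uid=alice,ou=people,dc=example,dc=org', 'uid' => 'alice' },
  { 'dn' => 'uid=alan,ou=people,dc=example,dc=org',  'uid' => 'alan' },
  { 'dn' => 'uid=bob,ou=people,dc=example,dc=org',   'uid' => 'bob' },
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[alice ali* * *)(uid=*].each do |typed|
    [[:unsafe, unsafe_uid_filter(typed)], [:safe, safe_uid_filter(typed)]].each do |label, f|
      begin
        puts "#{label.to_s.ljust(6)} #{f.ljust(24)} -> bind as #{bind_dn_for(f, DIRECTORY).inspect}"
      rescue FilterSyntaxError => e
        puts "#{label.to_s.ljust(6)} #{f.ljust(24)} -> rejected (#{e.message})"
      end
    end
  end
end
```

Typing `ali*` into the unescaped form resolves to alice's DN without the attacker knowing the full uid, and `*)(uid=*` is rejected by the parser only because it happens to be malformed; with escaping, every one of those inputs is a literal uid that matches nothing, and only a real uid matches its own entry. Note that `Net::LDAP::Filter.eq` does not escape its value either (it treats `*` as a wildcard on purpose), so the explicit `escape` call is the right tool here.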


More information about the Coquelicot mailing list