[Coquelicot] [PATCH] Add LDAP authentication (with uid lookup)
Rowan Thorpe
rowan at rowanthorpe.com
Tue May 6 17:09:16 CEST 2014
On 16:51 Tue 06 May 2014, Lunar wrote:
> > ..[snip]..
> > + result = ldap.bind_as( :base => settings.ldap_base,
> > + :filter => "(uid=" + params[:ldap_user] + ")",
> > + :password => params[:ldap_password] )
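Review bot: `params[:ldap_user]` is concatenated into the search filter unescaped, so `*`, `(`, `)` or `\` in the submitted username change the meaning of the filter instead of being matched literally; build the value with `Net::LDAP::Filter.escape(params[:ldap_user])` (for example `"(uid=#{Net::LDAP::Filter.escape(params[:ldap_user])})"`) before passing it to `bind_as`.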
>
> This code puts a user controlled string directly into the filter. Bad
> idea. Net::Ldap::Filter provides an `escape` method which is made for
> these occasions.
Wow, how did I miss that(!) Even being a relative non-ruby developer is not
much of an excuse... Thanks for spotting it, and reminding me of the dangers of
late-night coding in unfamiliar languages ;-)
I guess I'll go and drop some tables now - https://xkcd.com/327/
--
Rowan Thorpe
PGP fingerprint:
BB0A 0787 C0EE BDD8 7F97 3D30 49F2 13A5 265D CCBD
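The filter-construction problem discussed in this thread, as an added example that is not part of the Coquelicot patch or the net-ldap gem: a stand-alone Ruby re-implementation of RFC 4515 value escaping (assumed to mirror what `Net::LDAP::Filter.escape` does for the five characters it handles), the unsafe and hardened `(uid=...)` builders side by side, and a minimal matcher over a constructed directory that shows what each filter actually selects. The names `ldap_escape`, `unsafe_uid_filter`, `safe_uid_filter`, `uid_filter_matches?` and `DIRECTORY` are this example's own.

```ruby
# Added example; not code from the Coquelicot patch or from net-ldap.
# It runs without the net-ldap gem: the escape routine below is assumed to
# behave like Net::LDAP::Filter.escape for the characters RFC 4515 reserves.

# RFC 4515 assertion-value escapes: NUL, '*', '(', ')' and '\' become \XX.
LDAP_ESCAPES = { "\0" => '00', '*' => '2A', '(' => '28', ')' => '29', '\\' => '5C' }.freeze

# Escape a user-supplied value so it is matched literally inside a filter.
def ldap_escape(value)
  value.to_s.gsub(/[\0*()\\]/) { |c| '\\' + LDAP_ESCAPES[c] }
end

# The construction from the posted patch: the raw username goes into the filter.
def unsafe_uid_filter(user)
  "(uid=" + user + ")"
end

# Hardened construction: the value is escaped before it is interpolated.
def safe_uid_filter(user)
  "(uid=#{ldap_escape(user)})"
end

# True only for one well-formed equality assertion on uid (no stray parens).
def single_uid_assertion?(filter)
  filter.match?(/\A\(uid=[^()]*\)\z/)
end

# Minimal matcher for "(uid=<value>)": '*' is a substring wildcard and \XX is
# an escaped literal byte. Not a general LDAP filter parser; a filter that is
# not a single well-formed assertion simply matches nothing here.
def uid_filter_matches?(filter, uid)
  m = filter.match(/\A\(uid=([^()]*)\)\z/)
  return false unless m
  pattern = m[1].scan(/\\[0-9a-fA-F]{2}|./m).map do |tok|
    if tok.start_with?('\\') then Regexp.escape(tok[1, 2].hex.chr)
    elsif tok == '*'         then '.*'
    else                          Regexp.escape(tok)
    end
  end.join
  Regexp.new("\\A#{pattern}\\z").match?(uid)
end

# Constructed sample directory of uids (not real data).
DIRECTORY = %w[alice bob carol].freeze

# Which constructed uids a given filter selects.
def matching_uids(filter)
  DIRECTORY.select { |uid| uid_filter_matches?(filter, uid) }
end

if __FILE__ == $PROGRAM_NAME
  ['alice', '*', 'al*', 'x)(uid=y'].each do |user|
    puts "input #{user.inspect}"
    puts "  unsafe #{unsafe_uid_filter(user).inspect} -> #{matching_uids(unsafe_uid_filter(user)).inspect}"
    puts "  safe   #{safe_uid_filter(user).inspect} -> #{matching_uids(safe_uid_filter(user)).inspect}"
  end
end
```

With a plain username both builders behave the same; with `*` the unsafe filter becomes a wildcard that selects every entry, while the escaped `\2A` matches only a uid that is literally `*`. A real server would parse the parenthesis case differently from this toy matcher, but the point is the same: escaping is what keeps the submitted value inside the assertion it was meant to fill.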