On 16:51 Tue 06 May 2014, Lunar wrote:
..[snip]..
# params[:ldap_user] comes straight from the request and is spliced into the
# search filter without escaping (the defect Lunar points out below)
result = ldap.bind_as( :base     => settings.ldap_base,
                       :filter   => "(uid=" + params[:ldap_user] + ")",
                       :password => params[:ldap_password] )
This code puts a user controlled string directly into the filter. Bad idea. Net::Ldap::Filter provides an `escape` method which is made for these occasions.
Wow, how did I miss that (!) Even being a relative non-Ruby developer is not much of an excuse... Thanks for spotting it, and reminding me of the dangers of late-night coding in unfamiliar languages ;-)
I guess I'll go and drop some tables now - https://xkcd.com/327/
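An added example, not code from this thread or from the net-ldap gem, showing what the unescaped filter above turns into under a crafted ldap_user and what RFC 4515 escaping does about it. The ldap_filter_escape helper reimplements (as an assumption about the gem's behaviour) the same five-character escaping that Net::LDAP::Filter.escape applies, reproduced here only so the script runs without the gem installed; single_uid_assertion? is a hypothetical check written for this example, not a gem API. The sample inputs are constructed.

```ruby
# LDAP filter injection: the original concatenated filter next to an
# escaped one, and a check that the result still selects a single uid.

# Characters with special meaning inside an LDAP search filter (RFC 4515)
# and their hex escapes. This mirrors what Net::LDAP::Filter.escape does
# (assumed; reimplemented here so the file runs without the net-ldap gem).
FILTER_ESCAPES = {
  "\\"   => "\\5c",
  "*"    => "\\2a",
  "("    => "\\28",
  ")"    => "\\29",
  "\x00" => "\\00",
}.freeze

# Escape a single assertion value so it can be placed inside a filter.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| FILTER_ESCAPES[c] }
end

# The filter from the original code, behaviour preserved: user input is
# concatenated into the filter with no escaping.
def unsafe_uid_filter(user)
  "(uid=" + user.to_s + ")"
end

# The corrected form: same shape, value escaped before concatenation.
def safe_uid_filter(user)
  "(uid=" + ldap_filter_escape(user) + ")"
end

# Hypothetical sanity check: is the filter exactly one equality assertion
# on uid, with no wildcard and no extra assertions appended? Any character
# other than the specials, or an escaped \XX sequence, is permitted inside.
def single_uid_assertion?(filter)
  !!(filter =~ /\A\(uid=(?:[^()*\\\x00]|\\[0-9a-fA-F]{2})*\)\z/)
end

# Constructed inputs: a normal login name, a bare wildcard (matches every
# entry, so bind_as would try the first user the directory returns), and a
# break-out that appends a second assertion to the filter.
SAMPLE_USERS = ["alice", "*", "x)(objectClass=*"].freeze

if __FILE__ == $0
  SAMPLE_USERS.each do |u|
    unsafe = unsafe_uid_filter(u)
    safe   = safe_uid_filter(u)
    puts "input:  #{u.inspect}"
    puts "  unsafe filter: #{unsafe}  single uid? #{single_uid_assertion?(unsafe)}"
    puts "  safe filter:   #{safe}  single uid? #{single_uid_assertion?(safe)}"
  end
end
```

With the real gem the fix is the same one-liner Lunar names: pass Net::LDAP::Filter.escape(params[:ldap_user]) into the filter string instead of the raw parameter.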