From 71f691b2081a7f0a29ea5c3e852facfed1c8475e Mon Sep 17 00:00:00 2001
From: Felix Eckhofer
Date: Sat, 25 Feb 2023 20:27:52 +0100
Subject: [PATCH] Fix potential ldap injection

Signed-off-by: Felix Eckhofer
---
 examples/ldapauth/main.go | 2 +-
 examples/ldapauthserver/httpd/ldapauth.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/ldapauth/main.go b/examples/ldapauth/main.go
index fcaaa164..31531043 100644
--- a/examples/ldapauth/main.go
+++ b/examples/ldapauth/main.go
@@ -97,7 +97,7 @@ func main() {
 // search the user trying to login and fetch some attributes, this search string is tested against 389ds using the default configuration
 log.Printf("username=%s\n", username)
- searchFilter := fmt.Sprintf("(uid=%s)", username)
+ searchFilter := fmt.Sprintf("(uid=%s)", ldap.EscapeFilter(username))
 searchRequest := ldap.NewSearchRequest(
 "ou=people," + rootDN,
 ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
diff --git a/examples/ldapauthserver/httpd/ldapauth.go b/examples/ldapauthserver/httpd/ldapauth.go
index f4a4ae1e..58bef787 100644
--- a/examples/ldapauthserver/httpd/ldapauth.go
+++ b/examples/ldapauthserver/httpd/ldapauth.go
@@ -78,7 +78,7 @@ func checkSFTPGoUserAuth(w http.ResponseWriter, r *http.Request) {
 searchRequest := ldap.NewSearchRequest(
 ldapConfig.BaseDN,
 ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
- strings.Replace(ldapConfig.SearchFilter, "%s", authReq.Username, 1),
+ strings.Replace(ldapConfig.SearchFilter, "%s", ldap.EscapeFilter(authReq.Username), 1),
 ldapConfig.SearchBaseAttrs,
 nil,
 )
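Review bot: The new `searchFilter` line escapes `username` for the filter, but an empty username still reaches the directory as `(uid=)`, and the unescaped `log.Printf("username=%s\n", username)` directly above it lets a username containing newlines forge extra log records. I would reject an empty or whitespace-only username before building the filter, and log with `%q` so control characters are shown escaped: `log.Printf("username=%q", username)`. `ldap.EscapeFilter` covers RFC 4515 filter metacharacters only; the base DN built from `rootDN` is not user-controlled here, so that is fine as written. `main` starts before and continues after this hunk, so what happens with the search result (number of entries, the bind that follows) is not visible from here and should be checked separately.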
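Review bot: The new `strings.Replace(..., 1)` substitutes only the first `%s` in the configured `SearchFilter`, so a template such as `(|(uid=%s)(mail=%s))` would leave a literal `%s` in the second slot and silently match nothing; `strings.ReplaceAll(ldapConfig.SearchFilter, "%s", ldap.EscapeFilter(authReq.Username))` makes every placeholder carry the escaped value. The escaping only protects a placeholder used in a value position; if an operator puts `%s` in an attribute or DN position the escaping does not help, which is worth a comment on the `SearchFilter` config field. An empty `authReq.Username` also produces an empty assertion value here, so rejecting it with a 400 before the search would be a cheap extra check. `checkSFTPGoUserAuth` begins before this hunk and continues after it, so the request validation that precedes this point is not visible from here.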