From lhazlew...@apache.org
Subject svn commit: r887987 - /incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java
Date Mon, 07 Dec 2009 16:28:02 GMT
Author: lhazlewood
Date: Mon Dec  7 16:28:00 2009
New Revision: 887987

URL: http://svn.apache.org/viewvc?rev=887987&view=rev
Log:
SHIRO-115 - applied suggested code to prevent code injection

Modified:
    incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java

Modified: incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java
URL: http://svn.apache.org/viewvc/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java?rev=887987&r1=887986&r2=887987&view=diff
==============================================================================
--- incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java
(original)
+++ incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java
Mon Dec  7 16:28:00 2009
@@ -169,9 +169,11 @@
             userPrincipalName += principalSuffix;
         }
 
-        String searchFilter = "(&(objectClass=*)(userPrincipalName=" + userPrincipalName
+ "))";
+        //SHIRO-115 - prevent potential code injection:
+        String searchFilter = "(&(objectClass=*)(userPrincipalName={0}))";
+        Object[] searchArguments = new Object[]{userPrincipalName};
 
-        NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchCtls);
+        NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchArguments,
searchCtls);
 
         while (answer.hasMoreElements()) {
             SearchResult sr = (SearchResult) answer.next();
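Review bot: The new `//SHIRO-115` comment calls this "code injection", but the defect being closed is LDAP search-filter injection: with the old concatenation a principal containing `*`, `(`, `)` or `\` could rewrite the filter, and the `{0}`/`searchArguments` form fixes it because the JNDI LDAP provider escapes those filter metacharacters (and NUL) in String arguments per RFC 4515 before substitution. Suggest `// SHIRO-115: pass the principal as a filter argument so the JNDI provider escapes LDAP filter metacharacters instead of concatenating caller-supplied input into the filter`. The protection covers only the filter value; `searchBase` still goes to `search()` unescaped, which is acceptable as long as it stays configuration rather than caller input (it appears to, but its origin is outside this hunk). Separately, `NamingEnumeration answer` is a raw type — `NamingEnumeration<SearchResult> answer = ldapContext.search(searchBase, searchFilter, searchArguments, searchCtls);` removes the cast on the following line — and the enumeration should be released with `answer.close()` in a `finally` if that is not already done further down. The enclosing method starts and ends outside the hunk.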


