search

kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License
731 stars 251 forks source link

Fix escaping in LDAP search strings [CVE-2020-14013] #239

Open onovy opened 4 years ago

onovy commented 4 years ago

When username contains any special character (parentheses, asterisk, ...) user search will fail.

When returned DN of user contains any escaped character (for example ",") group filter will fail.

Example:

(&(CN=group)(member=CN=dummy\, dummy2,OU=ou,DC=dc))"

Which is wrong and doesn't work with Active directory.

Correct is:

(&(CN=group)(member=CN=dummy\5C, dummy2,OU=ou,DC=dc))"

This patch fixies both of these bugs by using ldap_bv2escaped_filter_value from LDAP client to escape all of filter values.

See: https://tools.ietf.org/search/rfc2254#page-5 Fixes #224 fixes #180

CVE-2020-14013

sc29872001 commented 1 year ago

I encountered the error during make install with this module.

/root/nginx-auth-ldap/ngx_http_auth_ldap_module.c: In function ‘ngx_http_auth_ldap_escape_filter’:
/root/nginx-auth-ldap/ngx_http_auth_ldap_module.c:766:19: error: pointer targets in assignment differ in signedness [-Werror=pointer-sign]
     userbv.bv_val = in->data;
                   ^
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/nginx-auth-ldap/ngx_http_auth_ldap_module.o] Error 1
make[1]: Leaving directory `/root/nginx-1.20.1'
make: *** [build] Error 2