From c738c86fd1a5d0f90e2135528ea0bd24dd870e75 Mon Sep 17 00:00:00 2001
From: gered
Date: Fri, 28 Jun 2019 11:40:10 -0400
Subject: [PATCH] apply ldap filtering rules to values being substituted into ldap filters
---
 group/service.go | 4 ++++
 user/service.go | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/group/service.go b/group/service.go
index 4ae2d6d..ee12420 100644
--- a/group/service.go
+++ b/group/service.go
@@ -4,6 +4,8 @@ import (
 "strings"
 "github.com/tiagoapimenta/nginx-ldap-auth/ldap"
+
+ gldap "gopkg.in/ldap.v2"
 )
 type Service struct {
@@ -23,6 +25,8 @@ func NewService(pool *ldap.Pool, base, filter, attr string) *Service {
 }
 func (p *Service) Find(id string) ([]string, error) {
+ id = gldap.EscapeFilter(id)
+
 ok, _, groups, err := p.pool.Search(
 p.base,
 strings.Replace(p.filter, "{0}", id, -1),
diff --git a/user/service.go b/user/service.go
index dbf1c6a..04b402c 100644
--- a/user/service.go
+++ b/user/service.go
@@ -4,6 +4,8 @@ import (
 "strings"
 "github.com/tiagoapimenta/nginx-ldap-auth/ldap"
+
+ gldap "gopkg.in/ldap.v2"
 )
 type Service struct {
@@ -21,6 +23,8 @@ func NewService(pool *ldap.Pool, base, filter string) *Service {
 }
 func (p *Service) Find(username string) (bool, string, error) {
+ username = gldap.EscapeFilter(username)
+
 ok, id, _, err := p.pool.Search(
 p.base,
 strings.Replace(p.filter, "{0}", username, -1),
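Review bot: In `Find` in group/service.go, the added `id = gldap.EscapeFilter(id)` overwrites the parameter, so any later use of `id` in the function (an error message, a log line, a cache key) would see the escaped form rather than the caller's value. The body continues past the end of the hunk, so I cannot confirm there is no such use. Escaping at the point of substitution keeps the raw value intact and ties the escape to the one place that needs it: `strings.Replace(p.filter, "{0}", gldap.EscapeFilter(id), -1),`. The same pattern appears in `Find` in user/service.go with `username`.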
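Review bot: `Find` in user/service.go gets the escape but no doc comment recording the trust boundary it now relies on. I would add `// Find searches with p.filter after replacing {0} by username, escaped as an RFC 4515 assertion value.` followed by `// p.filter is trusted configuration; {0} must appear only in a value position.` `EscapeFilter` only neutralises filter metacharacters inside a value, so a configured filter that places `{0}` anywhere else is not protected by this change. The patch also adds no test; a unit test that passes a username containing `*`, `(`, `)` and `\` and checks the filter string handed to `Search` would pin the fix for both services. `Find` continues past the end of the hunk.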