From c2771cbb452949fb5b1e921d8c051c59b024fc28 Mon Sep 17 00:00:00 2001
From: Alexandr Dubovikov <alexandr.dubovikov@gmail.com>
Date: Thu, 14 Dec 2017 15:16:58 +0100
Subject: [PATCH] Update LDAP.php

prevent some potentially leading to privilege escalation. Thanks go to Kaarle R.
---
 api/Authentication/LDAP.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/api/Authentication/LDAP.php b/api/Authentication/LDAP.php
index 653af2e..f3f0c9d 100644
--- a/api/Authentication/LDAP.php
+++ b/api/Authentication/LDAP.php
@@ -72,8 +72,7 @@ class LDAP extends Authentication {
                 return array();
             }
         }
-
-        $r=@ldap_search( $ds, LDAP_BASEDN, LDAP_USERNAME_ATTRIBUTE_OPEN .$param['username'].LDAP_USERNAME_ATTRIBUTE_CLOSE);
+        $r=@ldap_search( $ds, LDAP_BASEDN, LDAP_USERNAME_ATTRIBUTE_OPEN.@ldap_escape($param['username']).LDAP_USERNAME_ATTRIBUTE_CLOSE);
         if ($r) {
             $result = @ldap_get_entries( $ds, $r);
 
-- 
2.14.3