From dffbc87278fce22b5f34847a0ff79ecb4e529364 Mon Sep 17 00:00:00 2001
From: dahn
Date: Tue, 10 Jan 2023 02:54:51 -0800
Subject: [PATCH] escapes for injection prtection (#7069)
---
 .../org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
index 5fe27e50d4d..07d896a2c84 100644
--- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
+++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
@@ -83,7 +83,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
 usernameFilter.append("(");
 usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
 usernameFilter.append("=");
- usernameFilter.append((username == null ? "*" : username));
+ usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
 usernameFilter.append(")");
 String memberOfAttribute = _ldapConfiguration.getUserMemberOfAttribute(domainId);
@@ -154,7 +154,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
 groupNameFilter.append("(");
 groupNameFilter.append(_ldapConfiguration.getCommonNameAttribute());
 groupNameFilter.append("=");
- groupNameFilter.append((groupName == null ? "*" : groupName));
+ groupNameFilter.append((groupName == null ? "*" : LdapUtils.escapeLDAPSearchFilter(groupName)));
 groupNameFilter.append(")");
 final StringBuilder result = new StringBuilder();
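Review bot: Escaping inside the filter builder changes what callers may pass. In the new `usernameFilter.append(...)` line of the -83 hunk, and in the matching lines of the `groupNameFilter` hunk at -154 and the `usernameFilter` hunk at -194, a `*` in the argument is now treated as a literal character (assuming `escapeLDAPSearchFilter` follows RFC 4515), so only the `null` case still produces a wildcard. The enclosing methods start and end outside these hunks and their callers are not visible; a caller that builds a substring pattern such as `"*" + name + "*"` would silently stop matching, and one that already escapes the value would have it escaped twice. I would check each call site and document the contract on the methods, e.g. `@param username raw, unescaped value; null matches any user, wildcards are not interpreted`. A unit test with `*`, `(`, `)` and `\` in the name would pin the behaviour.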
@@ -194,7 +194,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
 usernameFilter.append("(");
 usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
 usernameFilter.append("=");
- usernameFilter.append((username == null ? "*" : username));
+ usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
 usernameFilter.append(")");
 final StringBuilder memberOfFilter = new StringBuilder();
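Review bot: The `memberOfFilter` started on the last line of this hunk is assembled outside the visible lines, and the commit escapes only `username`. The same applies to whatever is built after the `memberOfAttribute` line that closes the -83 hunk. If either filter appends a group name or DN that can originate from a request rather than from static configuration, it needs `LdapUtils.escapeLDAPSearchFilter(...)` as well. Otherwise the injection path closed here would presumably stay open through the other clause of the search filter. This should be confirmed against the full method bodies.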