[KARAF-4892] Encode user to avoid LDAP injection
[karaf.git] / jaas / modules / src / main / java / org / apache / karaf / jaas / modules / ldap / LDAPLoginModule.java
index 6d759e1..695b866 100644 (file)
@@ -71,7 +71,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
             throw new LoginException(unsupportedCallbackException.getMessage() + " not available to obtain information from user.");
         }
 
-        user = ((NameCallback) callbacks[0]).getName();
+        user = doRFC2254Encoding(((NameCallback) callbacks[0]).getName());
 
         char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
 
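Review bot: The filter-escaped string is written back into the `user` field on the added line, so every later use of that field receives RFC 2254 filter escaping, not just the search filter where it belongs; if `user` is also used to build a DN or to create the principal, the escaping there is wrong (DN escaping follows a different scheme) and the principal name would carry `\2a`-style sequences. A safer shape is to keep `user = ((NameCallback) callbacks[0]).getName();` unchanged and apply `doRFC2254Encoding(user)` only at the point where the value is substituted into the LDAP search filter. I cannot see the rest of the method from this hunk, so whether `user` is reused in a DN or principal needs confirming against the file. The enclosing `login()` body continues outside the hunk.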
@@ -159,6 +159,34 @@ public class LDAPLoginModule extends AbstractKarafLoginModule {
         return true;
     }
 
+    protected String doRFC2254Encoding(String inputString) {
+        StringBuffer buf = new StringBuffer(inputString.length());
+        for (int i = 0; i < inputString.length(); i++) {
+            char c = inputString.charAt(i);
+            switch (c) {
+                case '\\':
+                    buf.append("\\5c");
+                    break;
+                case '*':
+                    buf.append("\\2a");
+                    break;
+                case '(':
+                    buf.append("\\28");
+                    break;
+                case ')':
+                    buf.append("\\29");
+                    break;
+                case '\0':
+                    buf.append("\\00");
+                    break;
+                default:
+                    buf.append(c);
+                    break;
+            }
+        }
+        return buf.toString();
+    }
+
     public boolean abort() throws LoginException {
         return true;
     }
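Review bot: `doRFC2254Encoding` dereferences `inputString` immediately (`inputString.length()`), so a `NameCallback` whose handler left the name unset now throws `NullPointerException` where the previous assignment simply stored `null`; a guard such as `if (inputString == null) { return null; }` at the top keeps the old behaviour for that case. The buffer is local to the method and never shared, so `StringBuffer` can be `StringBuilder buf = new StringBuilder(inputString.length());` without the per-append synchronization. The method also lacks Javadoc: a short comment stating that it escapes the five characters with special meaning in LDAP search filters (`\`, `*`, `(`, `)`, NUL) as `\xx` hex sequences per RFC 2254 / RFC 4515, and that the result is only valid inside a filter, not in a DN, would tell the next maintainer where it may and may not be applied.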