Merge remote-tracking branch 'origin/develop'

2026-03-12 17:52:00 +08:00 · 2026-02-23 14:30:54 +00:00
parent f328da37bc 9ed5540c49
commit a15adc806b
1 changed files with 2 additions and 2 deletions
--- a/app/Models/Ldap.php
+++ b/app/Models/Ldap.php
@@ -195,7 +195,7 @@ class Ldap extends Model
        $connection = self::connectToLdap();
        $ldap_username_field = $settings->ldap_username_field;
        $baseDn = $settings->ldap_basedn;
-        $userDn = $ldap_username_field.'='.$username.','.$settings->ldap_basedn;
+        $userDn = $ldap_username_field . '=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $settings->ldap_basedn;

        if ($settings->is_ad == '1') {
            // Check if they are using the userprincipalname for the username field.
@@ -213,7 +213,7 @@ class Ldap extends Model
            }
        }

-        $filterQuery = $settings->ldap_auth_filter_query.$username;
+        $filterQuery = $settings->ldap_auth_filter_query . ldap_escape($username, '', LDAP_ESCAPE_FILTER);
        $filter = Setting::getSettings()->ldap_filter; //FIXME - this *does* respect the ldap filter, but I believe that AdLdap2 did *not*.
        $filterQuery = "({$filter}({$filterQuery}))";