This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new 99a1a49 Ensure that interpolated LDAP variables are always escaped
99a1a49 is described below
commit 99a1a49007a9d8bb5a93e831f05a8f82edd89004
Author: Sean B. Palmer <[email protected]>
AuthorDate: Tue Jan 13 20:13:24 2026 +0000
Ensure that interpolated LDAP variables are always escaped
---
atr/admin/__init__.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/atr/admin/__init__.py b/atr/admin/__init__.py
index 0ce76e0..fcaca5c 100644
--- a/atr/admin/__init__.py
+++ b/atr/admin/__init__.py
@@ -32,6 +32,7 @@ import asfquart
import asfquart.base as base
import asfquart.session
import htpy
+import ldap3.utils.conv as conv
import pydantic
import quart
import sqlalchemy.orm as orm
@@ -1010,11 +1011,12 @@ async def
_get_filesystem_dirs_unfinished(filesystem_dirs: list[str]) -> None:
def _get_user_committees_from_ldap(uid: str, bind_dn: str, bind_password: str)
-> set[str]:
+ escaped_uid = conv.escape_filter_chars(uid)
with ldap.Search(bind_dn, bind_password) as ldap_search:
result = ldap_search.search(
ldap_base="ou=project,ou=groups,dc=apache,dc=org",
ldap_scope="SUBTREE",
-
ldap_query=f"(|(ownerUid={uid})(owner=uid={uid},ou=people,dc=apache,dc=org))",
+
ldap_query=f"(|(ownerUid={escaped_uid})(owner=uid={escaped_uid},ou=people,dc=apache,dc=org))",
ldap_attrs=["cn"],
)
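Review bot: The escaping added at `escaped_uid = conv.escape_filter_chars(uid)` covers the RFC 4515 filter metacharacters in both interpolations, but the second interpolation builds a DN-shaped assertion value (`owner=uid={escaped_uid},ou=people,dc=apache,dc=org`), and DN-special characters such as `,`, `+`, `=` or `;` in `uid` are not touched by `escape_filter_chars`, so a uid containing them would not alter the filter structure but would compare against a malformed DN and silently match nothing. If `uid` can originate from anything other than an authenticated session value, it is worth rejecting unexpected characters before the query is built, e.g. `if not re.fullmatch(r"[a-z0-9_-]+", uid): raise ValueError("invalid uid")` (the exact character class should follow the project's uid policy, and `re` must be imported). A short comment on the new line, such as `# uid is interpolated into an LDAP filter; escape filter metacharacters so a crafted uid cannot change the query`, would document why the escaping exists. The enclosing function continues past the end of this hunk.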