Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

stable

Clone or download

Read-only

request #24168: Indirect LDAP injection via the ldap_id attribute of a user when checking if it exists

Download Browse

This is a follow up to git #tuleap/stable/bd47f29847fcd6a68d359bc8aefb8749bb8a1b7c the initial fix was incomplete. Issue was identified thanks to Psalm taint analysis. Change-Id: I695be7d006e0cabdb9d4804f62772b0d88f3ffc0

+9 −1
Thomas Gerbet (tgerbet) 2021-11-23 15:14
Thomas Gerbet (tgerbet) 2021-11-23 15:14
64e77561eba9f8233199c2962b3497ed7294a7d2
9fa45da96b7d93c76c8a54bf9084dc4675fa8324
git #tuleap/stable/64e77561eba9f8233199c2962b3497ed7294a7d2

Modified Files

Side by side diff
Inline diff
Name
M plugins/ldap/include/LDAP_ProjectGroupDao.class.php +3 −0 Go to diff View file
M plugins/ldap/include/LDAP_UserManager.class.php +1 −1 Go to diff View file
M src/common/DB/Compat/Legacy2018/CompatPDODataAccess.php +3 −0 Go to diff View file
M src/common/DB/Compat/Legacy2018/LegacyDataAccessInterface.php +2 −0 Go to diff View file