diff --git a/ldap_frontend/__init__.py b/ldap_frontend/__init__.py
index 2bb2148..d20b80b 100644
--- a/ldap_frontend/__init__.py
+++ b/ldap_frontend/__init__.py
@@ -4,6 +4,7 @@ from os import environ
 from flask import Flask, flash, redirect, request, session, url_for
 from ldap3 import ALL_ATTRIBUTES, MODIFY_ADD, MODIFY_DELETE
 from ldap3.core.exceptions import LDAPException
+from ldap3.utils.dn import escape_rdn
 
 from .helpers.flask import template
 from .helpers.ldap import (
@@ -35,11 +36,11 @@ def login():
 
     if request.method == "POST":
         if try_auth(
-            request.form["username"],
+            escape_rdn(request.form["username"]),
             request.form["password"],
         ):
             session["is_logged_in"] = True
-            session["username"] = request.form["username"]
+            session["username"] = escape_rdn(request.form["username"])
             session["password"] = request.form["password"]
 
             flash("logged in")
@@ -119,12 +120,11 @@ def selfservice(ldap):
             flash("password changed")
         except LDAPException as e:
             app.logger.error(
-                "Updating {} failed: {}\n{}".format(
+                "Updating {} failed: {}".format(
                     APP_CONFIG["template"]["user_dn"].format(
                         session["username"]
                     ),
                     repr(e),
-                    repr(request.form),
                 ),
             )
             flash(e)
@@ -154,6 +154,8 @@ def groups(ldap):
 @app.route("/groups/", methods=["GET", "POST"])
 @admin_required
 def group_edit(ldap, ou):
+    ou = escape_rdn(ou)
+
     if request.method == "POST":
         if request.form.get("remove"):
             ldap.modify(
@@ -163,7 +165,7 @@ def group_edit(ldap, ou):
                 (
                     MODIFY_DELETE,
                     APP_CONFIG["template"]["user_dn"].format(
-                        request.form["remove"]
+                        escape_rdn(request.form["remove"])
                     ),
                 )
             ]
@@ -178,7 +180,7 @@ def group_edit(ldap, ou):
                 (
                     MODIFY_ADD,
                     APP_CONFIG["template"]["user_dn"].format(
-                        request.form["add"]
+                        escape_rdn(request.form["add"])
                     ),
                 )
             ]
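Review bot: `escape_rdn(request.form["username"])` in the try_auth call is applied without first rejecting an empty field; in the ldap3 implementations I know, escape_rdn inspects `rdn[0]`, so an empty username would raise IndexError and turn a blank login form into a 500 rather than a failed login — please confirm against the pinned ldap3 version. Reading and escaping the field twice also invites the two copies to drift, so bind it once and guard it: `username = request.form.get("username", "")` followed by `if username and try_auth(escape_rdn(username), request.form["password"]):`, then store the same escaped value in the session. DN escaping is only the right transform if try_auth (defined in helpers.ldap, outside this diff) interpolates the value into a DN; if it builds a search filter, `ldap3.utils.conv.escape_filter_chars` is the matching escape. Separately, the unchanged `session["password"] = request.form["password"]` keeps the plaintext password in the session, which with Flask's default cookie session is sent to the client in a signed but readable cookie; that deserves its own issue. login's body continues outside the hunk.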
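Review bot: `flash(e)` after the trimmed log call still hands the raw LDAPException text to the browser, which can carry the server's diagnostic message and the DN just built from the session; now that the form contents are kept out of the log, the user-facing message should be generic as well, e.g. `flash("password change failed")`, with the detail staying in the log. The log call can also let logging do the formatting and record the traceback: `app.logger.exception("Updating %s failed", APP_CONFIG["template"]["user_dn"].format(session["username"]))`. The enclosing try/except starts outside the hunk.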
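Review bot: `ou = escape_rdn(ou)` rebinds the route parameter with DN escaping for every later use in group_edit, which is correct only where `ou` is interpolated into a DN; if the rest of the function (outside this hunk) also puts `ou` into a search filter or passes it to a template, the DN-escaped form is the wrong one there — filters need `ldap3.utils.conv.escape_filter_chars` and rendering needs the raw value. A one-line comment would record the intent for the next reader: `# DN-escape once; every later use of ou in this view builds a DN`. group_edit's body continues past the hunk.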
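Review bot: The member DN is assembled inline as `APP_CONFIG["template"]["user_dn"].format(escape_rdn(request.form["remove"]))`, and the identical expression is repeated for `request.form["add"]` in the next hunk, so every current and future call site has to remember the escape by itself. A small helper for form-sourced names, `def user_dn_for(username): return APP_CONFIG["template"]["user_dn"].format(escape_rdn(username))`, would make the escaping impossible to skip at the two sites in this function (the login path stores an already-escaped username in the session, so selfservice must keep formatting that value unchanged rather than use the helper). The `request.form.get("remove")` check above guards the empty-string case for this branch; it is worth confirming the `"add"` branch, which starts outside this hunk, has the same guard.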