
branch-4.1:[fix](ldap) Replace custom LDAP filter escaping with LdapEncoder.filterEncode to prevent injection vulnerabilities and add related documentation. (#61662)#61774

Merged
yiguolei merged 1 commit into apache:branch-4.1 from seawinde:pick-61662-branch-4.1
Mar 27, 2026

Conversation

@seawinde
Member

pr #61662

…terEncode` to prevent injection vulnerabilities and add related documentation. (apache#61662)

When constructing LDAP search filters, the {login} placeholder in
ldap_user_filter and ldap_group_filter is replaced with the raw
username. If the username contains LDAP filter special characters (*, (,
), \, NUL), these characters are interpreted as part of the filter
syntax rather than literal values, which may cause unexpected query
behavior or incorrect search results.

This PR ensures all {login} substitutions are properly escaped per RFC
4515 using Spring LDAP's built-in LdapEncoder.filterEncode(), covering
both the fe-core main authentication path and the fe-authentication
plugin path.
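The escaping described above, as an added example that is not code from the Doris PR or from Spring LDAP: a small RFC 4515 escaper that is assumed to reproduce the character set and `\XX` hex form of `LdapEncoder.filterEncode`, applied to the `{login}` placeholder, with the pre-fix raw substitution beside it. The filter templates, the sample username and the `component_count` structural check are constructed for illustration, not taken from a Doris configuration.

```python
"""Added example (not code from the Doris PR): RFC 4515 escaping of the
{login} placeholder, with the pre-fix raw substitution beside it.

Assumptions: filter_encode() reproduces the character set and \\XX hex form
of Spring LDAP's LdapEncoder.filterEncode; the filter templates below are
constructed sample values in the shape of ldap_user_filter and
ldap_group_filter, not copied from a real configuration.
"""
import re

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits so that they are read
# as literal bytes rather than as filter syntax.
_RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Constructed sample templates (hypothetical values, same shape as Doris's
# ldap_user_filter / ldap_group_filter settings).
USER_FILTER_TEMPLATE = "(&(uid={login})(objectClass=person))"
GROUP_FILTER_TEMPLATE = "(&(memberUid={login})(objectClass=posixGroup))"


def filter_encode(value: str) -> str:
    """Escape one assertion value per RFC 4515 (what LdapEncoder.filterEncode does)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def render_unescaped(template: str, login: str) -> str:
    """Pre-fix behaviour: the raw username is spliced into the filter."""
    return template.replace("{login}", login)


def render_escaped(template: str, login: str) -> str:
    """Post-fix behaviour: the username is escaped before substitution."""
    return template.replace("{login}", filter_encode(login))


def component_count(ldap_filter: str) -> int:
    """Number of filter components, i.e. '(' that are not part of a \\XX escape.

    A correctly escaped substitution never changes this number relative to
    the template, which makes it a cheap structural check for unit tests.
    """
    stripped = re.sub(r"\\[0-9A-Fa-f]{2}", "", ldap_filter)
    return stripped.count("(")


def substitution_keeps_structure(template: str, login: str) -> bool:
    """True when the escaped login leaves the filter with the template's component count."""
    return component_count(render_escaped(template, login)) == component_count(template)


if __name__ == "__main__":
    # A constructed username carrying every RFC 4515 special character except NUL.
    login = "jo(hn)*\\doe"
    for name, template in (("user", USER_FILTER_TEMPLATE), ("group", GROUP_FILTER_TEMPLATE)):
        print(f"{name} raw:     {render_unescaped(template, login)}")
        print(f"{name} escaped: {render_escaped(template, login)}")
```

The raw rendering shows why the fix matters: a username containing `(` or `)` changes how many components the parsed filter has, whereas the escaped rendering always keeps the template's structure, which is the property a regression test for this change should assert.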
@seawinde seawinde requested a review from yiguolei as a code owner March 26, 2026 11:41
@Thearas
Contributor

Thearas commented Mar 26, 2026

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@seawinde
Member Author

run buildall

@seawinde seawinde changed the title [fix](ldap) Replace custom LDAP filter escaping with LdapEncoder.filterEncode to prevent injection vulnerabilities and add related documentation. (#61662) branch-4.1:[fix](ldap) Replace custom LDAP filter escaping with LdapEncoder.filterEncode to prevent injection vulnerabilities and add related documentation. (#61662) Mar 26, 2026
@yiguolei
Contributor

skip buildall

@github-actions
Contributor

PR approved by at least one committer and no changes requested.

@github-actions github-actions bot added the approved Indicates a PR has been approved by one committer. label Mar 27, 2026
@github-actions
Contributor

PR approved by anyone and no changes requested.

@yiguolei yiguolei merged commit 75dba01 into apache:branch-4.1 Mar 27, 2026
29 of 32 checks passed