From 6efbe49439f9dff87133f14a8c64a96c0b637635 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Tue, 5 Jul 2022 16:59:27 +0100
Subject: [PATCH] EscapeFilter the group dn membership (#20200)

The uid provided to the group filter must be properly escaped using the provided
ldap.EscapeFilter function.

Fix #20181

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 services/auth/source/ldap/source_search.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go
index 988d56005e..a97a1179d9 100644
--- a/services/auth/source/ldap/source_search.go
+++ b/services/auth/source/ldap/source_search.go
@@ -199,7 +199,7 @@ func checkRestricted(l *ldap.Conn, ls *Source, userDN string) bool {
 // List all group memberships of a user
 func (source *Source) listLdapGroupMemberships(l *ldap.Conn, uid string) []string {
 	var ldapGroups []string
-	groupFilter := fmt.Sprintf("(%s=%s)", source.GroupMemberUID, uid)
+	groupFilter := fmt.Sprintf("(%s=%s)", source.GroupMemberUID, ldap.EscapeFilter(uid))
 	result, err := l.Search(ldap.NewSearchRequest(
 		source.GroupDN,
 		ldap.ScopeWholeSubtree,