Successful LDAP authentication with wildcard Login

Description

I have a CAS server configured with an LDAP authentication handler like this:

<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
<property name="filter" value="uid=%u" />
...
</bean>

When I enter a login with the * wildcard character (e.g. 'mu*' instead of 'murray') with a correct password, authentication is successful (which can be a security hole).

The issue seems to be in the org.jasig.cas.util.LdapUtils#getFilterWithValues() method.

For information, if I replace
final String value = LdapEncoder.nameEncode(properties.get(key));
by
final String value = LdapEncoder.filterEncode(properties.get(key));
the issue is fixed.
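The difference between the two encoders comes down to which characters they escape: DN escaping (RFC 4514, what a nameEncode-style routine does) leaves '*' alone because it is not special in a distinguished name, while filter escaping (RFC 4515, filterEncode-style) turns it into the hex escape \2a so the directory treats it as a literal. The following is an added illustration, not CAS or Spring LDAP code: it models both encoders, substitutes a user-supplied login into the "uid=%u" template the way the issue describes, and runs the resulting filter against a small constructed directory with a minimal RFC 4515 matcher to show that 'mu*' matches real users only when the DN encoder is used. The encoder implementations are simplified models written for this example, and SAMPLE_DIRECTORY is constructed data.

```python
import re

# RFC 4514 special characters for DN values. Note that '*' is absent,
# which is exactly why a DN encoder is the wrong tool for a search filter.
_DN_SPECIALS = set(',+"\\<>;')

# RFC 4515 escapes for assertion values inside a search filter.
_FILTER_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}

# Constructed sample directory: the uid attribute of three entries.
SAMPLE_DIRECTORY = ["murray", "mullen", "smith"]


def dn_encode(value: str) -> str:
    """Simplified RFC 4514 escaping (nameEncode-style): backslash-escape
    DN metacharacters, a leading '#' or space, and a trailing space.
    '*' passes through untouched."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def filter_encode(value: str) -> str:
    """RFC 4515 escaping (filterEncode-style): every filter metacharacter,
    including '*', becomes a backslash-hex escape and loses its meaning."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, user_input: str, encoder) -> str:
    """Substitute the login for %u, as the handler's filter template does
    (assumed simplification of the template expansion described in the issue)."""
    return template.replace("%u", encoder(user_input))


def assertion_to_regex(assertion: str) -> str:
    """Translate an RFC 4515 assertion value into an anchored regex:
    unescaped '*' is a wildcard, '\\xx' is a literal octet, all else literal."""
    parts = []
    i = 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 2 < len(assertion) and re.fullmatch(r"[0-9a-fA-F]{2}", assertion[i + 1:i + 3]):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return "^" + "".join(parts) + "$"


def matching_uids(ldap_filter: str, directory) -> list:
    """Evaluate a simple 'uid=<assertion>' filter against the sample directory,
    returning the uids a real LDAP server would hand back as search results."""
    m = re.fullmatch(r"uid=(.*)", ldap_filter)
    if m is None:
        raise ValueError("only simple uid=... filters are modelled here")
    regex = assertion_to_regex(m.group(1))
    return [uid for uid in directory if re.fullmatch(regex, uid)]


if __name__ == "__main__":
    for login in ["murray", "mu*", "*"]:
        for name, enc in [("nameEncode-style", dn_encode), ("filterEncode-style", filter_encode)]:
            f = build_filter("uid=%u", login, enc)
            print(f"{name:20} login={login!r:10} filter={f!r:14} matches={matching_uids(f, SAMPLE_DIRECTORY)}")
```

With the DN encoder, 'mu*' expands to the filter uid=mu* and the search returns both murray and mullen; a bind handler that then binds as the first hit with the password the user typed will succeed for anyone who knows one matching account's password but not its exact login, and a bare '*' enumerates every entry. With the filter encoder the same input becomes uid=mu\2a, which matches nothing unless a uid literally contains an asterisk.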

Environment

None

Assignee

Marvin Addison

Reporter

Antoine Mollard

Labels

None

Estimated End Date

None

Components

Affects versions

Priority

Major