I have a CAS server configured with an LDAP authentication handler like this:
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="uid=%u" />
</bean>
When I enter a login containing the * wildcard character (e.g. 'mu*' instead of 'murray') together with a correct password, authentication is successful (which can be a security hole).
The issue seems to be in the org.jasig.cas.util.LdapUtils#getFilterWithValues() method.
For information, if I replace
final String value = LdapEncoder.nameEncode(properties.get(key));
with
final String value = LdapEncoder.filterEncode(properties.get(key));
the issue is fixed.
Thanks for filing this issue. I will attempt to reproduce and add test coverage for this case. Not sure if a fix will make the 3.4.x branch, but 3.5.x for sure. I should note that this does not affect 4.0 since we're using a new LDAP provider, ldaptive, which performs search filter construction differently.
Pull request with proposed fix above:
I have verified this fixes the reported behavior. Here are some logs from testing with the VT overlay.
Note multiple results are returned, which would be expected since the wildcard character is not escaped. Multiple search results are prevented by default in CAS, which arguably provides adequate protection in most cases.
Note here that the wildcard character is properly escaped.
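The following is an added example, not code from the CAS project or from anyone in this thread. It models in Python what the report and the maintainer's log notes describe: a DN-style encoder (RFC 4514) leaves `*` alone, so the `uid=%u` template becomes a substring filter, while a filter encoder (RFC 4515) turns `*` into `\2a`. It also models the search-then-bind flow of the bind handler with the "refuse multiple results" default mentioned above, to show that the default only helps when the wildcard happens to match more than one entry. The directory contents, passwords and the `search`/`bind_authenticate` functions are constructed stand-ins for this illustration; the two encoders follow the RFCs, not the `LdapEncoder` class.

```python
import re
from typing import Callable, List, Optional

# RFC 4515 section 3: inside a search filter assertion value these characters
# must be written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def filter_encode(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


# RFC 4514 section 2.4: escaping for an attribute value inside a DN.
# '*' is not special in a DN, so a DN encoder leaves it untouched.
_DN_SPECIAL = set(',+"\\<>;')


def name_encode(value: str) -> str:
    """Escape a value for use inside a DN (RFC 4514). Wrong tool for filters."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in _DN_SPECIAL:
            out.append("\\" + c)
        elif c == "#" and i == 0:
            out.append("\\#")
        elif c == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(c)
    return "".join(out)


def build_filter(template: str, login: str, encoder: Callable[[str], str]) -> str:
    """Substitute %u in the handler's filter template with the encoded login."""
    return template.replace("%u", encoder(login))


def _assertion_to_regex(assertion: str) -> str:
    """Translate a filter assertion value to a regex: an unescaped '*' is a
    substring wildcard, '\\XX' is a literal character, the rest is literal."""
    parts = []
    i = 0
    while i < len(assertion):
        c = assertion[i]
        if c == "\\" and i + 2 < len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif c == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(c))
            i += 1
    return "^" + "".join(parts) + "$"


# Constructed sample directory (uid -> password); not real data.
DIRECTORY = {"murray": "s3cret", "mustermann": "hunter2", "muller": "pw123", "alice": "letmein"}


def search(ldap_filter: str) -> List[str]:
    """Minimal stand-in for an LDAP search over a single 'uid=<value>' filter."""
    attr, _, assertion = ldap_filter.partition("=")
    if attr != "uid":
        raise ValueError("this example only models uid filters")
    rx = re.compile(_assertion_to_regex(assertion))
    return [uid for uid in DIRECTORY if rx.match(uid)]


def bind_authenticate(login: str, password: str, encoder: Callable[[str], str],
                      allow_multiple: bool = False) -> Optional[str]:
    """Search-then-bind: resolve the login to an entry, refuse ambiguous
    results unless allowed, then check the password against that entry.
    Returns the uid that was bound, or None on failure."""
    hits = search(build_filter("uid=%u", login, encoder))
    if not hits or (len(hits) > 1 and not allow_multiple):
        return None
    uid = hits[0]  # a real bind handler would bind with the first DN returned
    return uid if DIRECTORY[uid] == password else None


if __name__ == "__main__":
    print(build_filter("uid=%u", "mu*", name_encode))    # wildcard survives
    print(build_filter("uid=%u", "mu*", filter_encode))  # wildcard escaped
    print(bind_authenticate("mur*", "s3cret", name_encode))    # single match: logs in as murray
    print(bind_authenticate("mu*", "s3cret", name_encode))     # several matches: refused
    print(bind_authenticate("mur*", "s3cret", filter_encode))  # literal 'mur*': no such uid
```

The `mur*` case is the one the multiple-results check does not cover: the wildcard resolves to exactly one entry, so the bind proceeds with that entry's DN and murray's password logs in a user who never typed "murray". Escaping the value with the filter encoder is the fix; rejecting multiple results is only a partial mitigation.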
All Open JIRA issues are now moved to Github, and tracked under Github Issues. The migration is now complete. Please use Github issue tracking to file and track issues. JIRA issues will be closed.
The URL address for Github issues of the CAS project is: