fix: fix the SQL injection vulnerability in field filter (#442)

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
Yixiang Zhao
2022-01-26 19:36:36 +08:00
committed by GitHub
parent 051752340d
commit 5ec0c7a890
14 changed files with 31 additions and 59 deletions


@ -23,10 +23,14 @@ import (
goldap "github.com/go-ldap/ldap/v3"
)
var reWhiteSpace *regexp.Regexp
var (
reWhiteSpace *regexp.Regexp
reFieldWhiteList *regexp.Regexp
)
func init() {
reWhiteSpace, _ = regexp.Compile(`\s`)
reFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
}
func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, email string, phone string, affiliation string) string {
@ -179,3 +183,7 @@ func CheckUserPassword(organization string, username string, password string) (*
return user, ""
}
func filterField(field string) bool {
return reFieldWhiteList.MatchString(field)
}
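Review bot: `filterField` at the end of the second hunk has no doc comment, and its name reads like a sanitizer although it returns a bool that is true when the field is acceptable. Since it is the guard for this injection fix, the contract should be stated on it, e.g. `// filterField reports whether field contains only ASCII letters and digits; callers must reject the request when it returns false.` The call sites are in other files of this commit and are not visible here, so it is worth confirming that each one checks the result before the field name reaches the query builder. In `init()` in the first hunk the error from `regexp.Compile` is discarded; `reFieldWhiteList = regexp.MustCompile("^[A-Za-z0-9]+$")` would fail at startup instead of leaving a nil regexp that panics on the first request if the pattern is ever edited incorrectly.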