author | Douwe Maan <douwe@gitlab.com> | 2015-03-06 13:26:33 +0100 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2015-03-06 13:39:57 +0100 |
commit | 757dca2b78c8b218295c855d6b7529bad05ae24b (patch) | |
tree | ce2c6beca88ce1c76a88235a8d8d94c02e6a8381 | |
parent | e916f1c295050ef26aef7b309843df6a8cac158e (diff) | |
Escape wildcards when searching LDAP by username.
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | lib/gitlab/ldap/authentication.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/ldap/person.rb | 2 |
3 files changed, 4 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 37aee53bc0a..59846b778e1 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -20,6 +20,7 @@ v 7.9.0 (unreleased)
 - Add brakeman (security scanner for Ruby on Rails)
 - Slack username and channel options
 - Add grouped milestones from all projects to dashboard.
+ - Escape wildcards when searching LDAP by username.
 v 7.8.1
 - Fix run of custom post receive hooks
diff --git a/lib/gitlab/ldap/authentication.rb b/lib/gitlab/ldap/authentication.rb
index 8af2c74e959..649cf3194b8 100644
--- a/lib/gitlab/ldap/authentication.rb
+++ b/lib/gitlab/ldap/authentication.rb
@@ -50,7 +50,7 @@ module Gitlab
 end
 def user_filter(login)
- filter = Net::LDAP::Filter.eq(config.uid, login)
+ filter = Net::LDAP::Filter.equals(config.uid, login)
 # Apply LDAP user filter if present
 if config.user_filter.present?
diff --git a/lib/gitlab/ldap/person.rb b/lib/gitlab/ldap/person.rb
index 3e0b3e6cbf8..3c426179375 100644
--- a/lib/gitlab/ldap/person.rb
+++ b/lib/gitlab/ldap/person.rb
@@ -9,10 +9,12 @@ module Gitlab
 attr_accessor :entry, :provider
 def self.find_by_uid(uid, adapter)
+ uid = Net::LDAP::Filter.escape(uid)
 adapter.user(adapter.config.uid, uid)
 end
 def self.find_by_dn(dn, adapter)
+ dn = Net::LDAP::Filter.escape(dn)
 adapter.user('dn', dn)
 end |
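Review bot: Nothing in `user_filter` records why `equals` is used instead of `eq`, and the commit adds no spec for it, so a later cleanup could switch the call back without any test failing. In net-ldap, `Filter.eq` leaves `*` in the value as a wildcard while `Filter.equals` escapes it, which matters here because `login` is presumably user-supplied at sign-in. I would add a comment above the changed line such as `# equals escapes login; eq would treat '*' as a wildcard`, plus a spec asserting that a login containing `*` yields an escaped filter. The body of `user_filter` continues past the end of the hunk, so how `config.user_filter` is combined with this filter is not visible here.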
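Review bot: `find_by_dn` applies `Net::LDAP::Filter.escape` to a DN, but that helper escapes filter-value metacharacters (RFC 4515), not DN syntax (RFC 4514). How `adapter.user('dn', dn)` consumes the value is not shown in this hunk; if it uses the DN as a search base rather than inside a filter, a DN containing `(`, `)`, `*` or `\` would be rewritten and the lookup would miss a legitimate entry. In both methods the escaping also sits in the caller, whereas `authentication.rb` escapes at filter construction with `equals`; moving the escape into the adapter where the filter is built would keep callers from forgetting it or escaping twice. If the escape in `find_by_dn` stays, a comment like `# adapter.user places dn inside a filter, hence filter escaping` would document the assumption.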