# Unsafe: tainted form data concatenated into an LDAP filter and passed to
# python-ldap's `search_s`. The bound receiver `conn` is typed as LdapClient
# via `ldap.initialize`, and the suffix matcher on `search_s` also catches the
# call directly.
import ldap
from flask import request
def lookup():
    """Search the directory for the ``uid`` given in the ``user`` form field.

    Deliberately unsafe fixture: ``request.form["user"]`` is attacker-controlled
    and is spliced into the LDAP filter by plain string concatenation, so filter
    metacharacters (``*``, ``(``, ``)``, backslash, NUL) in the value change the
    meaning of the query (LDAP filter injection, CWE-90). The safe form would
    pass the value through ``ldap.filter.escape_filter_chars`` before building
    ``flt`` (or build the filter with ``ldap.filter.filter_format``); it is left
    unescaped here so the analyzer has something to detect.

    Returns:
        Whatever ``conn.search_s`` returns for the constructed filter.
    """
    # Client object for a hard-coded, plain ``ldap://`` URL (non-TLS scheme).
    # Not the subject of this fixture; it only gives ``conn`` its receiver type.
    conn = ldap.initialize("ldap://example.com")
    # Taint source: raw form input, no validation or escaping.
    user = request.form["user"]
    # Tainted filter construction: ``user`` is interpreted as filter syntax
    # rather than as a literal uid value.
    flt = "(uid=" + user + ")"
    # Sink: subtree search executed with the tainted filter.
    return conn.search_s("ou=people,dc=example,dc=com", ldap.SCOPE_SUBTREE, flt)