From c0b45fa36ff2b61a61a6c0f7e32f83f64cdb1a62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20Kemetm=C3=BCller?=
Date: Mon, 16 Apr 2018 23:19:45 +0200
Subject: [PATCH] ldap: return valid LDAP string if user input lacks "%s" (#5171)

If the user provides a string that does not contain "%s", fmt.Sprintf silently appends "%!(EXTRA type=value)" instead of failing loudly. This fixes #4375.
---
 pkg/auth/ldap/ldap.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/auth/ldap/ldap.go b/pkg/auth/ldap/ldap.go
index 3120b0ee9..5b9764607 100644
--- a/pkg/auth/ldap/ldap.go
+++ b/pkg/auth/ldap/ldap.go
@@ -56,7 +56,7 @@ func (ls *Source) sanitizedUserQuery(username string) (string, bool) {
 return "", false
 }

- return fmt.Sprintf(ls.Filter, username), true
+ return strings.Replace(ls.Filter, "%s", username, -1), true
 }

 func (ls *Source) sanitizedUserDN(username string) (string, bool) {
@@ -67,7 +67,7 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
 return "", false
 }

- return fmt.Sprintf(ls.UserDN, username), true
+ return strings.Replace(ls.UserDN, "%s", username, -1), true
 }

 func (ls *Source) sanitizedGroupFilter(group string) (string, bool) {
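Review bot: In `sanitizedUserQuery`, a `Filter` that contains no `%s` is now returned unchanged with `true`, so the resulting search no longer depends on the supplied username and the login attempt proceeds against whatever entry the fixed filter matches; the same holds for `UserDN` in `sanitizedUserDN` in the second hunk. The commit message faults the old code for not failing loudly, but the new code does not fail either; rejecting the template is the safer behaviour, e.g. `if !strings.Contains(ls.Filter, "%s") { return "", false }` ahead of the return, and ideally the same check when the source configuration is saved. A template that escaped a literal percent as `%%` for `fmt.Sprintf` will also now keep both characters, which may change existing filters. Both function bodies start above their hunks, so the username check that precedes these returns is not visible here.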