apache · orbisai0security · May 6, 2026
diff --git a/...riftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java b/...riftserver/src/main/java/org/apache/hive/service/auth/LdapAuthenticationProviderImpl.java
@@ -65,14 +65,14 @@ public void Authenticate(String user, String password) throws AuthenticationExce
     List<String> candidatePrincipals = new ArrayList<>();
     if (Utils.isBlank(userDNPattern)) {
       if (Utils.isNotBlank(baseDN)) {
-        String pattern = "uid=" + user + "," + baseDN;
+        String pattern = "uid=" + escapeLdapDN(user) + "," + baseDN;
         candidatePrincipals.add(pattern);
       }
     } else {
       String[] patterns = userDNPattern.split(":");
       for (String pattern : patterns) {
         if (pattern.contains(",") && pattern.contains("=")) {
-          candidatePrincipals.add(pattern.replaceAll("%s", user));
+          candidatePrincipals.add(pattern.replace("%s", escapeLdapDN(user)));
         }
       }
     }
@@ -108,4 +108,27 @@ public void Authenticate(String user, String password) throws AuthenticationExce
   private boolean hasDomain(String userName) {
     return (ServiceUtils.indexOfDomainMatch(userName) > 0);
   }
+
+  /**
+   * Escapes special characters in an LDAP DN attribute value per RFC 4514
+   * to prevent LDAP injection attacks.
+   */
+  private static String escapeLdapDN(String value) {
+    StringBuilder sb = new StringBuilder();
+    for (int i = 0; i < value.length(); i++) {
+      char c = value.charAt(i);
+      switch (c) {
+        case '\\': sb.append("\\\\"); break;
+        case ',':  sb.append("\\,");  break;
+        case '+':  sb.append("\\+");  break;
+        case '"':  sb.append("\\\""); break;
+        case '<':  sb.append("\\<");  break;
+        case '>':  sb.append("\\>");  break;
+        case ';':  sb.append("\\;");  break;
+        case '\0': sb.append("\\00"); break;
+        default:   sb.append(c);      break;
+      }
+    }
+    return sb.toString();
+  }
 }