From def0d56e4fbc1e85ba11efe1be5523735b81cfbc Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Mon, 26 Jan 2026 06:04:30 +0000
Subject: [PATCH] Merge r24366 from trunk to 6.0-stable (#43692).
git-svn-id: https://svn.redmine.org/redmine/branches/6.0-stable@24371 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/auth_source_ldap.rb | 2 +-
 test/unit/auth_source_ldap_test.rb | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/app/models/auth_source_ldap.rb b/app/models/auth_source_ldap.rb
index df46ed085..576828470 100644
--- a/app/models/auth_source_ldap.rb
+++ b/app/models/auth_source_ldap.rb
@@ -228,7 +228,7 @@ class AuthSourceLdap < AuthSource
 ldap_con = initialize_ldap_con(self.account, self.account_password)
 end
 attrs = {}
- search_filter = base_filter & Net::LDAP::Filter.eq(self.attr_login, login)
+ search_filter = base_filter & Net::LDAP::Filter.equals(self.attr_login, login)
 ldap_con.search(:base => self.base_dn, :filter => search_filter,
 :attributes=> search_attributes) do |entry|
diff --git a/test/unit/auth_source_ldap_test.rb b/test/unit/auth_source_ldap_test.rb
index a3a257b67..012ecd905 100644
--- a/test/unit/auth_source_ldap_test.rb
+++ b/test/unit/auth_source_ldap_test.rb
@@ -161,6 +161,13 @@ class AuthSourceLdapTest < ActiveSupport::TestCase
 assert_nil auth.authenticate('edavis', '123456')
 end
+ test '#authenticate with special characters in login should not allow filter manipulation' do
+ auth = AuthSourceLdap.find(1)
+ result = auth.authenticate("*", "123456")
+ assert_nil result
+ end
+
 def test_authenticate_should_timeout
 auth_source = AuthSourceLdap.find(1)
 auth_source.timeout = 1
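Review bot: The changed `search_filter` line carries no explanation of why `Net::LDAP::Filter.equals` is used instead of `eq`, and the two names are close enough that a later maintainer could switch back without noticing that `eq` treats `*` in the login value as an LDAP wildcard while `equals` escapes filter metacharacters before building the filter. Add a comment above the line: `# Filter.equals escapes the login value; Filter.eq would interpret "*" and other filter metacharacters in user input as wildcards`. If other methods in this model build filters from caller-supplied strings with `Filter.eq` (only this call site is visible in the hunk), they need the same treatment; the commit touches this one alone. The enclosing method begins and ends outside the hunk.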
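Review bot: The new test's `assert_nil result` can pass vacuously: `authenticate` also returns nil when the LDAP fixture server is unreachable or the bind fails, so the assertion does not by itself show that the `*` login was rejected because of escaping. If this test is not already inside the `if ldap_configured?` guard used for the other LDAP-backed tests in this file (the guard, if any, is outside the hunk), it should be moved there. A positive assertion in the same test that a known-good fixture login still authenticates would confirm that `Filter.equals` has not broken normal logins, and covering parentheses and backslash in the login besides `*` would exercise the rest of the escaping.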