From dfc2867e11a17322f0b78db199f58f7011223315 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Thu, 16 Feb 2017 17:03:29 +0100 Subject: [PATCH] Added a caution note about the LDAP injection attacks --- security/ldap.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/security/ldap.rst b/security/ldap.rst index 29b984b93d8..d2512428379 100644 --- a/security/ldap.rst +++ b/security/ldap.rst @@ -167,6 +167,13 @@ use the ``ldap`` user provider. ), ); +.. caution:: + + The Security component escapes values provided when binding against an LDAP + server (likewise for the user provider). However, the LDAP component does + not provide any other escaping, so it's your responsibility to prevent + the LDAP injection attacks. + The ``ldap`` user provider supports many different configuration options: service
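Review bot: the new caution note is a valuable addition, but its wording is ambiguous on two points. First, "(likewise for the user provider)" does not say what is escaped for the provider; since a provider's risk is the search filter rather than the bind, spell it out, e.g. "The Security component escapes the values it inserts into the bind DN and into the user provider's search filter." Second, "the LDAP component does not provide any other escaping" tells readers what is not done but not what they must do; say which inputs need escaping (any user-controlled value interpolated into a DN or search filter when the component is used directly) and that such values must be escaped before the filter string is built. Minor: "prevent the LDAP injection attacks" should read "prevent LDAP injection attacks".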