Omitting %s from LDAP search filter results in corrupt search filter

[Salvoxia]

Syncthing Version

Syncthing version: v1.23.7, AMD64 Docker Container

What Happened

This seems similar to #8899, but for the LDAP search filter.
Configuring an LDAP search filter without the %s placeholder results in a warning message in the log file and a corrupt search filter sent to the LDAP server. Logging in with LDAP fails. I could not find the search filter in the LDAP log files though, but that might be due to the behavior of my LDAP server when receiving a corrupt search filter.

If %s is used in LDAP search filter, everything works.

Does not work:

(memberOf=CN=Syncthing,CN=Users,DC=example,DC=com)

Message in Syncthing log reads

WARNING: LDAP Search: LDAP Result Code 201 "Filter Compile Error": ldap: finished compiling filter with extra at end: %!(EXTRA string=myUser)

Works:

(&(sAMAccountName=%s)(memberOf=CN=Syncthing,CN=Users,DC=example,DC=com))

What Is Expected

If %s is omitted from LDAP search filter, send it as configured without any processing.

Reproduction

• Configure an LDAP search filter without a %s placeholder
• Enable LDAP auth
• Login fails, find warning in Syncthing logs, possibly in LDAP logs depending on LDAP server

[calmh]

While I can agree this could behave better, (memberOf=CN=Syncthing,CN=Users,DC=example,DC=com) isn't a useful search filter -- it just says that there should exist a member of that group, but states nothing about the relation between the group and the user logging in. What's the point?

[Salvoxia]

My scenario is as follows:
LDAP users that are not explicitly granted search privileges cannot see other users.
Since Syncthing performs the search with the user trying to log in instead of an explicit search bind DN, that user can only see itself. So the search filter is only there to ensure correct group membership.
Also, users can bind with user name or mail address, so users can choose whether to log in by user or mail.

The obvious workaround is to use a filter like
(&(|(mail=%s)(cn=%s))(memberOf=CN=Syncthing,CN=Users,DC=example,DC=com)) which works just fine, but given the circumstances overcomplicates things.
I figured I'd report that abnormal behavior anyway.

[Salvoxia]

The obvious workaround is to use a filter like
(&(|(mail=%s)(cn=%s))(memberOf=CN=Syncthing,CN=Users,DC=example,DC=com)) which works just fine

Correction: It seems that multiple uses of %s are not supported in the filter, but it must occur exactly once. All following %s are replaced with %!s(MISSING), resulting in a corrupt filter:
(&(|(mail=myuser@domain.com)(cn=%!s(MISSING)))(memberOf=CN=Syncthing,CN=Users,DC=example,DC=com))