Move ldap search filter escaping into the funcs.py layer.
parent
ac926646ea
commit
a8f302aa9f
@ -1,7 +1,6 @@
|
||||
import random
|
||||
from pickle import dumps, loads
|
||||
from base64 import b64encode, b64decode
|
||||
import re
|
||||
|
||||
import cherrypy
|
||||
import turbogears
|
||||
@ -38,22 +37,6 @@ def utf8_encode(value):
|
||||
value = value.encode('utf-8')
|
||||
return value
|
||||
|
||||
def ldap_search_escape(match):
|
||||
"""Escapes out nasty characters from the ldap search.
|
||||
See RFC 2254."""
|
||||
value = match.group()
|
||||
if (len(value) != 1):
|
||||
return u""
|
||||
|
||||
if value == u"(":
|
||||
return u"\\28"
|
||||
elif value == u")":
|
||||
return u"\\29"
|
||||
elif value == u"\\":
|
||||
return u"\\5c"
|
||||
else:
|
||||
return value
|
||||
|
||||
|
||||
class Root(controllers.RootController):
|
||||
|
||||
@ -159,7 +142,6 @@ class Root(controllers.RootController):
|
||||
uid = kw.get('uid')
|
||||
if uid != None and len(uid) > 0:
|
||||
try:
|
||||
uid = re.sub(r'[\(\)\\]', ldap_search_escape, uid)
|
||||
users = client.find_users(uid.encode('utf-8'))
|
||||
except xmlrpclib.Fault, f:
|
||||
turbogears.flash("User show failed: " + str(f.faultString))
|
||||
|
@ -29,6 +29,7 @@ from types import *
|
||||
import xmlrpclib
|
||||
import ipa.config
|
||||
import os
|
||||
import re
|
||||
|
||||
# Need a global to store this between requests
|
||||
_LDAPPool = None
|
||||
@ -343,7 +344,14 @@ class IPAServer:
|
||||
raise xmlrpclib.Fault(1, e)
|
||||
except ipaserver.ipaldap.NoSuchEntryError:
|
||||
raise xmlrpclib.Fault(2, "No such user")
|
||||
|
||||
|
||||
# TODO: this escaper assumes the python-ldap library will error out
|
||||
# on invalid codepoints. we need to check malformed utf-8 input
|
||||
# where the second byte in a multi-byte character
|
||||
# is (illegally) ')' and make sure python-ldap
|
||||
# bombs out.
|
||||
criteria = re.sub(r'[\(\)\\]', ldap_search_escape, criteria)
|
||||
|
||||
# FIXME: Is this the filter we want or do we want to do searches of
|
||||
# cn as well? Or should the caller pass in the filter?
|
||||
filter = "(|(uid=%s)(cn=%s))" % (criteria, criteria)
|
||||
@ -459,3 +467,20 @@ class IPAServer:
|
||||
return res
|
||||
except ldap.LDAPError, e:
|
||||
raise xmlrpclib.Fault(1, str(e))
|
||||
|
||||
|
||||
def ldap_search_escape(match):
|
||||
"""Escapes out nasty characters from the ldap search.
|
||||
See RFC 2254."""
|
||||
value = match.group()
|
||||
if (len(value) != 1):
|
||||
return ""
|
||||
|
||||
if value == "(":
|
||||
return "\\28"
|
||||
elif value == ")":
|
||||
return "\\29"
|
||||
elif value == "\\":
|
||||
return "\\5c"
|
||||
else:
|
||||
return value
|
||||
|
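Review bot: The escaper applied to `criteria` before it is formatted into `(|(uid=%s)(cn=%s))` only rewrites `(`, `)` and `\`, while RFC 2254, which the docstring cites, also requires `*` (`\2a`) and NUL (`\00`) to be escaped in an assertion value. As written, a `*` supplied by the caller reaches the directory as a wildcard and can widen the match well beyond the literal string. If substring search is meant to be exposed here, a comment next to the `re.sub` call should say so, otherwise extend the character class, e.g. `criteria = re.sub(r'[\(\)\\\*\x00]', ldap_search_escape, criteria)`. The if/elif chain in `ldap_search_escape` can then become `return {"(": "\\28", ")": "\\29", "\\": "\\5c", "*": "\\2a", "\x00": "\\00"}.get(value, value)`. The enclosing method starts outside the hunk, so whether wildcards are added or relied on elsewhere is not visible from here.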