Move ldap search filter escaping into the funcs.py layer.

Kevin McCarthy 2007-08-21 14:26:36 -07:00
parent ac926646ea
commit a8f302aa9f
2 changed files with 26 additions and 19 deletions


@ -1,7 +1,6 @@
import random
from pickle import dumps, loads
from base64 import b64encode, b64decode
import re
import cherrypy
import turbogears
@ -38,22 +37,6 @@ def utf8_encode(value):
value = value.encode('utf-8')
return value
def ldap_search_escape(match):
"""Escapes out nasty characters from the ldap search.
See RFC 2254."""
value = match.group()
if (len(value) != 1):
return u""
if value == u"(":
return u"\\28"
elif value == u")":
return u"\\29"
elif value == u"\\":
return u"\\5c"
else:
return value
class Root(controllers.RootController):
@ -159,7 +142,6 @@ class Root(controllers.RootController):
uid = kw.get('uid')
if uid != None and len(uid) > 0:
try:
uid = re.sub(r'[\(\)\\]', ldap_search_escape, uid)
users = client.find_users(uid.encode('utf-8'))
except xmlrpclib.Fault, f:
turbogears.flash("User show failed: " + str(f.faultString))


@ -29,6 +29,7 @@ from types import *
import xmlrpclib
import ipa.config
import os
import re
# Need a global to store this between requests
_LDAPPool = None
@ -343,7 +344,14 @@ class IPAServer:
raise xmlrpclib.Fault(1, e)
except ipaserver.ipaldap.NoSuchEntryError:
raise xmlrpclib.Fault(2, "No such user")
# TODO: this escaper assumes the python-ldap library will error out
# on invalid codepoints. we need to check malformed utf-8 input
# where the second byte in a multi-byte character
# is (illegally) ')' and make sure python-ldap
# bombs out.
criteria = re.sub(r'[\(\)\\]', ldap_search_escape, criteria)
# FIXME: Is this the filter we want or do we want to do searches of
# cn as well? Or should the caller pass in the filter?
filter = "(|(uid=%s)(cn=%s))" % (criteria, criteria)
@ -459,3 +467,20 @@ class IPAServer:
return res
except ldap.LDAPError, e:
raise xmlrpclib.Fault(1, str(e))
def ldap_search_escape(match):
"""Escapes out nasty characters from the ldap search.
See RFC 2254."""
value = match.group()
if (len(value) != 1):
return ""
if value == "(":
return "\\28"
elif value == ")":
return "\\29"
elif value == "\\":
return "\\5c"
else:
return value
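Review bot: The character class in `re.sub(r'[\(\)\\]', ldap_search_escape, criteria)` leaves `*` and NUL unescaped, although RFC 2254 lists both alongside the parentheses and the backslash, so a `*` in criteria reaches the `(|(uid=%s)(cn=%s))` filter as a wildcard. If substring search is intended here, a comment such as `# '*' is deliberately left unescaped so callers can do wildcard searches` would record that decision; if it is not, the class and the helper need `*` -> `\\2a` and NUL -> `\\00` as well. python-ldap's `ldap.filter.escape_filter_chars(criteria)` covers all five characters and could replace the hand-written helper, assuming the version in use ships that module. The `len(value) != 1` branch in `ldap_search_escape` looks unreachable with a single-character class. The enclosing method starts outside the hunk, so any earlier validation of criteria is not visible here.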