Several escaping fixes:

- illegal dn characters need to be escaped
- null characters in search filters
- dynamicedit.js was double html escaping (the python layer does it already)
Kevin McCarthy
2007-10-05 15:25:58 -07:00
parent 1be00394e3
commit b73f825657
2 changed files with 10 additions and 5 deletions


@@ -22,6 +22,7 @@ sys.path.append("/usr/share/ipa")
import krbV
import ldap
import ldap.dn
import ipaserver.dsinstance
import ipaserver.ipaldap
import ipa.ipautil
@@ -385,7 +386,8 @@ class IPAServer:
if self.__is_user_unique(user['uid'], opts) == 0:
raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
dn="uid=%s,%s,%s" % (user['uid'], user_container,self.basedn)
dn="uid=%s,%s,%s" % (ldap.dn.escape_dn_chars(user['uid']),
user_container,self.basedn)
entry = ipaserver.ipaldap.Entry(dn)
# FIXME: This should be dynamic and can include just about anything
@@ -688,7 +690,8 @@ class IPAServer:
if self.__is_group_unique(group['cn'], opts) == 0:
raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
dn="cn=%s,%s,%s" % (group['cn'], group_container,self.basedn)
dn="cn=%s,%s,%s" % (ldap.dn.escape_dn_chars(group['cn']),
group_container,self.basedn)
entry = ipaserver.ipaldap.Entry(dn)
# some required objectclasses
@@ -1055,5 +1058,7 @@ def ldap_search_escape(match):
elif value == "*":
# drop '*' from input. search performs its own wildcarding
return ""
elif value =='\x00':
return r'\00'
else:
return value
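Review bot: In the user-add and group-add hunks the unescaped `user['uid']` and `group['cn']` are still passed to `__is_user_unique` / `__is_group_unique` on the line before the newly escaped DN is built. Those helpers are outside the hunks; if they interpolate the value into a search filter, it needs filter escaping there (`ldap.filter.escape_filter_chars`, or this file's own `ldap_search_escape`), which is a different encoding from `ldap.dn.escape_dn_chars` and is not covered by this change. It would also help to add a short comment above each DN line, for example `# uid is caller-supplied: escape the RDN value before building the DN`, so later DN construction in this class follows the same pattern. Both enclosing methods start and end outside the visible hunks, so other DN-building sites in the file could not be checked from here.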