Escape search input. Search by uid and cn.

2025-02-25 18:55:28 -06:00 · 2007-08-20 14:23:23 -07:00 · 2007-08-20 14:23:23 -07:00 · f5e30866d1
commit f5e30866d1
parent 6b69d9cc46
3 changed files with 25 additions and 3 deletions
--- a/ipa-server/ipa-gui/ipagui/controllers.py
+++ b/ipa-server/ipa-gui/ipagui/controllers.py
@ -1,6 +1,7 @@
 import random
 from pickle import dumps, loads
 from base64 import b64encode, b64decode
+import re

 import cherrypy
 import turbogears
@ -37,6 +38,22 @@ def utf8_encode(value):
        value = value.encode('utf-8')
    return value

+def ldap_search_escape(match):
+    """Escapes out nasty characters from the ldap search.
+       See RFC 2254."""
+    value = match.group()
+    if (len(value) != 1):
+        return u""
+
+    if value == u"(":
+        return u"\\28"
+    elif value == ")":
+        return u"\\29"
+    elif value == u"\\":
+        return u"\\5c"
+    else:
+        return value
+

 class Root(controllers.RootController):

@ -141,7 +158,12 @@ class Root(controllers.RootController):
        users = None
        uid = kw.get('uid')
        if uid != None and len(uid) > 0:
-            users = client.find_users(uid)
+            try:
+                uid = re.sub(r'[\(\)\\]', ldap_search_escape, uid)
+                users = client.find_users(uid.encode('utf-8'))
+            except xmlrpclib.Fault, f:
+                turbogears.flash("User show failed: " + str(f.faultString))
+                raise turbogears.redirect("/userlist")

        return dict(users=users, fields=forms.user.UserFields())

--- a/ipa-server/ipa-gui/ipagui/templates/userlist.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/userlist.kid
@ -8,7 +8,7 @@
 <body>
    <div id="search">
        <form action="${tg.url('/userlist')}" method="post">
-            Search by uid:
+            Search by login/name:
            <input type="text" name="uid" />
            <input type="submit" />
        </form>
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@ -346,7 +346,7 @@ class IPAServer:
    
        # FIXME: Is this the filter we want or do we want to do searches of
        # cn as well? Or should the caller pass in the filter?
-        filter = "(uid=%s)" % criteria
+        filter = "(|(uid=%s)(cn=%s))" % (criteria, criteria)
        try:
            m1 = _LDAPPool.getConn(self.host,self.port,self.bindca,self.bindcert,self.bindkey,dn)
            results = m1.getList(self.basedn, self.scope, filter, sattrs)