[Freeipa-devel] [PATCH] Move search filter into funcs.py layer

Kevin McCarthy kmccarth at redhat.com
Tue Aug 21 21:27:37 UTC 2007


This moves search filter escaping into the funcs.py layer so that xmlrpc and
turbogears both get it.

Added a TODO - we need to make sure no one can sneak an illegal
character past using illegal utf-8.

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1187731596 25200
# Node ID 73408239806672d3b337e569412e18f0f63d2b49
# Parent  28fd4e8ec3341d4da11383f439a0286b1c36b2ec
Move ldap search filter escaping into the funcs.py layer.

diff -r 28fd4e8ec334 -r 734082398066 ipa-server/ipa-gui/ipagui/controllers.py
--- a/ipa-server/ipa-gui/ipagui/controllers.py	Tue Aug 21 13:54:30 2007 -0700
+++ b/ipa-server/ipa-gui/ipagui/controllers.py	Tue Aug 21 14:26:36 2007 -0700
@@ -1,7 +1,6 @@ import random
 import random
 from pickle import dumps, loads
 from base64 import b64encode, b64decode
-import re
 
 import cherrypy
 import turbogears
@@ -37,22 +36,6 @@ def utf8_encode(value):
     if value != None:
         value = value.encode('utf-8')
     return value
-
-def ldap_search_escape(match):
-    """Escapes out nasty characters from the ldap search.
-       See RFC 2254."""
-    value = match.group()
-    if (len(value) != 1):
-        return u""
-
-    if value == u"(":
-        return u"\\28"
-    elif value == u")":
-        return u"\\29"
-    elif value == u"\\":
-        return u"\\5c"
-    else:
-        return value
 
 
 class Root(controllers.RootController):
@@ -159,7 +142,6 @@ class Root(controllers.RootController):
         uid = kw.get('uid')
         if uid != None and len(uid) > 0:
             try:
-                uid = re.sub(r'[\(\)\\]', ldap_search_escape, uid)
                 users = client.find_users(uid.encode('utf-8'))
             except xmlrpclib.Fault, f:
                 turbogears.flash("User show failed: " + str(f.faultString))
diff -r 28fd4e8ec334 -r 734082398066 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Tue Aug 21 13:54:30 2007 -0700
+++ b/ipa-server/xmlrpc-server/funcs.py	Tue Aug 21 14:26:36 2007 -0700
@@ -29,6 +29,7 @@ import xmlrpclib
 import xmlrpclib
 import ipa.config
 import os
+import re
 
 # Need a global to store this between requests
 _LDAPPool = None
@@ -343,7 +344,14 @@ class IPAServer:
             raise xmlrpclib.Fault(1, e)
         except ipaserver.ipaldap.NoSuchEntryError:
             raise xmlrpclib.Fault(2, "No such user")
-    
+
+        # TODO: this escaper assumes the python-ldap library will error out
+        #       on invalid codepoints.  we need to check malformed utf-8 input
+        #       where the second byte in a multi-byte character
+        #       is (illegally) ')' and make sure python-ldap
+        #       bombs out.
+        criteria = re.sub(r'[\(\)\\]', ldap_search_escape, criteria)
+
         # FIXME: Is this the filter we want or do we want to do searches of
         # cn as well? Or should the caller pass in the filter?
         filter = "(|(uid=%s)(cn=%s))" % (criteria, criteria)
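Review bot: The character class `[\(\)\\]` in the added `re.sub` line leaves `*` unescaped, so user-supplied criteria can still turn the exact-match filter built on the next line into a substring or presence search; RFC 2254 section 4 lists `*` (`\2a`) and NUL (`\00`) alongside `(`, `)` and `\` as the characters to escape. If wildcards are not an intended feature of find_users, widen the class to `r'[\(\)\\\*\x00]'` and add the matching two cases to `ldap_search_escape` in the last hunk of this file. The TODO above can be closed at this boundary instead of deferred to python-ldap: if `criteria` arrives as a byte string, `criteria.decode('utf-8')` raises `UnicodeDecodeError` on malformed sequences (strict is the default), so a `try`/`except` around it that raises `xmlrpclib.Fault(1, "criteria is not valid UTF-8")` rejects bad input before any filter is built. The enclosing method starts before this hunk.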
@@ -459,3 +467,20 @@ class IPAServer:
             return res
         except ldap.LDAPError, e:
             raise xmlrpclib.Fault(1, str(e))
+
+
+def ldap_search_escape(match):
+    """Escapes out nasty characters from the ldap search.
+    See RFC 2254."""
+    value = match.group()
+    if (len(value) != 1):
+        return ""
+
+    if value == "(":
+        return "\\28"
+    elif value == ")":
+        return "\\29"
+    elif value == "\\":
+        return "\\5c"
+    else:
+        return value
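Review bot: The `len(value) != 1` guard in `ldap_search_escape` is unreachable with the single-character class the caller passes, and returning `""` there would silently drop input rather than escape it if the pattern were ever widened; a lookup table has no such branch and reads clearer: `_LDAP_ESCAPES = {"(": "\\28", ")": "\\29", "\\": "\\5c"}` followed by `return _LDAP_ESCAPES.get(match.group(), match.group())`. The docstring should also state the calling convention, e.g. `"""re.sub callback: hex-escape one LDAP filter metacharacter (RFC 2254, obsoleted by RFC 4515)."""`.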

