Escape DN in enabled query

Values in LDAP filter strings need to be escaped. The DN in the
enabled query wasn't being escaped, so it could result in an invalid
query being performed.

Closes-Bug: 1532345
Change-Id: Ia97297b5919351f4710ab39af6f3be9623a83976
(cherry picked from commit eeddfb8ffa)
Brant Knudson 2015-12-29 17:54:30 -06:00
parent 690191d21d
commit 1f37f71088
2 changed files with 5 additions and 4 deletions


@ -1823,7 +1823,8 @@ class EnabledEmuMixIn(BaseLdap):
def _get_enabled(self, object_id, conn):
dn = self._id_to_dn(object_id)
query = '(%s=%s)' % (self.member_attribute, dn)
query = '(%s=%s)' % (self.member_attribute,
ldap.filter.escape_filter_chars(dn))
try:
enabled_value = conn.search_s(self.enabled_emulation_dn,
ldap.SCOPE_BASE,
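Review bot: The new `query` assignment would benefit from a comment saying why a value that is already a DN is passed through `escape_filter_chars`. DN syntax and filter syntax have different special characters, and an unescaped `*`, `(`, `)` or `\` in the assertion value changes how the server parses the filter, not only whether the filter is valid. A line such as `# dn is used as a filter assertion value; escape filter metacharacters (RFC 4515)` above the assignment would do. The hunk shows no import change, so it is worth confirming the module already has `import ldap.filter`, since `import ldap` alone may not load the submodule. `_get_enabled` continues past the end of the hunk.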


@ -2297,17 +2297,17 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
# ) is a special char in a filter and must be escaped.
sample_dn = 'cn=foo)bar'
# LDAP requires ) is escaped by being replaced with "\29"
sample_dn_filter_esc = r'cn=foo\29bar'
# Override the tree_dn, it's used to build the enabled member filter
mixin_impl.tree_dn = sample_dn
# The filter that _get_enabled is going to build contains the
# tree_dn, which better be escaped in this case.
# Note that the tree_dn isn't escaped and will lead to an invalid
# filter! See bug 1532345.
exp_filter = '(%s=%s=%s,%s)' % (
mixin_impl.member_attribute, mixin_impl.id_attr, object_id,
sample_dn)
sample_dn_filter_esc)
with mixin_impl.get_connection() as conn:
m = self.useFixture(mockpatch.PatchObject(conn, 'search_s')).mock
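Review bot: The test exercises only `)`, which produces a filter the server would reject. A `*` in the DN is the case where a missing escape goes unnoticed, because the filter stays valid and silently becomes a substring match. Consider a second sample such as `sample_dn = 'cn=foo*bar'` with the expected value `r'cn=foo\2abar'` (constructed example), or looping over `*`, `(`, `)` and `\`. The test method starts outside the hunk and appears to continue past it.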