Escape DN in enabled query

Values in LDAP filter strings need to be escaped. The DN in the
enabled query wasn't being escaped, so it could cause an invalid
query to be sent.

Closes-Bug: 1532345
Change-Id: Ia97297b5919351f4710ab39af6f3be9623a83976
Brant Knudson 2015-12-29 17:54:30 -06:00
parent 0cb49925e4
commit eeddfb8ffa
2 changed files with 5 additions and 4 deletions


@ -1826,7 +1826,8 @@ class EnabledEmuMixIn(BaseLdap):
def _get_enabled(self, object_id, conn):
dn = self._id_to_dn(object_id)
query = '(%s=%s)' % (self.member_attribute, dn)
query = '(%s=%s)' % (self.member_attribute,
ldap.filter.escape_filter_chars(dn))
try:
enabled_value = conn.search_s(self.enabled_emulation_dn,
ldap.SCOPE_BASE,
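Review bot: The new `query` assignment has no comment saying why filter escaping is applied to a DN, so a later edit could drop it or replace it with DN escaping. `dn` is built from `object_id` via `_id_to_dn`, so if that id can ever contain filter metacharacters such as `(`, `)`, `*` or `\`, the unescaped form may match a different entry than intended, not just fail as invalid. I would add `# dn is a filter assertion value here: apply RFC 4515 filter escaping, not DN escaping` above the assignment. The hunk does not show the module's imports, so confirm `ldap.filter` is imported explicitly rather than assumed to come with `import ldap`. `_get_enabled` continues past the end of the hunk.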


@ -2253,17 +2253,17 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
# ) is a special char in a filter and must be escaped.
sample_dn = 'cn=foo)bar'
# LDAP requires ) is escaped by being replaced with "\29"
sample_dn_filter_esc = r'cn=foo\29bar'
# Override the tree_dn, it's used to build the enabled member filter
mixin_impl.tree_dn = sample_dn
# The filter that _get_enabled is going to build contains the
# tree_dn, which better be escaped in this case.
# Note that the tree_dn isn't escaped and will lead to an invalid
# filter! See bug 1532345.
exp_filter = '(%s=%s=%s,%s)' % (
mixin_impl.member_attribute, mixin_impl.id_attr, object_id,
sample_dn)
sample_dn_filter_esc)
with mixin_impl.get_connection() as conn:
m = self.useFixture(mockpatch.PatchObject(conn, 'search_s')).mock