Escape values in LDAP search filters

LDAP search filter strings need to have special characters escaped in order to be valid. There were some places where filter strings were constructed where the value was not escaped. Change-Id: Ib7870bc92d3af9066bb15e863cac4abd06f00768 Related-Bug: #1302106
2014-04-13 19:10:14 -05:00 · 2014-04-13 19:10:14 -05:00 · f32e86f1f5
parent e170988123
commit f32e86f1f5
2 changed files with 11 additions and 3 deletions
--- a/keystone/assignment/backends/ldap.py
+++ b/keystone/assignment/backends/ldap.py
@ -16,6 +16,7 @@ from __future__ import absolute_import
 import uuid

 import ldap as ldap
+import ldap.filter

 from keystone import assignment
 from keystone import clean
@ -558,7 +559,8 @@ class RoleApi(common_ldap.BaseLdap):
        return res

    def list_global_roles_for_user(self, user_dn):
-        roles = self.get_all('(%s=%s)' % (self.member_attribute, user_dn))
+        user_dn_esc = ldap.filter.escape_filter_chars(user_dn)
+        roles = self.get_all('(%s=%s)' % (self.member_attribute, user_dn_esc))
        return [UserRoleAssociation(
                role_dn=role.dn,
                user_dn=user_dn) for role in roles]
@ -604,8 +606,9 @@ class RoleApi(common_ldap.BaseLdap):

    def delete(self, role_id, tenant_dn):
        conn = self.get_connection()
+        role_id_esc = ldap.filter.escape_filter_chars(role_id)
        query = '(&(objectClass=%s)(%s=%s))' % (self.object_class,
-                                                self.id_attr, role_id)
+                                                self.id_attr, role_id_esc)
        try:
            # RFC 4511 (The LDAP Protocol) defines a list containing only the
            # OID "1.1" as indicating that no attributes should be returned.
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@ -937,8 +937,13 @@ class BaseLdap(object):
        conn = self.get_connection()
        query = u'(objectClass=%s)' % self.object_class
        if query_params:
+
+            def calc_filter(attrname, value):
+                val_esc = ldap.filter.escape_filter_chars(value)
+                return '(%s=%s)' % (attrname, val_esc)
+
            query = (u'(&%s%s)' %
-                     (query, ''.join(['(%s=%s)' % (k, v) for k, v in
+                     (query, ''.join([calc_filter(k, v) for k, v in
                                      six.iteritems(query_params)])))
        try:
            return conn.search_s(search_base, scope, query, attrlist)