Escape values in LDAP search filters
LDAP search filter strings need to have special characters escaped in order to be valid. There were some places where filter strings were constructed where the value was not escaped. Change-Id: Ib7870bc92d3af9066bb15e863cac4abd06f00768 Related-Bug: #1302106
parent
e170988123
commit
f32e86f1f5
|
@ -16,6 +16,7 @@ from __future__ import absolute_import
|
|||
import uuid
|
||||
|
||||
import ldap as ldap
|
||||
import ldap.filter
|
||||
|
||||
from keystone import assignment
|
||||
from keystone import clean
|
||||
|
@ -558,7 +559,8 @@ class RoleApi(common_ldap.BaseLdap):
|
|||
return res
|
||||
|
||||
def list_global_roles_for_user(self, user_dn):
|
||||
roles = self.get_all('(%s=%s)' % (self.member_attribute, user_dn))
|
||||
user_dn_esc = ldap.filter.escape_filter_chars(user_dn)
|
||||
roles = self.get_all('(%s=%s)' % (self.member_attribute, user_dn_esc))
|
||||
return [UserRoleAssociation(
|
||||
role_dn=role.dn,
|
||||
user_dn=user_dn) for role in roles]
|
||||
|
@ -604,8 +606,9 @@ class RoleApi(common_ldap.BaseLdap):
|
|||
|
||||
def delete(self, role_id, tenant_dn):
|
||||
conn = self.get_connection()
|
||||
role_id_esc = ldap.filter.escape_filter_chars(role_id)
|
||||
query = '(&(objectClass=%s)(%s=%s))' % (self.object_class,
|
||||
self.id_attr, role_id)
|
||||
self.id_attr, role_id_esc)
|
||||
try:
|
||||
# RFC 4511 (The LDAP Protocol) defines a list containing only the
|
||||
# OID "1.1" as indicating that no attributes should be returned.
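Review bot: The escaping in `list_global_roles_for_user` and `delete` is applied by hand at each call site, which is the same pattern that let unescaped values through before this change. python-ldap's `ldap.filter.filter_format` escapes every substituted value in one call, so the query in `delete` could be built as `query = ldap.filter.filter_format('(&(objectClass=%s)(%s=%s))', [self.object_class, self.id_attr, role_id])`, and the `user_dn` filter the same way. In `list_global_roles_for_user` a short comment would help, because the escaped copy is used only for the filter while `UserRoleAssociation` keeps the raw `user_dn`: `# escape for the search filter only; the association stores the unescaped DN`. The body of `delete` continues past the end of the hunk, so how `tenant_dn` is used there is not visible here.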
|
||||
|
|
|
@ -937,8 +937,13 @@ class BaseLdap(object):
|
|||
conn = self.get_connection()
|
||||
query = u'(objectClass=%s)' % self.object_class
|
||||
if query_params:
|
||||
|
||||
def calc_filter(attrname, value):
|
||||
val_esc = ldap.filter.escape_filter_chars(value)
|
||||
return '(%s=%s)' % (attrname, val_esc)
|
||||
|
||||
query = (u'(&%s%s)' %
|
||||
(query, ''.join(['(%s=%s)' % (k, v) for k, v in
|
||||
(query, ''.join([calc_filter(k, v) for k, v in
|
||||
six.iteritems(query_params)])))
|
||||
try:
|
||||
return conn.search_s(search_base, scope, query, attrlist)
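Review bot: `calc_filter` passes `value` straight to `ldap.filter.escape_filter_chars`, which expects a string. A non-string entry in `query_params` (an int or a boolean, if any caller passes one) would therefore raise, where the old `'(%s=%s)' % (k, v)` formatting stringified it. Converting first keeps the previous behaviour: `val_esc = ldap.filter.escape_filter_chars(six.text_type(value))`. The attribute name `attrname` is still interpolated unescaped, which is safe only if the keys of `query_params` never come from request input. That cannot be confirmed from this hunk, because the enclosing method starts and ends outside it.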
|
||||
|
|