[python-ldap] function for escaping/validation of attribute name

John Dennis jdennis at redhat.com
Tue Dec 16 17:12:49 CET 2014


On 12/16/2014 09:46 AM, Space One wrote:
> Hello John,
> 
> yes, I am aware of this function but the function works only for the
> ldap filter value and not for the attribute name. Internally
> ldap.filter.filter_format() uses already ldap.filter.escape_filter_chars().
> I will still receive a FILTER_ERROR when using e.g. '%s=%s' %
> (ldap.filter.escape_filter_chars(attributename), '*').

Sorry, I missed the fact you were trying to escape the attribute type
(i.e. the name of the attribute). To the best of my knowledge there is
no such concept. Either the attribute type is legal or it's not. The RFC
you pointed to specifies the legal string format. You need to write a
regular expression that validates that format and if the user input does
not match you need to raise an error.

Off the top of my head I think it would look like this (not tested):

import re

# descriptor form: a letter, then letters, digits, hyphens or ';' (options)
attr_type_re = re.compile(r'^[a-z][a-z0-9;-]*$', re.IGNORECASE)

if attr_type_re.search(user_input) is None:
    raise ValueError("Invalid LDAP attribute name: %s" % user_input)

It's also legal to specify an attribute type using an OID which is a
sequence of non-negative integers separated by a dot. I'll leave the
construction of that regular expression as an exercise should you wish
to also allow the use of OIDs.

> Am 16.12.2014 um 15:42 schrieb John Dennis:
>> On 12/16/2014 08:03 AM, Space One wrote:
>>> Hello,
>>>
>>> Currently there is no function to properly escape or validate attribute
>>> names. Using e.g. ldap.filter.filter_format can e.g. produce broken ldap
>>> filter and ldap search string injections.
>>>
>>> ######## code snippet #############
>>> import ldap
>>> import ldap.filter
>>>
>>> lo = ldap.initialize(uri)
>>> lo.simple_bind_s(binddn, bindpw)
>>>
>>> user_input = 'MyAttributeInput|*&'
>>> filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])
>>>
>>> lo.search_ext_s('dc=foo,dc=bar', ldap.SCOPE_BASE, filter)
>>> ###############################
>>> → raises (of course) FILTER_ERROR: {'desc': 'Bad search filter'}
>>>
>>> How can I protect against user search string injections?
>>> My current attempt is to strip out everything which does not fulfill the
>>> python-regex r'^[\w\d\-;]+$'.
>>> I am not sure if this is valid, it protects for the first time. Related
>>> to the attribute syntax I only found: https://www.ietf.org/rfc/rfc2252.txt
>>>
>>> There seems not to be a function in python-ldap which covers this use case.
>> ldap.filter.escape_filter_chars()
>>
>> http://www.python-ldap.org/doc/html/ldap-filter.html
>>
>>
> 


-- 
John
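The two-part approach described in this thread, validating the attribute type against a whitelist pattern and escaping only the assertion value, worked through as an added example; this is not code from the thread or from python-ldap. It follows the descriptor regex above, adds the numeric-OID form John mentions (digits separated by dots), and uses `re.fullmatch` rather than `$`, since `$` also matches before a trailing newline. The local `escape_filter_chars` fallback is an assumption used only so the example runs without python-ldap installed; when the library is present its own `ldap.filter.escape_filter_chars` is used.

```python
import re

try:
    # python-ldap's own escaping for filter assertion *values* (not names)
    from ldap.filter import escape_filter_chars
except ImportError:  # fallback so the example also runs without python-ldap
    def escape_filter_chars(value):
        # RFC 4515 escaping: backslash must be replaced first
        for ch, code in (('\\', r'\5c'), ('*', r'\2a'), ('(', r'\28'),
                         (')', r'\29'), ('\x00', r'\00')):
            value = value.replace(ch, code)
        return value

# Descriptor form: a letter, then letters/digits/hyphens, with optional
# ';option' suffixes (e.g. "userCertificate;binary").
_DESCR_RE = re.compile(r'[a-z][a-z0-9-]*(;[a-z0-9-]+)*', re.IGNORECASE)
# Numeric OID form: non-negative integers separated by dots (e.g. "2.5.4.3"),
# also allowing ';option' suffixes.
_OID_RE = re.compile(r'[0-9]+(\.[0-9]+)*(;[a-z0-9-]+)*', re.IGNORECASE)


def is_valid_attribute_type(name):
    """True if *name* is a syntactically legal attribute description.

    fullmatch() anchors both ends, so a trailing newline does not slip
    through the way it would with '^...$'.
    """
    return bool(_DESCR_RE.fullmatch(name) or _OID_RE.fullmatch(name))


def validate_attribute_type(name):
    """Whitelist check: return *name* unchanged or raise ValueError."""
    if not is_valid_attribute_type(name):
        raise ValueError("Invalid LDAP attribute name: %r" % (name,))
    return name


def build_equality_filter(attr, value):
    """'(attr=value)' with the name validated and the value escaped."""
    return '(%s=%s)' % (validate_attribute_type(attr),
                        escape_filter_chars(value))


def build_presence_filter(attr):
    """'(attr=*)': the '*' is the presence operator here, so it must NOT be
    escaped; only the attribute name is checked."""
    return '(%s=*)' % validate_attribute_type(attr)


if __name__ == '__main__':
    # constructed inputs, including the one from the original report
    for candidate in ('cn', 'userCertificate;binary', '2.5.4.3',
                      'MyAttributeInput|*&', 'my_attr', 'cn\n'):
        print('%-22r valid=%s' % (candidate, is_valid_attribute_type(candidate)))
    print(build_equality_filter('cn', 'a*b(c)'))
    try:
        build_presence_filter('MyAttributeInput|*&')
    except ValueError as exc:
        print('rejected:', exc)
```

Note the split of responsibilities: `escape_filter_chars` never makes an attribute name safe, because a name has no escape syntax; the only defence there is rejecting anything outside the grammar. For the value side, `build_presence_filter` exists precisely because escaping `*` would turn the presence test into a literal match for an asterisk.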

