[python-ldap] function for escaping/validation of attribute name
Michael Ströder
michael at stroeder.com
Tue Dec 16 19:51:48 CET 2014
Space One wrote:
> filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])
You're misusing these functions.
1. ldap.filter.escape_filter_chars() was never meant to escape anything else
than the AttributeValueAssertion defined in RFC 4515, especially since there
are several modes of escaping. At least escape_mode=2 would certainly break
AttributeDescription (see RFC 4515).
Examples:
>>> ldap.filter.escape_filter_chars('foo',escape_mode=0)
'foo'
>>> ldap.filter.escape_filter_chars('foo',escape_mode=1)
'foo'
>>> ldap.filter.escape_filter_chars('foo',escape_mode=2)
>>> ldap.filter.escape_filter_chars('foo-bar;binary',escape_mode=0)
'foo-bar;binary'
>>> ldap.filter.escape_filter_chars('foo-bar;binary',escape_mode=1)
'foo\\2dbar;binary'
>>> ldap.filter.escape_filter_chars('foo-bar;binary',escape_mode=2)
'\\66\\6f\\6f\\2d\\62\\61\\72\\3b\\62\\69\\6e\\61\\72\\79'
2. Nevertheless ldap.filter.filter_format() (currently always using
escape_mode=0) does exactly what you're telling it to do, it correctly escapes
the '*':
>>> ldap.filter.filter_format('(%s=%s)', ['foo', '*'])
'(foo=\\2a)'
If you'd like to construct a filter like '(foo=*)' you would have to use:
>>> ldap.filter.filter_format('(%s=*)', ['foo'])
'(foo=*)'
3. You should always have decent input validation anyway. Read the RFCs for
what's valid where.
Ciao, Michael.
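As an added illustration (not python-ldap's own code, only a stand-alone reimplementation of the behaviour the examples above show), the following separates the two concerns Michael describes: the three escape modes and filter_format() handle assertion values per RFC 4515, while a separate RFC 4512 AttributeDescription check, which python-ldap itself does not provide, validates attribute names before they go into a filter template. The regex and the helper names is_attribute_description() and equality_filter() are my own.

```python
import re

# RFC 4512 AttributeDescription grammar (syntax only, no schema lookup):
#   attributedescription = oid *( ";" option )
#   oid = descr / numericoid ; descr = ALPHA *( ALPHA / DIGIT / "-" )
#   numericoid = number 1*( "." number ) ; option = 1*( ALPHA / DIGIT / "-" )
_DESCR = r"[A-Za-z][A-Za-z0-9-]*"
_NUMERICOID = r"(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+"
_ATTRIBUTE_DESCRIPTION = re.compile(
    rf"^(?:{_DESCR}|{_NUMERICOID})(?:;[A-Za-z0-9-]+)*$"
)


def is_attribute_description(s):
    """True if s is a syntactically valid RFC 4512 AttributeDescription."""
    return bool(_ATTRIBUTE_DESCRIPTION.match(s))


def escape_filter_chars(assertion_value, escape_mode=0):
    """Escape an RFC 4515 assertion value; reimplements the three modes
    shown in the mail (this is not python-ldap's code)."""
    if escape_mode == 0:
        # Only the characters RFC 4515 requires to be escaped.
        out = assertion_value.replace("\\", r"\5c")
        for ch, code in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
            out = out.replace(ch, code)
        return out
    if escape_mode == 1:
        # Additionally hex-escapes anything outside '0'..'z', e.g. '-'.
        return "".join(
            "\\%02x" % ord(c) if c < "0" or c > "z" or c in "\\*()" else c
            for c in assertion_value
        )
    if escape_mode == 2:
        # Every character hex-escaped; breaks attribute names, hence the check above.
        return "".join("\\%02x" % ord(c) for c in assertion_value)
    raise ValueError("escape_mode must be 0, 1 or 2")


def filter_format(filter_template, assertion_values):
    """Substitute escaped (mode 0) values into the %s slots of a trusted template."""
    return filter_template % tuple(escape_filter_chars(v) for v in assertion_values)


def equality_filter(attr, value, present=False):
    """Build '(attr=value)' or, with present=True, '(attr=*)'; the attribute
    name is validated, the value is escaped."""
    if not is_attribute_description(attr):
        raise ValueError("invalid attribute description: %r" % attr)
    if present:
        return filter_format("(%s=*)" % attr, [])
    return filter_format("(%s=%%s)" % attr, [value])
```

Calling equality_filter("foo=*", "x") raises ValueError instead of letting a user-supplied attribute name rewrite the filter, while equality_filter("foo", "*") still yields the escaped '(foo=\2a)' from the mail.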