[python-ldap] function for escaping/validation of attribute name

SpaceOne space at wechall.net
Thu Dec 18 22:12:07 CET 2014


Hello John,

thanks a lot, your answer is exactly what I was searching for!

Hello Michael,

Thanks, I understood your point. The solution from John helped me.

Best regards
Space One

On 16.12.2014 17:12, John Dennis wrote:
> On 12/16/2014 09:46 AM, Space One wrote:
>> Hello John,
>>
>> yes, I am aware of this function but the function works only for the
>> ldap filter value and not for the attribute name. Internally
>> ldap.filter.filter_format() uses already ldap.filter.escape_filter_chars().
>> I will still receive a FILTER_ERROR when using e.g. '%s=%s' %
>> (ldap.filter.escape_filter_chars(attributename), '*').
> Sorry, I missed the fact you were trying to escape the attribute type
> (i.e. the name of the attribute). To the best of my knowledge there is
> no such concept. Either the attribute type is legal or it's not. The RFC
> you pointed specifies the legal string format. You need to write a
> regular expression that validates that format and if the user input does
> not match you need to raise an error.
>
> Off the top of my head I think it would look like this (not tested):
>
> import re
>
> attr_type_re = re.compile(r'^[a-z][a-z0-9;-]*$', re.IGNORECASE)
>
> if attr_type_re.search(user_input) is None:
>     raise ValueError("Invalid LDAP attribute name: %s" % user_input)
>
> It's also legal to specify an attribute type using an OID which is a
> sequence of non-negative integers separated by a dot. I'll leave the
> construction of that regular expression as an exercise should you wish
> to also allow the use of OID's.
>
>> On 16.12.2014 at 15:42, John Dennis wrote:
>>> On 12/16/2014 08:03 AM, Space One wrote:
>>>> Hello,
>>>>
>>>> Currently there is no function to properly escape or validate attribute
>>>> names. Using e.g. ldap.filter.filter_format can e.g. produce broken ldap
>>>> filter and ldap search string injections.
>>>>
>>>> ######## code snippet #############
>>>> import ldap
>>>> import ldap.filter
>>>>
>>>> lo = ldap.initialize(uri)
>>>> lo.simple_bind_s(binddn, bindpw)
>>>>
>>>> user_input = 'MyAttributeInput|*&'
>>>> filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])
>>>>
>>>> lo.search_ext_s('dc=foo,dc=bar', ldap.SCOPE_BASE, filter)
>>>> ###############################
>>>> → raises (of course) FILTER_ERROR: {'desc': 'Bad search filter'}
>>>>
>>>> How can I protect against user search string injections?
>>>> My current attempt is to strip out everything which does not fulfill the
>>>> python-regex r'^[\w\d\-;]+$'.
>>>> I am not sure if this is valid, it protects for the first time. Related
>>>> to the attribute syntax I only found: https://www.ietf.org/rfc/rfc2252.txt
>>>>
>>>> There seems not to be a function in python-ldap which covers this use case.
>>> ldap.filter.escape_filter_chars()
>>>
>>> http://www.python-ldap.org/doc/html/ldap-filter.html
>>>
>>>
>
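The approach John describes (validate the attribute type against the RFC grammar, escape only the assertion value) worked out as an added example; this is not code from the thread or from python-ldap. The attribute-description regex is written from the RFC 4512 grammar (the successor of the RFC 2252 text cited above) and also accepts numeric OIDs and ";options". The small escape table follows RFC 4515 and does the same job as python-ldap's ldap.filter.escape_filter_chars(); it is reimplemented here so the module runs without python-ldap installed. All function names and the sample inputs are constructed for this example.

```python
"""Validate LDAP attribute descriptions and escape assertion values before
building a search filter, so that user input can neither break the filter
nor inject additional filter components.

Added example; not part of the python-ldap thread or library.
"""
import re

# RFC 4512: keystring = leadkeychar *keychar ; leadkeychar = ALPHA ;
#           keychar = ALPHA / DIGIT / HYPHEN
_KEYSTRING = r"[A-Za-z][A-Za-z0-9-]*"
# RFC 4512: numericoid = number 1*( DOT number ) ; number = DIGIT / ( LDIGIT 1*DIGIT )
_NUMBER = r"(?:0|[1-9][0-9]*)"
_NUMERICOID = r"%s(?:\.%s)+" % (_NUMBER, _NUMBER)
# RFC 4512: attributedescription = attributetype options ;
#           options = *( SEMI option ) ; option = 1*keychar
_OPTION = r"[A-Za-z0-9-]+"
# \A and \Z instead of ^ and $: "$" would still match "cn\n".
ATTR_DESC_RE = re.compile(r"\A(?:%s|%s)(?:;%s)*\Z" % (_KEYSTRING, _NUMERICOID, _OPTION))

# RFC 4515 characters that must be escaped inside an assertion value
# (same set python-ldap's escape_filter_chars() handles by default).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def is_valid_attribute_type(name):
    """True if *name* is a syntactically legal attribute description."""
    return bool(ATTR_DESC_RE.match(name))


def validate_attribute_type(name):
    """Return *name* unchanged, or raise ValueError if it is not a legal
    attribute description. This is validation, not escaping: there is no
    escape syntax for attribute types, so illegal input is rejected outright."""
    if not is_valid_attribute_type(name):
        raise ValueError("Invalid LDAP attribute type: %r" % (name,))
    return name


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_equality_filter(attr, value):
    """Build '(attr=value)' with the attribute validated and the value escaped."""
    return "(%s=%s)" % (validate_attribute_type(attr), escape_filter_value(value))


def build_presence_filter(attr):
    """Build '(attr=*)'. The wildcard is written by this code, never taken from
    input; passing '*' as a value to build_equality_filter() would (correctly)
    escape it to '\\2a' and match the literal character instead."""
    return "(%s=*)" % validate_attribute_type(attr)


if __name__ == "__main__":
    # Constructed inputs; the first one is the value used in the thread.
    for candidate in ("MyAttributeInput|*&", "cn", "userCertificate;binary", "2.5.4.3"):
        print("%-25s valid=%s" % (candidate, is_valid_attribute_type(candidate)))
    print(build_equality_filter("cn", "a*(b)"))   # (cn=a\2a\28b\29)
    print(build_presence_filter("mail"))           # (mail=*)
```

The split matters: the attribute type goes through validate_attribute_type() and is rejected when illegal, while the value goes through escape_filter_value() and is always accepted. Stripping "bad" characters from the attribute name, as the first message proposed, silently turns one attribute name into another; raising an error keeps the caller aware that the input was not what it expected.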