[python-ldap] function for escaping/validation of attribute name
Space One
space at wechall.net
Tue Dec 16 14:03:26 CET 2014
Hello,
Currently there is no function to properly escape or validate attribute
names. Using e.g. ldap.filter.filter_format can produce broken LDAP
filters and allow LDAP search string injection.
######## code snippet #############
import ldap
import ldap.filter
# uri, binddn and bindpw stand for the connection details of the directory being queried
lo = ldap.initialize(uri)
lo.simple_bind_s(binddn, bindpw)
# attacker-controlled input used as the *attribute name*, which filter_format does not escape
user_input = 'MyAttributeInput|*&'
filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])
lo.search_ext_s('dc=foo,dc=bar', ldap.SCOPE_BASE, filter)
###############################
→ raises (of course) FILTER_ERROR: {'desc': 'Bad search filter'}
How can I protect against user search string injections?
My current attempt is to strip out everything which does not match the
Python regex r'^[\w\d\-;]+$'.
I am not sure if this is valid, but it protects for the first time. Regarding
the attribute syntax I only found: https://www.ietf.org/rfc/rfc2252.txt
There seems to be no function in python-ldap which covers this use case.
best regards
Space
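As an added example (not part of the post above and not python-ldap's own code), the following validator allowlists attribute names against the AttributeDescription grammar from RFC 2252 / RFC 4512 (a descriptor starting with a letter, or a dotted numeric OID, followed by optional ";"-separated options) and only then substitutes the name into a filter, while the assertion value is escaped the way ldap.filter.escape_filter_chars does (RFC 4515). It also keeps the poster's regex r'^[\w\d\-;]+$' alongside, so the difference between the two is visible: the posted pattern additionally admits underscores, leading digits and bare semicolons, which the RFC grammar does not. Function and exception names are this example's own choices; the escaping is reimplemented here so the block runs without python-ldap installed.

```python
import re

# Grammar per RFC 2252 / RFC 4512 (assumption: both descriptor and numeric
# OID forms of the attribute type are accepted, plus ";"-separated options):
#   descr      = ALPHA *( ALPHA / DIGIT / "-" )
#   numericoid = number 1*( "." number )      number = "0" / nonzero-digit *DIGIT
#   option     = 1*( ALPHA / DIGIT / "-" )
#   attributedescription = ( descr / numericoid ) *( ";" option )
_DESCR = r"[A-Za-z][A-Za-z0-9-]*"
_NUMBER = r"(?:0|[1-9][0-9]*)"
_NUMERICOID = r"%s(?:\.%s)+" % (_NUMBER, _NUMBER)
_OPTION = r"[A-Za-z0-9-]+"
_ATTR_DESC_RE = re.compile(r"\A(?:%s|%s)(?:;%s)*\Z" % (_DESCR, _NUMERICOID, _OPTION))

# The poster's proposed pattern, kept here only for comparison.
_POSTED_RE = re.compile(r"^[\w\d\-;]+$")


class InvalidAttributeName(ValueError):
    """Raised when a string is not a syntactically valid LDAP attribute description."""


def validate_attribute_name(name):
    """Return `name` unchanged if it is a valid attribute description, else raise.

    This is an allowlist check: anything outside the RFC grammar (spaces, '|',
    '*', '&', '(', ')', '=', '\\', leading digits, underscores, ...) is rejected,
    so the name can be placed into a filter string verbatim.
    """
    if not isinstance(name, str) or _ATTR_DESC_RE.match(name) is None:
        raise InvalidAttributeName("not a valid LDAP attribute description: %r" % (name,))
    return name


def is_valid_attribute_name(name):
    try:
        validate_attribute_name(name)
    except InvalidAttributeName:
        return False
    return True


def posted_regex_accepts(name):
    """What the poster's r'^[\\w\\d\\-;]+$' would let through."""
    return _POSTED_RE.match(name) is not None


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 (same characters python-ldap's
    ldap.filter.escape_filter_chars escapes in its default mode)."""
    value = value.replace("\\", "\\5c")  # backslash first, so later escapes are not doubled
    value = value.replace("*", "\\2a")
    value = value.replace("(", "\\28")
    value = value.replace(")", "\\29")
    value = value.replace("\x00", "\\00")
    return value


def build_equality_filter(attr, value):
    """Build '(attr=value)' with the attribute name allowlisted and the value escaped.

    Note the split: escaping (filter_format / escape_filter_chars) is the right
    tool for the *value*, but an attribute *name* must be validated, because the
    grammar allows no escape sequence that would make an arbitrary string safe.
    """
    return "(%s=%s)" % (validate_attribute_name(attr), escape_filter_value(value))


def build_presence_filter(attr):
    """Build '(attr=*)'; only the attribute name is caller-controlled here."""
    return "(%s=*)" % validate_attribute_name(attr)


if __name__ == "__main__":
    # Constructed inputs: the poster's payload next to legitimate names.
    for candidate in ["cn", "userCertificate;binary", "2.5.4.3",
                      "MyAttributeInput|*&", "1abc", "_hidden", "cn;"]:
        print("%-22s rfc=%-5s posted_regex=%s" % (
            candidate, is_valid_attribute_name(candidate), posted_regex_accepts(candidate)))
    print(build_equality_filter("cn", "a*b"))   # the '*' becomes a literal \2a
    print(build_presence_filter("mail"))
```

Used this way, the poster's failing call becomes build_presence_filter(user_input), which raises InvalidAttributeName for 'MyAttributeInput|*&' before any request reaches the directory server, instead of the server answering with FILTER_ERROR.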