[python-ldap] function for escaping/validation of attribute name

John Dennis jdennis at redhat.com
Tue Dec 16 15:42:34 CET 2014


On 12/16/2014 08:03 AM, Space One wrote:
> Hello,
> 
> Currently there is no function to properly escape or validate attribute
> names. Using e.g. ldap.filter.filter_format can produce a broken LDAP
> filter and allow LDAP search string injections.
> 
> ######## code snippet #############
> import ldap
> import ldap.filter
> 
> lo = ldap.initialize(uri)
> lo.simple_bind_s(binddn, bindpw)
> 
> user_input = 'MyAttributeInput|*&'
> filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])
> 
> lo.search_ext_s('dc=foo,dc=bar', ldap.SCOPE_BASE, filter)
> ###############################
> → raises (of course) FILTER_ERROR: {'desc': 'Bad search filter'}
> 
> How can I protect against user search string injections?
> My current attempt is to strip out everything which does not fulfill the
> python-regex r'^[\w\d\-;]+$'.
> I am not sure if this is valid, it protects for the first time. Related
> to the attribute syntax I only found: https://www.ietf.org/rfc/rfc2252.txt
> 
> There seems to be no function in python-ldap which covers this use case.

ldap.filter.escape_filter_chars()

http://www.python-ldap.org/doc/html/ldap-filter.html


-- 
John
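The thread leaves the attribute-name half of the problem open: escape_filter_chars() escapes assertion values, not attribute names, and the poster's regex r'^[\w\d\-;]+$' also accepts names that begin with a digit, hyphen or semicolon and, in Python 3, non-ASCII letters and underscores. The following validator is an added example (not python-ldap code) that checks an attribute description against the grammar in RFC 2252 section 4.1 as tightened by RFC 4512 section 2.5, and pairs it with RFC 4515 value escaping so the whole filter is built from validated parts. It is written without importing ldap so it runs stand-alone; in real code the value escaping would be ldap.filter.escape_filter_chars() from the reply above.

```python
import re

# Attribute description grammar (RFC 2252 4.1, tightened in RFC 4512 2.5):
#   attributedescription = attributetype *( ";" option )
#   attributetype        = descr / numericoid
#   descr                = ALPHA *( ALPHA / DIGIT / "-" )
#   numericoid           = number 1*( "." number ), number = "0" / LDIGIT *DIGIT
#   option               = 1*( ALPHA / DIGIT / "-" )
_DESCR = r"[A-Za-z][A-Za-z0-9-]*"
_NUMERICOID = r"(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+"
_OPTION = r"[A-Za-z0-9-]+"
ATTRIBUTE_DESCRIPTION_RE = re.compile(rf"(?:{_DESCR}|{_NUMERICOID})(?:;{_OPTION})*")


def is_valid_attribute_description(name: str) -> bool:
    """True if `name` is a syntactically valid LDAP attribute description."""
    return ATTRIBUTE_DESCRIPTION_RE.fullmatch(name) is not None


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value (what escape_filter_chars does).

    The backslash must be escaped first so the escapes it introduces survive.
    """
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def build_equality_filter(attribute: str, value: str) -> str:
    """Build "(attr=value)" from an untrusted attribute name and value.

    The name is validated (there is no way to escape it), the value is escaped.
    """
    if not is_valid_attribute_description(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def build_presence_filter(attribute: str) -> str:
    """Build "(attr=*)". The wildcard is added by the program, never passed
    through the escaper, which would turn it into "\\2a"."""
    if not is_valid_attribute_description(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    return f"({attribute}=*)"
```

Against the poster's input 'MyAttributeInput|*&' both builders raise ValueError before any search is issued, which is the point at which the request should be rejected rather than passed to search_ext_s.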

