escaping search string for ldap

2015-07-15 21:28:54 +02:00 · 2015-07-15 21:28:54 +02:00 · 64b9573634
parent 3a6da2e480
commit 64b9573634
1 changed files with 5 additions and 0 deletions
--- a/ldapcherry/backend/backendLdap.py
+++ b/ldapcherry/backend/backendLdap.py
@ -8,6 +8,7 @@
 import cherrypy
 import ldap
 import ldap.modlist as modlist
+import ldap.filter
 import logging
 import ldapcherry.backend
 from ldapcherry.exceptions import UserDoesntExist, GroupDoesntExist
@ -213,6 +214,7 @@ class Backend(ldapcherry.backend.Backend):

    def _get_user(self, username, attrs=ALL_ATTRS):

+        username = ldap.filter.escape_filter_chars(username)
        user_filter = self.user_filter_tmpl % {
            'username': username
        }
@ -378,6 +380,7 @@ class Backend(ldapcherry.backend.Backend):
    def search(self, searchstring):
        ret = {}

+        searchstring = ldap.filter.escape_filter_chars(searchstring)
        searchfilter = self.search_filter_tmpl % {
            'searchstring': searchstring
        }
@ -410,6 +413,8 @@ class Backend(ldapcherry.backend.Backend):
        return ret

    def get_groups(self, username):
+
+        username = ldap.filter.escape_filter_chars(username)
        userdn = self._get_user(username, NO_ATTR)

        searchfilter = self.group_filter_tmpl % {