From 64b957363435f3b2edef24af766cc54f931f3bbd Mon Sep 17 00:00:00 2001
From: kakwa
Date: Wed, 15 Jul 2015 21:28:54 +0200
Subject: [PATCH] escaping search string for ldap
---
 ldapcherry/backend/backendLdap.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ldapcherry/backend/backendLdap.py b/ldapcherry/backend/backendLdap.py
index 94db2e5..e838ec6 100644
--- a/ldapcherry/backend/backendLdap.py
+++ b/ldapcherry/backend/backendLdap.py
@@ -8,6 +8,7 @@
 import cherrypy
 import ldap
 import ldap.modlist as modlist
+import ldap.filter
 import logging
 import ldapcherry.backend
 from ldapcherry.exceptions import UserDoesntExist, GroupDoesntExist
@@ -213,6 +214,7 @@ class Backend(ldapcherry.backend.Backend):
 def _get_user(self, username, attrs=ALL_ATTRS):
+ username = ldap.filter.escape_filter_chars(username)
 user_filter = self.user_filter_tmpl % {
 'username': username
 }
@@ -378,6 +380,7 @@ class Backend(ldapcherry.backend.Backend):
 def search(self, searchstring):
 ret = {}
+ searchstring = ldap.filter.escape_filter_chars(searchstring)
 searchfilter = self.search_filter_tmpl % {
 'searchstring': searchstring
 }
@@ -410,6 +413,8 @@ class Backend(ldapcherry.backend.Backend):
 return ret
 def get_groups(self, username):
+
+ username = ldap.filter.escape_filter_chars(username)
 userdn = self._get_user(username, NO_ATTR)
 searchfilter = self.group_filter_tmpl % {
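Review bot: With the escape now inside `_get_user`, the `get_groups` hunk further down escapes `username` and then hands the already-escaped value to `self._get_user(username, NO_ATTR)`, so on that path the name is escaped twice. A username containing `(`, `)`, `*` or `\` would then be searched under its escaped spelling (the `\28` produced for `(` becomes `\5c28`), and the user lookup would most likely miss. Escape exactly once at the point of substitution: keep the call in `_get_user`, drop the early rebinding in `get_groups`, and escape only the value placed into `group_filter_tmpl`, e.g. `'username': ldap.filter.escape_filter_chars(username)`. The dict passed to `group_filter_tmpl` lies outside the visible hunk, so that key is an assumption; if `userdn` is substituted there as well it needs the same escaping, since a DN returned by the directory can contain filter metacharacters.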
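Review bot: In `search` the escaped value overwrites the `searchstring` parameter (and `_get_user` does the same with `username`), so any later use of the name for logging, error messages or comparisons would see the escaped form; both bodies continue outside their hunks, so this cannot be confirmed from here. A separate local keeps raw and escaped values apart: `escaped = ldap.filter.escape_filter_chars(searchstring)` followed by `'searchstring': escaped`. A one-line comment such as `# escape user input once, immediately before building the LDAP filter` would also record that callers are expected to pass raw strings.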