Added LDAP search filter cleansing mechanism to properly escape special characters (#1726)

2024-12-04 11:05:32 +00:00 · 2023-12-08 04:59:23 -05:00 · 2023-12-08 04:59:23 -05:00 · 3caded9b7f
commit 3caded9b7f
parent 66c262c57d 7b6aafbb2c
1 changed files with 12 additions and 0 deletions
--- a/powerdnsadmin/models/user.py
+++ b/powerdnsadmin/models/user.py
@ -133,9 +133,21 @@ class User(db.Model):
        conn.protocol_version = ldap.VERSION3
        return conn

+    def escape_filter_chars(self, filter_str):
+        """
+        Escape chars for ldap search
+        """
+        escape_chars = ['\\', '*', '(', ')', '\x00']
+        replace_chars = ['\\5c', '\\2a', '\\28', '\\29', '\\00']
+        for escape_char in escape_chars:
+            filter_str = filter_str.replace(escape_char, replace_chars[escape_chars.index(escape_char)])
+        return filter_str
+
    def ldap_search(self, searchFilter, baseDN, retrieveAttributes=None):
        searchScope = ldap.SCOPE_SUBTREE

+        searchFilter = self.escape_filter_chars(searchFilter)
+
        try:
            conn = self.ldap_init_conn()
            if Setting().get('ldap_type') == 'ad':