Added LDAP search filter cleansing mechanism to properly escape special characters (#1726)

Matt Scott 2023-12-08 04:59:23 -05:00 committed by GitHub
commit 3caded9b7f


@ -133,9 +133,21 @@ class User(db.Model):
conn.protocol_version = ldap.VERSION3 conn.protocol_version = ldap.VERSION3
return conn return conn
def escape_filter_chars(self, filter_str):
"""
Escape chars for ldap search
"""
escape_chars = ['\\', '*', '(', ')', '\x00']
replace_chars = ['\\5c', '\\2a', '\\28', '\\29', '\\00']
for escape_char in escape_chars:
filter_str = filter_str.replace(escape_char, replace_chars[escape_chars.index(escape_char)])
return filter_str
def ldap_search(self, searchFilter, baseDN, retrieveAttributes=None): def ldap_search(self, searchFilter, baseDN, retrieveAttributes=None):
searchScope = ldap.SCOPE_SUBTREE searchScope = ldap.SCOPE_SUBTREE
searchFilter = self.escape_filter_chars(searchFilter)
try: try:
conn = self.ldap_init_conn() conn = self.ldap_init_conn()
if Setting().get('ldap_type') == 'ad': if Setting().get('ldap_type') == 'ad':
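Review bot: The escape is applied to the whole `searchFilter` on the new line `searchFilter = self.escape_filter_chars(searchFilter)`, so if callers hand in an assembled filter such as `(uid=...)`, the structural parentheses and any intended `*` wildcard are rewritten to `\28`, `\29` and `\2a` as well and the filter no longer parses; escaping belongs on the untrusted assertion value at the point it is interpolated into the filter template, before `ldap_search` is called. python-ldap, which this file already uses as `ldap`, provides `ldap.filter.escape_filter_chars` (available after `import ldap.filter`) for exactly this, so the hand-rolled `escape_chars`/`replace_chars` table could become `return ldap.filter.escape_filter_chars(filter_str)` and stay in step with RFC 4515 without maintaining two parallel lists. The method never reads `self`, so it could be a `@staticmethod`, and a docstring such as `Escape one assertion value for inclusion in an LDAP search filter (RFC 4515); do not pass a complete filter.` would make the intended call site unambiguous. The body of `ldap_search` continues past the end of this hunk.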