directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal
Date Sat, 03 Nov 2012 08:40:12 GMT

    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489969#comment-13489969 ]

Emmanuel Lecharny commented on DIRSHARED-143:
---------------------------------------------

There is no simple solution. Consider these filters:

(cn=acm*) -> should we escape '*', and produce a (cn=acm\2a) filter? What if the user's
intention was to match every cn starting with 'acm'?

(&(cn=my)(cn\3Dtest)) -> should we escape the filter to (&cn=my\29\28cn\3Dtest\29)?

Now, we do have a method that escapes the 5 special chars, but it's protected and it works
only on String value:

    /**
     * Handles the escaping of special characters in LDAP search filter assertion values using the
     * &lt;valueencoding&gt; rule as described in
     * <a href="http://www.ietf.org/rfc/rfc4515.txt">RFC 4515</a>. Needed so that
     * {@link ExprNode#printToBuffer(StringBuffer)} results in a valid filter string that can be parsed
     * again (as a way of cloning filters).
     *
     * @param value Right hand side of "attrId=value" assertion occurring in an LDAP search filter.
     * @return Escaped version of <code>value</code>
     */
    protected static Value<?> escapeFilterValue( Value<?> value )

We can add one that is a public method working on String, would it be enough?
                
> Provide helper method to escape characters to be used in LDAP Filter literal
> ----------------------------------------------------------------------------
>
>                 Key: DIRSHARED-143
>                 URL: https://issues.apache.org/jira/browse/DIRSHARED-143
>             Project: Directory Shared
>          Issue Type: Improvement
>    Affects Versions: 1.0.0-M13
>            Reporter: Hendy Irawan
>
> In order to prevent malicious injection, user-provided input must be escaped (the 5 restricted
> characters) before being put in LDAP filter.
> Provide a helper static method to make it convenient and available as public API.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
