
Re: escaping strings in DN



Hi,

On Thursday 22 May 2003 14:50, Erik Thiele wrote:
> that's for sure. but i need a secure way to pass __anything__ into an
> ldap search filter.
>
> > In Python it looks like this (grabbed from python-ldap's CVS version):
> >
> > def escape_filter_chars(assertion_value):
> >    """
> >    Replace all special characters found in assertion_value
> >    by quoted notation
> >    """
> >    s = assertion_value.replace('\\', r'\5c')
> >    s = s.replace(r'*', r'\2a')
> >    s = s.replace(r'(', r'\28')
> >    s = s.replace(r')', r'\29')
> >    s = s.replace('\x00', r'\00')
> >    return s
> >
> are the rules in the above python escape code sufficient?
IMHO they are with respect to quoting for filters

Here's my Perl quoting code:
  sub quoteFilterValue($)
  {
    my $string = shift;
    # replace each ASCII control char or filter metachar with "\" + two hex digits
    $string =~ s/([\x00-\x1F\*\(\)\\])/"\\".unpack("H2",$1)/oge;
    return($string);
  }
It "backslash-hex-escapes" the ASCII control characters \x00 - \x1F
(most of them for the sake of legibility) and the characters with special
meaning in filters: "*",  "(",  ")" and  "\\"

Of course the value has to be correctly encoded according to the
syntax of the attribute you want the value to compare against:
* input for attributes with string syntax needs to be UTF8 encoded,
* input for DNs needs to be UTF8 encoded and the special DN
  characters DN-escaped,
* ...
This cannot be done in this escaping routine.

> for example if i search for some binary data like the content of
> a jpeg image? or aren't they, and the current python implementation
> is insecure? if so, please submit a bug report :-)

You can only search for attribute values that have the appropriate
matching rules. AFAIK there are no matching rules for binary attributes
such as jpegPhoto (certificates are an exception, but their matching
rules apply to the content, not to the binary value).

> please schedule adding a ldap_search_escapestring function.
> i will work with my own version, until the new function is available.
> until then, all LDAP libraries on top of your C-API will have their
> own escaping function. (like the python module)

A general quoting routine cannot be written since it needs to know the
syntax for each attribute.
The only thing that can sensibly be done is an equivalent to the 
Perl or Python routines from this correspondence.

Peter
-- 
Peter Marschall
eMail: peter@adpm.de
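Added example, not code from this thread, from python-ldap or from Peter's Perl: a Python 3 version of the filter escaping discussed above (same rule set as the Perl routine: the filter metacharacters plus ASCII control characters become backslash-hex), next to the separate DN escaping that the list items mention as a distinct step, and a small structure check that counts unescaped parentheses and wildcards so a filter built from untrusted input can be verified to still be a single equality assertion. The function names, the check and the sample inputs are assumptions of this example.

```python
"""Escaping helpers for LDAP search filters (RFC 4515) and DN values (RFC 4514).

Example code; function names and sample inputs are constructed for illustration.
"""

# Characters with structural meaning inside a filter assertion value.
_FILTER_SPECIAL = {'\\', '*', '(', ')', '\x00'}

# Characters that must be backslash-escaped anywhere in a DN attribute value.
_DN_SPECIAL = set('"+,;<>\\')


def escape_filter_value(value: str) -> str:
    """Backslash-hex-escape a value for use inside an LDAP search filter.

    Like the Perl routine in the thread: '\\', '*', '(', ')' and every
    ASCII control character (0x00-0x1F) become '\\' followed by two hex
    digits. Non-ASCII text is left as is (filters are UTF-8 strings).
    """
    out = []
    for ch in value:
        if ch in _FILTER_SPECIAL or ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def equality_filter(attr: str, value: str) -> str:
    """Build '(attr=value)' with the value escaped for the filter."""
    return '(%s=%s)' % (attr, escape_filter_value(value))


def filter_structure(filter_str: str) -> dict:
    """Count unescaped '(' , ')' and '*' in a filter string.

    Honours RFC 4515 escapes ('\\' plus two hex digits) so that escaped
    metacharacters are not counted. A filter built from one untrusted
    value should come back as one open, one close and no wildcards.
    """
    opens = closes = stars = 0
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == '\\':
            i += 3  # skip the backslash and its two hex digits
            continue
        if ch == '(':
            opens += 1
        elif ch == ')':
            closes += 1
        elif ch == '*':
            stars += 1
        i += 1
    return {'opens': opens, 'closes': closes, 'wildcards': stars}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for the string form of a DN (RFC 4514).

    '"', '+', ',', ';', '<', '>' and '\\' get a backslash anywhere; a
    leading '#' or space and a trailing space are escaped as well; NUL
    becomes '\\00'. This is a different rule set from filter escaping.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def rdn(attr: str, value: str) -> str:
    """Build 'attr=value' with the value DN-escaped."""
    return '%s=%s' % (attr, escape_dn_value(value))


if __name__ == '__main__':
    untrusted = '*)(uid=*'          # constructed sample input
    naive = '(uid=%s)' % untrusted  # no escaping: shape of the filter changes
    safe = equality_filter('uid', untrusted)
    print(naive, filter_structure(naive))
    print(safe, filter_structure(safe))
    print(rdn('cn', ' Marschall, Peter#'))  # constructed sample value
```

The structure check is a cheap assertion to keep next to any code that composes filters from external input: after escaping, the counts should not depend on the value at all.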