[Freeipa-devel] [PATCH] 21 Escape LDAP characters in member and memberof searches

Rob Crittenden rcritten at redhat.com
Wed Mar 30 22:03:18 UTC 2011


JR Aquino wrote:
> On Mar 30, 2011, at 1:01 PM, Stephen Gallagher wrote:
>
>> On 03/30/2011 03:53 PM, JR Aquino wrote:
>>>
>>> On Mar 30, 2011, at 12:05 PM, JR Aquino wrote:
>>>
>>>> The FreeIPA framework performs unescaped searches to enumerate group membership.
>>>>
>>>> The following patch corrects this behavior.
>>>>
>>>> -JR
>>>>
>>>> <freeipa-jraquino-0021-Escape-LDAP-characters-in-member-and-memberof-search.patch>
>>>
>>> Self NACK
>>>
>>> Attached is the corrected patch.
>>>
>>> search_group_dn = _ldap_filter.escape_filter_chars(search_group_dn)
>>>
>>> Is now correctly changed to:
>>>
>>> search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
>>>
>>
>> Nack. This is a step in the right direction, but you're not actually
>> using this value anywhere.
>>
>> I think you wanted to have the next line changed to:
>>
>> searchfilter = "(memberof=%s)" % search_group_dn
>>
>> --
>> Stephen Gallagher
>> RHCE 804006346421761
>
> Oh! You are right.
>
> Attached is the corrected patch.

I don't think you need a new variable for search_group_dn. The value is 
passed in from a tuple so any changes will be silently lost anyway.

Or you can leave it, I think it's probably safer this way (since we 
can't predict how it will be called in the future), but you should then 
do the same in get_memberof().

rob
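
Added example, not part of the original thread and not the FreeIPA patch: a sketch of the point raised in the review above, that the escaped group DN is the value that has to be interpolated into the memberof filter. The escaping helper is a hand-written RFC 4515 stand-in for the `escape_filter_chars` call quoted in the thread, and the builder names and sample DNs are constructed for illustration.

```python
# Added illustration; helper names and sample DNs are constructed, not FreeIPA code.
# RFC 4515 escaping for the five characters that are special inside a filter
# assertion value (a stand-in so this runs without python-ldap installed).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_chars(value):
    """Replace each special character with its backslash-hex form."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def memberof_filter_unescaped(group_dn):
    """Pre-patch behaviour: the DN is interpolated into the filter as-is."""
    return "(memberof=%s)" % group_dn


def memberof_filter(group_dn):
    """Escape first, then interpolate the escaped value (not the original)."""
    search_group_dn = escape_filter_chars(group_dn)
    return "(memberof=%s)" % search_group_dn


def is_single_literal_item(filter_str):
    """True if the filter is one (attr=value) item whose value holds no raw
    parenthesis or wildcard, i.e. the DN cannot alter the filter's shape."""
    if not (filter_str.startswith("(") and filter_str.endswith(")")):
        return False
    inner = filter_str[1:-1]
    return not any(ch in inner for ch in "()*")


# Constructed sample DNs.
PLAIN_DN = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"
PAREN_DN = "cn=ops (emea),cn=groups,cn=accounts,dc=example,dc=com"
STAR_DN = "cn=*,cn=groups,cn=accounts,dc=example,dc=com"

if __name__ == "__main__":
    for dn in (PLAIN_DN, PAREN_DN, STAR_DN):
        for build in (memberof_filter_unescaped, memberof_filter):
            f = build(dn)
            print("%-26s %-5s %s" % (build.__name__, is_single_literal_item(f), f))
```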