Posted to dev@directory.apache.org by "Hendy Irawan (JIRA)" <ji...@apache.org> on 2012/11/02 10:43:12 UTC

[jira] [Created] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Hendy Irawan created DIRSHARED-143:
--------------------------------------

             Summary: Provide helper method to escape characters to be used in LDAP Filter literal
                 Key: DIRSHARED-143
                 URL: https://issues.apache.org/jira/browse/DIRSHARED-143
             Project: Directory Shared
          Issue Type: Bug
    Affects Versions: 1.0.0-M13
            Reporter: Hendy Irawan


In order to prevent malicious injection, user-provided input must be escaped (the 5 restricted characters) before being put in LDAP filter.

Provide a helper static method to make it convenient and available as public API.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Hendy Irawan (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489337#comment-13489337 ] 

Hendy Irawan commented on DIRSHARED-143:
----------------------------------------

How do I edit this as "Improvement"? I can't find the button to do so :(
                
> Provide helper method to escape characters to be used in LDAP Filter literal
> ----------------------------------------------------------------------------
>
>                 Key: DIRSHARED-143
>                 URL: https://issues.apache.org/jira/browse/DIRSHARED-143
>             Project: Directory Shared
>          Issue Type: Bug
>    Affects Versions: 1.0.0-M13
>            Reporter: Hendy Irawan
>
> In order to prevent malicious injection, user-provided input must be escaped (the 5 restricted characters) before being put in LDAP filter.
> Provide a helper static method to make it convenient and available as public API.


[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489352#comment-13489352 ] 

Emmanuel Lecharny commented on DIRSHARED-143:
---------------------------------------------

I forgot to mention that if you do provide such a method, we will be more than pleased to add it to the API :)
                

[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Hendy Irawan (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489982#comment-13489982 ] 

Hendy Irawan commented on DIRSHARED-143:
----------------------------------------

An implementation of Stefan's suggestion would be even more awesome :)
                

[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489348#comment-13489348 ] 

Emmanuel Lecharny commented on DIRSHARED-143:
---------------------------------------------

Made it an Improvement.

Can you be a bit more explicit? An example could help here. Thanks!
                

[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Stefan Seelmann (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489980#comment-13489980 ] 

Stefan Seelmann commented on DIRSHARED-143:
-------------------------------------------

I'd suggest something like "filter template and arguments" in JNDI (see http://docs.oracle.com/javase/jndi/tutorial/ldap/search/search.html, topic "Using String Filters with Arguments"). 

The idea is to define the filter template with placeholders and to escape the arguments (which are probably entered by a user of an application) before replacing the placeholders. Special chars in the template string are preserved, but special chars in the arguments are escaped.

{code}
String filterTemplate = "(&(cn=*{0}*)(uid=*{1}*))";
String[] args = {"f**", "(bar)"};
String filter = LdapEncoder.format(filterTemplate, args);
// => (&(cn=*f\2a\2a*)(uid=*\28bar\29*))
{code}

                

[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Stefan Seelmann (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13490082#comment-13490082 ] 

Stefan Seelmann commented on DIRSHARED-143:
-------------------------------------------

Another option to create such a filter with escaped special characters is to use the classes from org.apache.directory.shared.ldap.model.filter package, for example:

{code}
AndNode andNode = new AndNode();
andNode.addNode( new EqualityNode<String>( "uid", new StringValue( "(*)" ) ) );
andNode.addNode( new SubstringNode( "cn", "H*n", null ) );
System.out.println(andNode.toString());
// =>(&(uid=\28\2A\29)(cn=H\2An*))
{code}

I see that it is not always intuitive to use those classes; I think they are not intended to be used by API users.

                

[jira] [Assigned] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Stefan Seelmann (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann reassigned DIRSHARED-143:
-----------------------------------------

    Assignee: Stefan Seelmann
    

[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Hendy Irawan (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489970#comment-13489970 ] 

Hendy Irawan commented on DIRSHARED-143:
----------------------------------------

(cn=acm*) -> should we escape '*', and produce a (cn=acm\2a) filter? What if the user intention was to match every cn starting with 'acm'?

(&(cn=my)(cn\3Dtest)) -> should we escape the filter to (&cn=my\29\28cn\3Dtest\29)?

The above is not how to use the methods. The user does not input a filter string; they input values to match.

For example, usage in Java would be:

{code}
String filter = "(&(cn=*" + LdapEncoder.filterEncode(searchText) + "*)(uid=*" + LdapEncoder.filterEncode(searchText) + "*))";
{code}

searchText is provided by user input.

A JDBC/JPA-style query escaping would be even more awesome, but the simplest helper methods are already useful.

public static String escapeFilterValue(String value) would be cool; it's the same functionality as Spring LDAP's LdapEncoder.filterEncode(). Is this correct?
                

[jira] [Updated] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Stefan Seelmann (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann updated DIRSHARED-143:
--------------------------------------

    Attachment: DIRSHARED-143.patch

Here is a patch; it contains my proposed format(String, String[]) method as well as an encodeFilterValue(String) method (that code is copied from AbstractExprNode).

I didn't commit because I'm unsure about the right place/module/package for the class. If committed we should also use the encodeFilterValue(String) from AbstractExprNode.escapeFilterValue() to avoid code duplication.

                

[jira] [Resolved] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Stefan Seelmann (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann resolved DIRSHARED-143.
---------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.0.0-M14

Fixed with http://svn.apache.org/viewvc?rev=1405534&view=rev
                

[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489969#comment-13489969 ] 

Emmanuel Lecharny commented on DIRSHARED-143:
---------------------------------------------

There is no simple solution. Consider those filters:

(cn=acm*) -> should we escape '*', and produce a (cn=acm\2a) filter? What if the user intention was to match every cn starting with 'acm'?

(&(cn=my)(cn\3Dtest)) -> should we escape the filter to (&cn=my\29\28cn\3Dtest\29)?

Now, we do have a method that escapes the 5 special chars, but it's protected and it works only on String values:

{code}
/**
 * Handles the escaping of special characters in LDAP search filter assertion values using the
 * &lt;valueencoding&gt; rule as described in
 * <a href="http://www.ietf.org/rfc/rfc4515.txt">RFC 4515</a>. Needed so that
 * {@link ExprNode#printToBuffer(StringBuffer)} results in a valid filter string that can be parsed
 * again (as a way of cloning filters).
 *
 * @param value Right hand side of "attrId=value" assertion occurring in an LDAP search filter.
 * @return Escaped version of <code>value</code>
 */
protected static Value<?> escapeFilterValue( Value<?> value )
{code}

We can add one that is a public method working on String; would it be enough?
                
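Stefan's "template and arguments" proposal and the public String-based escape method Emmanuel asks about, written out as an added example that is not the Directory Shared project's code or the committed patch. The class name LdapFilterEscaper, the {n} placeholder syntax and the self-check helper are assumptions; the escape table is the five RFC 4515 characters the thread refers to.

```java
public final class LdapFilterEscaper {
    /** Escapes the five RFC 4515 special characters ('*', '(', ')', '\', NUL)
     *  as a backslash plus the two hex digits of the byte value. */
    public static String encodeFilterValue(String value) {
        if (value == null) {
            throw new IllegalArgumentException("value must not be null");
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Substitutes {0}, {1}, ... with the escaped arguments. Special characters in
     *  the template (developer-controlled, e.g. a trailing '*' wildcard) are kept;
     *  those inside the arguments (user-controlled) are escaped, so an argument
     *  can never close an assertion or add a clause. */
    public static String format(String template, String... args) {
        StringBuilder sb = new StringBuilder();
        int i = 0;
        while (i < template.length()) {
            char c = template.charAt(i);
            if (c == '{') {
                int close = template.indexOf('}', i);
                if (close > i + 1 && isAllDigits(template, i + 1, close)) {
                    int n = Integer.parseInt(template.substring(i + 1, close));
                    if (n >= args.length) {
                        throw new IllegalArgumentException("no argument for {" + n + "}");
                    }
                    sb.append(encodeFilterValue(args[n]));
                    i = close + 1;
                    continue;
                }
            }
            sb.append(c);
            i++;
        }
        return sb.toString();
    }

    private static boolean isAllDigits(String s, int from, int to) {
        for (int i = from; i < to; i++) {
            char c = s.charAt(i);
            if (c < '0' || c > '9') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // The two outputs quoted in the thread (Spring LDAP's filterEncode and
        // Stefan's format proposal) serve as self-checks.
        check(encodeFilterValue("sm*sh"), "sm\\2ash");
        check(format("(&(cn=*{0}*)(uid=*{1}*))", "f**", "(bar)"),
              "(&(cn=*f\\2a\\2a*)(uid=*\\28bar\\29*))");
        // The "(cn=acm*)" question: the wildcard belongs in the template, the
        // user-supplied prefix in the argument.
        System.out.println(format("(cn={0}*)", "acm"));
        // Constructed argument with structural characters: it stays a single
        // literal value instead of rewriting the filter.
        System.out.println(format("(cn={0})", "acm*)(uid=*"));
    }

    private static void check(String actual, String expected) {
        if (!actual.equals(expected)) {
            throw new AssertionError(actual + " != " + expected);
        }
    }
}
```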

[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Hendy Irawan (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13490207#comment-13490207 ] 

Hendy Irawan commented on DIRSHARED-143:
----------------------------------------

Awesome! Thank you Stefan, Emmanuel! :)
                

[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13490110#comment-13490110 ] 

Emmanuel Lecharny commented on DIRSHARED-143:
---------------------------------------------

I prefer the patch you provided. The Node methods are for internal use, and they are not user friendly. 

Just commit the patch in o.a.d.shared.ldap.model.filter.
                

[jira] [Updated] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated DIRSHARED-143:
----------------------------------------

    Issue Type: Improvement  (was: Bug)
    

[jira] [Commented] (DIRSHARED-143) Provide helper method to escape characters to be used in LDAP Filter literal

Posted by "Hendy Irawan (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489369#comment-13489369 ] 

Hendy Irawan commented on DIRSHARED-143:
----------------------------------------

LdapEncoder.filterEncode("sm*sh") => sm\2ash

There is an Apache 2.0 licensed implementation here: http://www.jarvana.com/jarvana/view/org/springframework/ldap/spring-ldap/1.3.0.RELEASE/spring-ldap-1.3.0.RELEASE-sources.jar!/org/springframework/ldap/core/LdapEncoder.java?format=ok

It also has a few more useful encoding/decoding methods.

Is it okay to incorporate it from legal perspective?

I can make a patch that simply copies it verbatim, with a simple test. Just name the artifact/package/className.

Thank you.
                