forked from DGNum/gestioCOF
Prevent ldap injections in autocompletion views
We only allow alphanumeric characters in the query in order to avoid injections
This commit is contained in:
parent
3acc8bca75
commit
741f0183e6
2 changed files with 36 additions and 32 deletions
|
@ -56,10 +56,12 @@ def autocomplete(request):
|
||||||
# Fetching data from the SPI
|
# Fetching data from the SPI
|
||||||
if hasattr(settings, 'LDAP_SERVER_URL'):
|
if hasattr(settings, 'LDAP_SERVER_URL'):
|
||||||
# Fetching
|
# Fetching
|
||||||
ldap_query = '(|{:s})'.format(''.join(
|
ldap_query = '(|{:s})'.format(''.join([
|
||||||
['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(**{"bit": bit})
|
'(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=bit)
|
||||||
for bit in bits]
|
for bit in bits if bit.isalnum()
|
||||||
))
|
]))
|
||||||
|
if ldap_query != "(|)":
|
||||||
|
# If none of the bits were legal, we do not perform the query
|
||||||
with Connection(settings.LDAP_SERVER_URL) as conn:
|
with Connection(settings.LDAP_SERVER_URL) as conn:
|
||||||
conn.search(
|
conn.search(
|
||||||
'dc=spi,dc=ens,dc=fr', ldap_query,
|
'dc=spi,dc=ens,dc=fr', ldap_query,
|
||||||
|
|
|
@ -75,10 +75,12 @@ def account_create(request):
|
||||||
# Fetching data from the SPI
|
# Fetching data from the SPI
|
||||||
if hasattr(settings, 'LDAP_SERVER_URL'):
|
if hasattr(settings, 'LDAP_SERVER_URL'):
|
||||||
# Fetching
|
# Fetching
|
||||||
ldap_query = '(|{:s})'.format(''.join(
|
ldap_query = '(|{:s})'.format(''.join([
|
||||||
['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word)
|
'(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word)
|
||||||
for word in search_words]
|
for word in search_words if word.isalnum()
|
||||||
))
|
]))
|
||||||
|
if ldap_query != "(|)":
|
||||||
|
# If none of the bits were legal, we do not perform the query
|
||||||
with Connection(settings.LDAP_SERVER_URL) as conn:
|
with Connection(settings.LDAP_SERVER_URL) as conn:
|
||||||
conn.search(
|
conn.search(
|
||||||
'dc=spi,dc=ens,dc=fr', ldap_query,
|
'dc=spi,dc=ens,dc=fr', ldap_query,
|
||||||
|
|
Loading…
Reference in a new issue