Prevent ldap injections in autocompletion views

We only allow alphanumeric characters in the query in order to avoid
injections
This commit is contained in:
Martin Pépin 2017-03-16 22:43:43 +00:00
parent 3acc8bca75
commit 741f0183e6
2 changed files with 36 additions and 32 deletions

View file

@ -56,10 +56,12 @@ def autocomplete(request):
# Fetching data from the SPI # Fetching data from the SPI
if hasattr(settings, 'LDAP_SERVER_URL'): if hasattr(settings, 'LDAP_SERVER_URL'):
# Fetching # Fetching
ldap_query = '(|{:s})'.format(''.join( ldap_query = '(|{:s})'.format(''.join([
['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(**{"bit": bit}) '(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=bit)
for bit in bits] for bit in bits if bit.isalnum()
)) ]))
if ldap_query != "(|)":
# If none of the bits were legal, we do not perform the query
with Connection(settings.LDAP_SERVER_URL) as conn: with Connection(settings.LDAP_SERVER_URL) as conn:
conn.search( conn.search(
'dc=spi,dc=ens,dc=fr', ldap_query, 'dc=spi,dc=ens,dc=fr', ldap_query,

View file

@ -75,10 +75,12 @@ def account_create(request):
# Fetching data from the SPI # Fetching data from the SPI
if hasattr(settings, 'LDAP_SERVER_URL'): if hasattr(settings, 'LDAP_SERVER_URL'):
# Fetching # Fetching
ldap_query = '(|{:s})'.format(''.join( ldap_query = '(|{:s})'.format(''.join([
['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word) '(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word)
for word in search_words] for word in search_words if word.isalnum()
)) ]))
if ldap_query != "(|)":
# If none of the bits were legal, we do not perform the query
with Connection(settings.LDAP_SERVER_URL) as conn: with Connection(settings.LDAP_SERVER_URL) as conn:
conn.search( conn.search(
'dc=spi,dc=ens,dc=fr', ldap_query, 'dc=spi,dc=ens,dc=fr', ldap_query,