Prevent ldap injections in autocompletion views

We only allow alphanumeric characters in the query in order to avoid injections
2017-03-16 22:43:43 +00:00 · 2017-03-16 22:43:43 +00:00 · 741f0183e6
commit 741f0183e6
parent 3acc8bca75
2 changed files with 36 additions and 32 deletions
--- a/gestioncof/autocomplete.py
+++ b/gestioncof/autocomplete.py
@ -56,22 +56,24 @@ def autocomplete(request):
    # Fetching data from the SPI
    if hasattr(settings, 'LDAP_SERVER_URL'):
        # Fetching
-        ldap_query = '(|{:s})'.format(''.join(
+        ldap_query = '(|{:s})'.format(''.join([
-            ['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(**{"bit": bit})
+            '(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=bit)
-             for bit in bits]
+            for bit in bits if bit.isalnum()
-        ))
+        ]))
-        with Connection(settings.LDAP_SERVER_URL) as conn:
+        if ldap_query != "(|)":
-            conn.search(
+            # If none of the bits were legal, we do not perform the query
-                'dc=spi,dc=ens,dc=fr', ldap_query,
+            with Connection(settings.LDAP_SERVER_URL) as conn:
-                attributes=['uid', 'cn']
+                conn.search(
-            )
+                    'dc=spi,dc=ens,dc=fr', ldap_query,
-            queries['clippers'] = conn.entries
+                    attributes=['uid', 'cn']
-        # Clearing redundancies
+                )
-        queries['clippers'] = [
+                queries['clippers'] = conn.entries
-            Clipper(clipper.uid, clipper.cn)
+            # Clearing redundancies
-            for clipper in queries['clippers']
+            queries['clippers'] = [
-            if str(clipper.uid) not in usernames
+                Clipper(clipper.uid, clipper.cn)
-        ]
+                for clipper in queries['clippers']
                if str(clipper.uid) not in usernames
            ]
    # Resulting data
    data.update(queries)
--- a/kfet/autocomplete.py
+++ b/kfet/autocomplete.py
@ -75,22 +75,24 @@ def account_create(request):
    # Fetching data from the SPI
    if hasattr(settings, 'LDAP_SERVER_URL'):
        # Fetching
-        ldap_query = '(|{:s})'.format(''.join(
+        ldap_query = '(|{:s})'.format(''.join([
-            ['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word)
+            '(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word)
-             for word in search_words]
+            for word in search_words if word.isalnum()
-        ))
+        ]))
-        with Connection(settings.LDAP_SERVER_URL) as conn:
+        if ldap_query != "(|)":
-            conn.search(
+            # If none of the bits were legal, we do not perform the query
-                'dc=spi,dc=ens,dc=fr', ldap_query,
+            with Connection(settings.LDAP_SERVER_URL) as conn:
-                attributes=['uid', 'cn']
+                conn.search(
-            )
+                    'dc=spi,dc=ens,dc=fr', ldap_query,
-            queries['clippers'] = conn.entries
+                    attributes=['uid', 'cn']
-        # Clearing redundancies
+                )
-        queries['clippers'] = [
+                queries['clippers'] = conn.entries
-            Clipper(clipper.uid, clipper.cn)
+            # Clearing redundancies
-            for clipper in queries['clippers']
+            queries['clippers'] = [
-            if str(clipper.uid) not in usernames
+                Clipper(clipper.uid, clipper.cn)
-        ]
+                for clipper in queries['clippers']
                if str(clipper.uid) not in usernames
            ]
    # Resulting data
    data.update(queries)