From 463d7d2fe8553e51b51361cc607487c5750a350d Mon Sep 17 00:00:00 2001
From: Jr Aquino
Date: Wed, 30 Mar 2011 15:14:57 -0700
Subject: Escape LDAP characters in member and memberof searches
https://fedorahosted.org/freeipa/ticket/1140
---
 ipaserver/plugins/ldap2.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index ebbca60e5..13950d9a0 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -913,7 +913,8 @@ class ldap2(CrudBackend, Encoder):
 if membertype not in [MEMBERS_ALL, MEMBERS_DIRECT, MEMBERS_INDIRECT]:
 return None
- searchfilter = "(memberof=%s)" % group_dn
+ search_group_dn = _ldap_filter.escape_filter_chars(group_dn)
+ searchfilter = "(memberof=%s)" % search_group_dn
 attr_list.append("member")
@@ -975,9 +976,10 @@ class ldap2(CrudBackend, Encoder):
 if len(memberof) == 0:
 return ([], [])
+ search_entry_dn = _ldap_filter.escape_filter_chars(entry_dn)
 attr_list = ["dn", "memberof"]
 searchfilter = "(|(member=%s)(memberhost=%s)(memberuser=%s))" % (
- entry_dn, entry_dn, entry_dn)
+ search_entry_dn, search_entry_dn, search_entry_dn)
 # We have to do three searches because netgroups and pbac are not
 # within the accounts container.
-- cgit
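Review bot: The escape-then-interpolate step is written out by hand for `(memberof=%s)` here and again for the `member`/`memberhost`/`memberuser` filter in the second hunk, so every future filter in this class has to remember it. python-ldap's `filter_format` applies `escape_filter_chars` to each argument itself, so the two added lines could become `searchfilter = _ldap_filter.filter_format("(memberof=%s)", [group_dn])` (assuming `_ldap_filter` is the module's alias for `ldap.filter`), which leaves no raw value to interpolate by mistake. The diffstat shows only ldap2.py changed, so a regression test with a DN containing `(`, `)`, `*` or `\` would pin the behaviour. The enclosing method starts and ends outside the hunk, so any other filters it builds are not visible here.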
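Review bot: `search_entry_dn` is a filter-escaped copy of the DN, and nothing in the second hunk says it is valid only inside a search filter. The method goes on to run three searches below the hunk, and a maintainer who passed `search_entry_dn` as a search base or compared it with a returned DN would get a value that no longer matches, because the escaping rewrites characters such as `\`, `(` and `)`. A one-line comment above the assignment would record that, for example `# filter-escaped copy (RFC 4515); use only inside searchfilter, keep entry_dn for bases and comparisons`. The same comment applies to `search_group_dn` in the first hunk.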