author | Kevin McCarthy <kmccarth@redhat.com> | 2007-10-05 15:25:58 -0700 |
---|---|---|
committer | Kevin McCarthy <kmccarth@redhat.com> | 2007-10-05 15:25:58 -0700 |
commit | b73f82565748161ce2b0f344f87bfbcc72f1f2ad (patch) | |
tree | 72a3668ea2f474fbc01a827456d354ed536dc8c7 | |
parent | 1be00394e391c0b30b5efb51dff56815159812c9 (diff) | |
Several escaping fixes:
- illegal dn characters need to be escaped
- null characters in search filters
- dynamicedit.js was double html escaping (the python layer does it already)
-rw-r--r-- | ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js | 6 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 9 |
2 files changed, 10 insertions, 5 deletions
diff --git a/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js b/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js
index 1cb38f28..5d157cb8 100644
--- a/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js
+++ b/ipa-server/ipa-gui/ipagui/static/javascript/dynamicedit.js
@@ -71,12 +71,12 @@ var dn_to_member_div_id = new Hash();
 function renderMemberInfo(newdiv, info) {
 if (info.type == "user") {
 newdiv.appendChild(document.createTextNode(
- info.name.escapeHTML() + " " + info.descr.escapeHTML() + " "));
+ info.name + " " + info.descr + " "));
 } else if (info.type == "group") {
 ital = document.createElement('i');
 ital.appendChild(document.createTextNode(
- info.name.escapeHTML() + " " +
- info.descr.escapeHTML() + " "));
+ info.name + " " +
+ info.descr + " "));
 newdiv.appendChild(ital);
 }
 }
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 8a6bbf91..52c38240 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -22,6 +22,7 @@ sys.path.append("/usr/share/ipa")
 import krbV
 import ldap
+import ldap.dn
 import ipaserver.dsinstance
 import ipaserver.ipaldap
 import ipa.ipautil
@@ -385,7 +386,8 @@ class IPAServer:
 if self.__is_user_unique(user['uid'], opts) == 0:
 raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
- dn="uid=%s,%s,%s" % (user['uid'], user_container,self.basedn)
+ dn="uid=%s,%s,%s" % (ldap.dn.escape_dn_chars(user['uid']),
+ user_container,self.basedn)
 entry = ipaserver.ipaldap.Entry(dn)
 # FIXME: This should be dynamic and can include just about anything
@@ -688,7 +690,8 @@ class IPAServer:
 if self.__is_group_unique(group['cn'], opts) == 0:
 raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
- dn="cn=%s,%s,%s" % (group['cn'], group_container,self.basedn)
+ dn="cn=%s,%s,%s" % (ldap.dn.escape_dn_chars(group['cn']),
+ group_container,self.basedn)
 entry = ipaserver.ipaldap.Entry(dn)
 # some required objectclasses 
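Review bot: With `escapeHTML()` removed, nothing in renderMemberInfo records why `info.name` and `info.descr` can be used unescaped in either branch. That now depends on two things the hunk does not show: the python layer escaping the values once (as the commit message states), and `document.createTextNode` remaining the sink, since a text node is never parsed as markup. I would add a comment above the first `createTextNode` call, for example `// info.* is escaped once by the python layer; keep createTextNode here, never innerHTML`, so a later refactor does not reintroduce either double escaping or an unescaped HTML sink.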
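Review bot: In the `uid=%s,%s,%s` line only the first RDN value goes through `ldap.dn.escape_dn_chars`; `user_container` is still formatted into the DN as-is. The hunk does not show where `user_container` comes from, so this is worth confirming: if a caller can supply it, it cannot simply be passed through `escape_dn_chars` (it is a multi-RDN fragment and its commas would be escaped). It should instead be parsed and rejected when malformed, e.g. `ldap.dn.str2dn(user_container)` before the format. The same applies to `group_container` in the `cn=%s,%s,%s` hunk at -688. Both enclosing IPAServer methods start and end outside these hunks.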
@@ -1055,5 +1058,7 @@ def ldap_search_escape(match):
 elif value == "*":
 # drop '*' from input. search performs its own wildcarding
 return ""
+ elif value =='\x00':
+ return r'\00'
 else:
 return value |
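Review bot: The new `elif value =='\x00':` branch only runs if the regular expression that calls ldap_search_escape actually matches a NUL character. That pattern is outside this hunk, and the diffstat for funcs.py (9 lines, all accounted for by the hunks shown) suggests this commit does not touch it. If its character class does not already include `\x00`, the branch is dead and NUL still reaches the search filter unescaped, so the pattern should be checked and extended if needed. A small style point on the same line: write it as `elif value == '\x00':` to match the spacing of the other branches. The function starts above the hunk; only its tail is visible here.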