authorEndi Sukma Dewata <edewata@redhat.com>2012-03-14 12:51:23 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-03-14 14:45:02 -0500
commit5c613fcb2323cb477ac6d4518a73fc4a810c2b3f (patch)
tree5e415ef33af90934c82c7d161982290d58de2331 /pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java
parent2c960067012c43db1437f561a63fc515328344e2 (diff)
Escape parameter values in search filter.
The REST interface was vulnerable to an injection attack. This has been fixed by escaping the special characters in parameter values before using them in the search filter. Ticket #96
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java7
1 files changed, 4 insertions, 3 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java
index 9b11a96d6..11898ef7a 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java
@@ -29,6 +29,7 @@ import com.netscape.certsrv.request.RequestId;
import com.netscape.cms.servlet.base.CMSResourceService;
import com.netscape.cms.servlet.request.model.KeyRequestDAO;
import com.netscape.cms.servlet.request.model.KeyRequestInfos;
+import com.netscape.cmsutil.ldap.LDAPUtil;
/**
* @author alee
@@ -77,17 +78,17 @@ public class KeyRequestsResourceService extends CMSResourceService implements Ke
}
if (requestState != null) {
- filter += "(requeststate=" + requestState + ")";
+ filter += "(requeststate=" + LDAPUtil.escape(requestState) + ")";
matches ++;
}
if (requestType != null) {
- filter += "(requesttype=" + requestType + ")";
+ filter += "(requesttype=" + LDAPUtil.escape(requestType) + ")";
matches ++;
}
if (clientID != null) {
- filter += "(clientID=" + clientID + ")";
+ filter += "(clientID=" + LDAPUtil.escape(clientID) + ")";
matches ++;
}