From 84a9611cb885f04c72cd657c3a3e7bc4aff39d93 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Jan 24 2017 10:50:07 +0000 Subject: ipaldap: properly escape raw binary values in LDAP filters Manually escape each byte in the value, do not use ldap.filter.escape_filter_chars() as it does not work with bytes in Python 3. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Martin Basti Reviewed-By: Christian Heimes --- diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index daee068..3ee40bf 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -19,6 +19,7 @@ # along with this program. If not, see . # +import binascii import time import datetime from decimal import Decimal @@ -1245,11 +1246,13 @@ class LDAPClient(object): return cls.combine_filters(flts, rules) elif value is not None: if isinstance(value, bytes): - if six.PY3: - value = value.decode('raw_unicode_escape') + value = binascii.hexlify(value).decode('ascii') + # value[-2:0] is empty string for the initial '\\' + value = u'\\'.join( + value[i:i+2] for i in six.moves.range(-2, len(value), 2)) else: value = value_to_utf8(value) - value = ldap.filter.escape_filter_chars(value) + value = ldap.filter.escape_filter_chars(value) if not exact: template = '%s' if leading_wildcard: