SEC-837: Add special character filtering to LDAP search filterscore/src/test/java/org/springframework/security/ldap

2008-05-20 19:22:49 +00:00 · 2008-05-20 19:22:49 +00:00 · 3fb1f59fde
parent 219d2e8962
commit 3fb1f59fde
2 changed files with 22 additions and 3 deletions
--- a/core/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java
+++ b/core/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java
@ -22,6 +22,7 @@ import org.springframework.ldap.core.ContextSource;
 import org.springframework.ldap.core.DirContextAdapter;
 import org.springframework.ldap.core.DirContextOperations;
 import org.springframework.ldap.core.DistinguishedName;
+import org.springframework.ldap.core.LdapEncoder;
 import org.springframework.util.Assert;

 import org.apache.commons.logging.Log;
@ -135,9 +136,16 @@ public class SpringSecurityLdapTemplate extends org.springframework.ldap.core.Ld
     * @return the set of String values for the attribute as a union of the values found in all the matching entries.
     */
    public Set searchForSingleAttributeValues(final String base, final String filter, final Object[] params,
-        final String attributeName) {
-
-        String formattedFilter = MessageFormat.format(filter, params);
+    		final String attributeName) {
+    	// Escape the params acording to RFC2254
+    	Object[] encodedParams = new String[params.length];
+    	
+    	for (int i=0; i < params.length; i++) {
+    		encodedParams[i] = LdapEncoder.filterEncode(params[i].toString());  
+    	}
+    	
+        String formattedFilter = MessageFormat.format(filter, encodedParams);
+        logger.debug("Using filter: " + formattedFilter);

        final HashSet set = new HashSet();

--- a/core/src/test/resources/test-server.ldif
+++ b/core/src/test/resources/test-server.ldif
@ -48,6 +48,16 @@ sn: Smeth
 uid: joe
 userPassword: joespassword

+dn: cn=mouse\, jerry,ou=people,dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Mouse, Jerry
+sn: Mouse
+uid: jerry
+userPassword: jerryspassword
+
 dn: cn=developers,ou=groups,dc=springframework,dc=org
 objectclass: top
 objectclass: groupOfNames
@ -62,6 +72,7 @@ objectclass: groupOfNames
 cn: managers
 ou: manager
 member: uid=ben,ou=people,dc=springframework,dc=org
+member: cn=mouse\, jerry,ou=people,dc=springframework,dc=org

 dn: cn=submanagers,ou=subgroups,ou=groups,dc=springframework,dc=org
 objectclass: top