projects / matthijs / upstream / django-ldapdb.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
improve LDAP filter escaping
[matthijs/upstream/django-ldapdb.git] / ldapdb / models / query.py
diff --git a/ldapdb/models/query.py b/ldapdb/models/query.py
index f430286b65be5d14531e46a86b540eaa3a851ab6..877ea9e40ee74c0b323361e39ca2ea893ba79f4f 100644 (file)
--- a/ldapdb/models/query.py
+++ b/ldapdb/models/query.py
@@ -21,7 +21,6 @@
 from copy import deepcopy
 import ldap
 
-from django.db.models.fields import Field
 from django.db.models.query import QuerySet as BaseQuerySet
 from django.db.models.query_utils import Q
 from django.db.models.sql import Query as BaseQuery
@@ -29,6 +28,14 @@ from django.db.models.sql.where import WhereNode as BaseWhereNode, Constraint as
 
 import ldapdb
 
+def escape_ldap_filter(value):
+    value = str(value)
+    return value.replace('\\', '\\5c') \
+                .replace('*', '\\2a') \
+                .replace('(', '\\28') \
+                .replace(')', '\\29') \
+                .replace('\0', '\\00')
+
 class Constraint(BaseConstraint):
     """
     An object that can be passed to WhereNode.add() and knows how to
@@ -43,13 +50,13 @@ class Constraint(BaseConstraint):
         from django.db.models.base import ObjectDoesNotExist
 
         if lookup_type == 'endswith':
-            params = ["*%s" % value]
+            params = ["*%s" % escape_ldap_filter(value)]
         elif lookup_type == 'startswith':
-            params = ["%s*" % value]
+            params = ["%s*" % escape_ldap_filter(value)]
         elif lookup_type == 'exact':
-            params = [value]
+            params = [escape_ldap_filter(value)]
         elif lookup_type == 'in':
-            params = [v for v in value]
+            params = [escape_ldap_filter(v) for v in value]
         else:
             raise TypeError("Field has invalid lookup: %s" % lookup_type)
 
Unnamed repository; edit this file to name it for gitweb.