X-Git-Url: https://git.stderr.nl/gitweb?p=matthijs%2Fupstream%2Fdjango-ldapdb.git;a=blobdiff_plain;f=ldapdb%2Fmodels%2Fquery.py;h=877ea9e40ee74c0b323361e39ca2ea893ba79f4f;hp=f430286b65be5d14531e46a86b540eaa3a851ab6;hb=6114ec0f3314013175cc55886f2cd6085d8ae1d0;hpb=410870e98c85639ac9646f61af06a1667c226ca3

diff --git a/ldapdb/models/query.py b/ldapdb/models/query.py
index f430286..877ea9e 100644
--- a/ldapdb/models/query.py
+++ b/ldapdb/models/query.py
@@ -21,7 +21,6 @@
 from copy import deepcopy
 import ldap
 
-from django.db.models.fields import Field
 from django.db.models.query import QuerySet as BaseQuerySet
 from django.db.models.query_utils import Q
 from django.db.models.sql import Query as BaseQuery
@@ -29,6 +28,14 @@ from django.db.models.sql.where import WhereNode as BaseWhereNode, Constraint as
 
 import ldapdb
 
+def escape_ldap_filter(value):
+    value = str(value)
+    return value.replace('\\', '\\5c') \
+                .replace('*', '\\2a') \
+                .replace('(', '\\28') \
+                .replace(')', '\\29') \
+                .replace('\0', '\\00')
+
 class Constraint(BaseConstraint):
     """
     An object that can be passed to WhereNode.add() and knows how to
@@ -43,13 +50,13 @@ class Constraint(BaseConstraint):
         from django.db.models.base import ObjectDoesNotExist
 
         if lookup_type == 'endswith':
-            params = ["*%s" % value]
+            params = ["*%s" % escape_ldap_filter(value)]
         elif lookup_type == 'startswith':
-            params = ["%s*" % value]
+            params = ["%s*" % escape_ldap_filter(value)]
         elif lookup_type == 'exact':
-            params = [value]
+            params = [escape_ldap_filter(value)]
         elif lookup_type == 'in':
-            params = [v for v in value]
+            params = [escape_ldap_filter(v) for v in value]
         else:
             raise TypeError("Field has invalid lookup: %s" % lookup_type)