Escape LDAP filters characters in authentication method
authorThierry Florac <tflorac@ulthar.net>
Fri, 18 Jan 2019 13:42:21 +0100
changeset 44 b38760ada646
parent 43 5457f6fff2b5
child 45 0c46b2b740d7
Escape LDAP filter characters in authentication method
src/pyams_ldap/plugin.py
--- a/src/pyams_ldap/plugin.py	Fri Nov 16 15:19:21 2018 +0100
+++ b/src/pyams_ldap/plugin.py	Fri Jan 18 13:42:21 2019 +0100
@@ -13,25 +13,27 @@
 __docformat__ = 'restructuredtext'
 
 import logging
-logger = logging.getLogger('PyAMS (ldap)')
-
-import ldap3
 import re
 
-from pyams_ldap.interfaces import ILDAPPlugin, ILDAPUserInfo, ILDAPGroupInfo
-from pyams_mail.interfaces import IPrincipalMailInfo
-from zope.intid.interfaces import IIntIds
-
+import ldap3
 from beaker.cache import cache_region
+from ldap3.utils.conv import escape_filter_chars
 from persistent import Persistent
-from pyams_ldap.query import LDAPQuery
-from pyams_security.principal import PrincipalInfo
-from pyams_utils.adapter import adapter_config, ContextAdapter
-from pyams_utils.registry import query_utility
 from zope.container.contained import Contained
 from zope.interface import implementer
+from zope.intid.interfaces import IIntIds
 from zope.schema.fieldproperty import FieldProperty
 
+from pyams_ldap.interfaces import ILDAPGroupInfo, ILDAPPlugin, ILDAPUserInfo
+from pyams_ldap.query import LDAPQuery
+from pyams_mail.interfaces import IPrincipalMailInfo
+from pyams_security.principal import PrincipalInfo
+from pyams_utils.adapter import ContextAdapter, adapter_config
+from pyams_utils.registry import query_utility
+
+
+logger = logging.getLogger('PyAMS (ldap)')
+
 
 managers = {}
 
@@ -269,7 +271,7 @@
         conn = self.get_connection()
         search = LDAPQuery(self.base_dn, self.login_query, self.search_scope, (self.login_attribute,
                                                                                self.uid_attribute))
-        result = search.execute(conn, login=login, password=password)
+        result = search.execute(conn, login=escape_filter_chars(login))
         if not result or len(result) > 1:
             return None
         result = result[0]
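Review bot: The new `result = search.execute(conn, login=escape_filter_chars(login))` line also drops the `password=password` keyword that the removed line passed, which is a behaviour change beyond the escaping the commit message describes; if `LDAPQuery.execute` or `self.login_query` never consumed it the removal is fine, but that should be confirmed and stated in the description. The escaping itself is the right fix for a caller-supplied value interpolated into a search filter, and a why-comment would keep it from being "simplified" away later, e.g. `# login is caller-supplied: escape it so it cannot alter the filter built from self.login_query`. `escape_filter_chars` covers values used inside a filter assertion only; if `login_query` were ever to place the value in a DN, a DN-specific escape would be needed instead (the template is not visible here). Other lookups in this file that format a principal-supplied value into a query would presumably need the same treatment. The enclosing method starts before and ends after this hunk.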