From 41c3c7b29c22878ee96cf1f210c1c93c356a1bab Mon Sep 17 00:00:00 2001
From: Reto Kupferschmid
Date: Fri, 28 Oct 2022 10:27:06 +0200
Subject: [PATCH 1/6] escape ldap search filter
---
 plugins/modules/ldap_attrs.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugins/modules/ldap_attrs.py b/plugins/modules/ldap_attrs.py
index 97275c45d51..9cbf8f6ebf5 100644
--- a/plugins/modules/ldap_attrs.py
+++ b/plugins/modules/ldap_attrs.py
@@ -176,6 +176,7 @@ LDAP_IMP_ERR = None
 try:
 import ldap
+ import ldap.filter
 HAS_LDAP = True
 except ImportError:
@@ -264,7 +265,7 @@ def exact(self):
 def _is_value_present(self, name, value):
 """ True if the target attribute has the given value. """
 try:
- filterstr = "(%s=%s)" % (name, value.decode())
+ filterstr = "(%s=%s)" % (name, ldap.filter.escape_filter_chars(value.decode()))
 dns = self.connection.search_s(self.dn, ldap.SCOPE_BASE, filterstr)
 is_present = len(dns) == 1
 except ldap.NO_SUCH_OBJECT:
From d68c6fe68eb837949b59b10f30e0a3779f84b200 Mon Sep 17 00:00:00 2001
From: Reto Kupferschmid
Date: Fri, 28 Oct 2022 10:39:53 +0200
Subject: [PATCH 2/6] move escape to separate line
---
 plugins/modules/ldap_attrs.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugins/modules/ldap_attrs.py b/plugins/modules/ldap_attrs.py
index 9cbf8f6ebf5..37a98ecedb7 100644
--- a/plugins/modules/ldap_attrs.py
+++ b/plugins/modules/ldap_attrs.py
@@ -265,7 +265,8 @@ def exact(self):
 def _is_value_present(self, name, value):
 """ True if the target attribute has the given value. """
 try:
- filterstr = "(%s=%s)" % (name, ldap.filter.escape_filter_chars(value.decode()))
+ escaped_value = ldap.filter.escape_filter_chars(value)
+ filterstr = "(%s=%s)" % (name, escaped_value.decode())
 dns = self.connection.search_s(self.dn, ldap.SCOPE_BASE, filterstr)
 is_present = len(dns) == 1
 except ldap.NO_SUCH_OBJECT:
From 622f3dae58e85c19d3fc440d78f5b0e3bf0bcadc Mon Sep 17 00:00:00 2001
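Review bot: `name` is still interpolated into `filterstr` unescaped in `_is_value_present`, so only the assertion value is protected from being parsed as filter syntax; that half of the line stays the same through PATCH 2/6, 5/6 and 6/6. Where `name` comes from is outside this hunk, but if it is taken from the task's attribute keys, a key containing `(`, `)` or `*` would still reshape the filter or raise the same `Bad search filter` error. `escape_filter_chars` is meant for assertion values, so the attribute name is better validated than escaped, for example by failing the task before the filter is built when it does not match `^[A-Za-z0-9][A-Za-z0-9.;-]*$`. A comment on the escaping line would also help the next reader: `# RFC 4515: escape the value so *, ( ) and \ match literally instead of acting as wildcard or filter syntax`. The function body continues past the end of the hunk.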
From: Reto Kupferschmid
Date: Fri, 28 Oct 2022 10:40:08 +0200
Subject: [PATCH 3/6] add changelog fragment
---
 changelogs/fragments/5435-escape-ldap-param.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 changelogs/fragments/5435-escape-ldap-param.yml
diff --git a/changelogs/fragments/5435-escape-ldap-param.yml b/changelogs/fragments/5435-escape-ldap-param.yml
new file mode 100644
index 00000000000..a4bece4b9d1
--- /dev/null
+++ b/changelogs/fragments/5435-escape-ldap-param.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - ldap_attrs - fix bug which caused a `Bad search filter` error. The error was occuring when the ldap attribute value contained special characters such as `(` or `*`
From d7a56f68ae9ef41a1bb83817a54c01d120f538d8 Mon Sep 17 00:00:00 2001
From: Reto Kupferschmid
Date: Fri, 28 Oct 2022 14:27:44 +0200
Subject: [PATCH 4/6] Update changelogs/fragments/5435-escape-ldap-param.yml
Co-authored-by: Felix Fontein
---
 changelogs/fragments/5435-escape-ldap-param.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelogs/fragments/5435-escape-ldap-param.yml b/changelogs/fragments/5435-escape-ldap-param.yml
index a4bece4b9d1..3f22f617596 100644
--- a/changelogs/fragments/5435-escape-ldap-param.yml
+++ b/changelogs/fragments/5435-escape-ldap-param.yml
@@ -1,2 +1,2 @@
 bugfixes:
- - ldap_attrs - fix bug which caused a `Bad search filter` error. The error was occuring when the ldap attribute value contained special characters such as `(` or `*`
+ - ldap_attrs - fix bug which caused a ``Bad search filter`` error. The error was occuring when the ldap attribute value contained special characters such as ``(`` or ``*`` (https://github.com/ansible-collections/community.general/issues/5434, https://github.com/ansible-collections/community.general/pull/5435).
From 9ebe7cb3aae8ad7c36794f3264ec9d100e56fa8b Mon Sep 17 00:00:00 2001
From: Reto Kupferschmid
Date: Fri, 28 Oct 2022 16:12:25 +0200
Subject: [PATCH 5/6] fix encoding
---
 plugins/modules/ldap_attrs.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/modules/ldap_attrs.py b/plugins/modules/ldap_attrs.py
index 37a98ecedb7..6ac6776a7a5 100644
--- a/plugins/modules/ldap_attrs.py
+++ b/plugins/modules/ldap_attrs.py
@@ -265,8 +265,8 @@ def exact(self):
 def _is_value_present(self, name, value):
 """ True if the target attribute has the given value. """
 try:
- escaped_value = ldap.filter.escape_filter_chars(value)
- filterstr = "(%s=%s)" % (name, escaped_value.decode())
+ escaped_value = ldap.filter.escape_filter_chars(value.decode('utf-8'))
+ filterstr = "(%s=%s)" % (name, escaped_value)
 dns = self.connection.search_s(self.dn, ldap.SCOPE_BASE, filterstr)
 is_present = len(dns) == 1
 except ldap.NO_SUCH_OBJECT:
From a0df4f3c3eb2f0a0d4079a87a2e4e8ffa7f3f3b0 Mon Sep 17 00:00:00 2001
From: Reto Kupferschmid
Date: Sat, 29 Oct 2022 12:34:02 +0200
Subject: [PATCH 6/6] fixup! fix encoding
---
 plugins/modules/ldap_attrs.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/modules/ldap_attrs.py b/plugins/modules/ldap_attrs.py
index 6ac6776a7a5..61ae291956f 100644
--- a/plugins/modules/ldap_attrs.py
+++ b/plugins/modules/ldap_attrs.py
@@ -168,7 +168,7 @@ import traceback
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
-from ansible.module_utils.common.text.converters import to_native, to_bytes
+from ansible.module_utils.common.text.converters import to_native, to_bytes, to_text
 from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs
 import re
@@ -265,7 +265,7 @@ def exact(self):
 def _is_value_present(self, name, value):
 """ True if the target attribute has the given value. """
 try:
- escaped_value = ldap.filter.escape_filter_chars(value.decode('utf-8'))
+ escaped_value = ldap.filter.escape_filter_chars(to_text(value))
 filterstr = "(%s=%s)" % (name, escaped_value)
 dns = self.connection.search_s(self.dn, ldap.SCOPE_BASE, filterstr)
 is_present = len(dns) == 1
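Review bot: `to_text(value)` on the new `escaped_value` line assumes the attribute value is UTF-8 text, which does not hold for binary attributes such as certificates or photos. For bytes that are not valid UTF-8 the result presumably depends on Ansible's default error handler, and the decoded string may no longer encode back to the original octets when the filter is sent, so the presence check can fail or compare the wrong value. Escaping at the byte level avoids the decode altogether: `escaped_value = ''.join('\\%02x' % b for b in bytearray(to_bytes(value)))` writes every octet in the `\XX` form RFC 4515 allows and handles text and binary values the same way. If binary values are deliberately unsupported, the docstring of `_is_value_present` should say so. The function body continues after the last line of the hunk.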