mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

david_page
03.15.2007 a197c76352e378db4c83e8b941b4c71371601c01
Issue [1024] Invalid filters are not detected by ldapsearch

This change addresses one case of the problem identified in the issue. A check was added to detect and reject an LDAP filter enclosed in apostrophes (single-quotes), which occurs when ldapsearch is invoked on a Microsoft Windows system and the search filter has mistakenly been enclosed in apostrophes instead of quotation marks.

Issue 1565 has been opened to address the more general question of what constitutes a valid search filter, including the characters allowed in an attribute type.

Thanks to Andy Coulbeck for help analyzing the problem and designing a solution, and David Ely for reviewing the proposed change.
2 files modified
30 ■■■■■ changed files
opends/src/server/org/opends/server/messages/ProtocolMessages.java 18
opends/src/server/org/opends/server/protocols/ldap/LDAPFilter.java 12
opends/src/server/org/opends/server/messages/ProtocolMessages.java
@@ -4608,6 +4608,17 @@
  /**
   * The message ID for the message that will be used if an LDAP search filter
   * is enclosed in apostrophes ("single-quotes").
   * (FIXME -- This error is a workaround for
   * https://opends.dev.java.net/issues/show_bug.cgi?id=1024. A correct fix
   * is to validate the characters used in the attribute type.
   */
  public static final int MSGID_LDAP_FILTER_ENCLOSED_IN_APOSTROPHES =
       CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_MILD_ERROR | 427;
  /**
   * Associates a set of generic messages with the message IDs defined in this
   * class.
   */
@@ -6571,6 +6582,8 @@
                    "Unable to process the provided VLV response control " +
                    "because an error occurred while attempting to decode " +
                    "the control value:  %s");
   registerMessage(MSGID_GETEFFECTIVERIGHTS_INVALID_AUTHZID,
                    "The authorization ID \"%s\" contained in the " +
                     "geteffectiverights control is invalid because it does" +
@@ -6580,8 +6593,11 @@
             "request control:  %s");
    registerMessage(MSGID_CANNOT_DECODE_GETEFFECTIVERIGHTS_AUTHZID_DN,
                    "Unable to decode authzid DN string \"%s\" as a valid " +
                    "distinguished name:  %s"); }
                    "distinguished name:  %s");
    registerMessage(MSGID_LDAP_FILTER_ENCLOSED_IN_APOSTROPHES,
                    "An LDAP filter enclosed in apostrophes is invalid:  %s");
  }
}
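Review bot: The Javadoc on `MSGID_LDAP_FILTER_ENCLOSED_IN_APOSTROPHES` opens a parenthesis at `(FIXME` and never closes it. It also cites only issue 1024, while the commit description says the general question of what makes a valid search filter is tracked as Issue 1565. Ending the sentence with `is to validate the characters used in the attribute type; see Issue 1565.)` would tell a maintainer which issue has to land before this workaround message can be retired. The FIXME comment above the new check in LDAPFilter.java cites only 1024 as well and would benefit from the same pointer.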
opends/src/server/org/opends/server/protocols/ldap/LDAPFilter.java
@@ -360,6 +360,18 @@
      throw new LDAPException(LDAPResultCode.PROTOCOL_ERROR, msgID, message);
    }
    // If the filter is enclosed in a pair of apostrophes ("single-quotes") it
    // is invalid.
    // (FIXME -- This error is a workaround for
    //  https://opends.dev.java.net/issues/show_bug.cgi?id=1024. A correct fix
    // is to validate the characters used in the attribute type.)
    if (1 < filterString.length()
         && filterString.startsWith("'") && filterString.endsWith("'"))
    {
      int msgID = MSGID_LDAP_FILTER_ENCLOSED_IN_APOSTROPHES;
      String message = getMessage(msgID, filterString);
      throw new LDAPException(LDAPResultCode.PROTOCOL_ERROR, msgID, message);
    }
    // If the filter is surrounded by parentheses (which it should be), then
    // strip them off.
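Review bot: The new guard `filterString.startsWith("'") && filterString.endsWith("'")` fires only when the apostrophes are the very first and last characters. A value with surrounding whitespace, or an apostrophe on one side only, still falls through to the parsing below, which the FIXME says does not yet validate attribute-type characters. The start of the enclosing method is outside the hunk, so the string may already be trimmed there; if it is not, compare against the trimmed value, or have the comment state that only this exact shape is rejected. The commit's file list also contains no test file. A unit test that decodes a constructed sample such as `'(uid=x)'` and expects an `LDAPException` carrying `MSGID_LDAP_FILTER_ENCLOSED_IN_APOSTROPHES` would pin the rejection path, so the later general validation cannot silently drop it.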