Question

Here are the characters which I'm pretty sure need escaping thus far:

  • \r
  • \n
  • \
  • ,
  • ;
  • "
  • '
  • [
  • ]
  • >
  • <
  • +

I've combed through the internet, and haven't found a (comprehensive) list.

While I'm aware I could carefully comb through all the relevant RFCs, I:

  1. Don't trust myself to find everything,
  2. Don't have the time, and
  3. Am pretty sure this is something someone out there has memorized already.

EDIT:

Oh, and here's where I got some of the values in that list.

Solution

UPDATE!

Found the list serendipitously here.

It's worth noting that, implicit in this linked list (heh... 'linked list') is the assumption that you're limited to a certain character set, so it misses a few things. Namely, it misses the single most dangerous character to not escape: linefeed. While it is possible to store linefeeds, if left unescaped the user can inject arbitrary LDIF. As such, the solution that seems to make the most sense is to:

  • base64 encode all values containing characters outside the ASCII character set or containing control chars (pretty easy to detect using regexes; there are regex shorthand ways of expressing 'ASCII characters' and 'control chars', although since the non-control ASCII characters are all in a contiguous block, you can just use a regex for that range instead; although literate programming says you shouldn't, and it also increases margin of error), and use the :: syntax to indicate that's what you're doing, then
  • if not base64 encoded, use the escape sequences provided below (although you won't need the {\0} escape, for obvious reasons), and finally...
  • test this on your system. The base64 escaping thing is pretty airtight, but it would be a good idea to create users with every field filled with the entire non-control ASCII character set, then load those users and check that everything's OK. I have yet to do this step, so don't assume that this is a perfect solution. Additionally, the software you use to parse LDIF may not conform perfectly to the spec, or may have additional issues with it that make this problematic, so even if this IS perfect, YMMV.

(Copypasta'd below is the important part from the link in case the link goes AWOL.)

Mitigation

The escape sequence for properly using user-supplied input in LDAP differs depending on whether the user input is used to create the DN (Distinguished Name) or used as part of the search filter. The listings below show the characters that need to be escaped and the appropriate escape method for each case.

Used in DN - Requires \ escape

  • &
  • !
  • |
  • =
  • <
  • >
  • ,
  • +
  • -
  • "
  • '
  • ;

Used in Filter - Requires {\ASCII} escape

  • (      {\28}
  • )      {\29}
  • \      {\5c}
  • *      {\2a}
  • /      {\2f}
  • NUL    {\0}
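An added example, not code from the question or the answer above: Python helpers that apply the three rules this page discusses, DN value escaping (RFC 4514), filter value escaping (RFC 4515, the `\XX` form the list above writes as `{\XX}`), and the LDIF rule from RFC 2849 that the answer recommends (plain `attr: value` only for printable ASCII, otherwise base64 after `attr:: `). The character sets come from the lists above; the function names and sample values are my own.

```python
import base64

# RFC 4514 single-character escapes. The DN list above also names & ! | = - ';
# those (and control characters) are emitted as \XX hex pairs, which RFC 4514
# accepts for any byte, so the output stays valid for strict parsers.
_DN_BACKSLASH = set(',+"\\<>;')
_DN_EXTRA = set("&!|=-'")
_FILTER_ESCAPE = set("()\\*/")  # RFC 4515 set plus '/', as listed on this page


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_BACKSLASH:
            out.append("\\" + ch)
        elif ch in _DN_EXTRA or ord(ch) < 0x20:          # NUL becomes \00
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        elif i == 0 and ch in " #":                      # leading space or '#'
            out.append("\\" + ch)
        elif i == len(value) - 1 and ch == " ":          # trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 \\XX form).
    Non-ASCII bytes are hex-escaped too, so the filter is pure ASCII."""
    out = []
    for b in value.encode("utf-8"):
        if chr(b) in _FILTER_ESCAPE or b < 0x20 or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def ldif_attr(name: str, value: str) -> str:
    """One LDIF line. Plain 'attr: value' only when the value is printable ASCII
    and does not start with space, ':' or '<' or end with a space (RFC 2849
    SAFE-STRING plus the trailing-space note); otherwise 'attr:: <base64>'."""
    printable = all(0x20 <= ord(c) <= 0x7E for c in value)
    safe = (printable and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
```

A linefeed in a value therefore never reaches the LDIF stream unencoded, which is the injection the answer warns about.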
Licensed under: CC-BY-SA with attribution