[
https://issues.apache.org/jira/browse/DIRSHARED-143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13489980#comment-13489980
]
Stefan Seelmann commented on DIRSHARED-143:
-------------------------------------------
I'd suggest something like "filter template and arguments" in JNDI (see
http://docs.oracle.com/javase/jndi/tutorial/ldap/search/search.html, topic
"Using String Filters with Arguments").
The idea is to define the filter template with placeholders and to escape the
arguments (which are probably entered by user of an application) before
replacing the placeholders. Special chars in the template string are preserved,
but special chars in the arguments are escaped.
{code}
String filterTemplate = "(&(cn=*{0}*)(uid=*{1}*))";
String[] args = {"f**", "(bar)"};
String filter = LdapEncoder.format(filterTemplate, args);
// => (&(cn=*f\2a\2a*)(uid=*\28bar\29*))
{code}
> Provide helper method to escape characters to be used in LDAP Filter literal
> ----------------------------------------------------------------------------
>
> Key: DIRSHARED-143
> URL: https://issues.apache.org/jira/browse/DIRSHARED-143
> Project: Directory Shared
> Issue Type: Improvement
> Affects Versions: 1.0.0-M13
> Reporter: Hendy Irawan
>
> In order to prevent malicious injection, user-provided input must be escaped
> (the 5 restricted characters) before being put in LDAP filter.
> Provide a helper static method to make it convenient and available as public
> API.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
