
Incorrect unescaping of filter values

Open sbutler opened this issue 14 years ago • 1 comment

In "net/ldap/filter.rb", line 626 there is this function:

    # Converts escaped characters (e.g., "\28") to unescaped characters ("(").
    def unescape(right)
      right.gsub(/\\([a-fA-F\d]{2})/) { [$1.hex].pack("U") }
    end

That is the incorrect way to turn escaped values into their proper binary value. Specifically, packing as a UTF8 string is not desired. What should happen is:

    right.gsub(/\\([a-fA-F\d]{2})/) { $1.hex.chr }

Why? Suppose "right" has UTF8. Cases:

  • the byte sequence is already valid UTF8. There will be no escapes and this gsub block will never be called.
  • the byte sequence contains escaped UTF8 data. The data, escaped, is already a valid UTF8 string. Consider the user passes in 'r\C3\A9sum\C3\A9'. The '\C3\A9' is already the correct sequence for an "é" and all we have to do is unescape the bytes as is. Unescaping them using pack('U') would corrupt the string.

But suppose the user, like me, wants to pass in raw binary data such as a GUID '\00\5f\ce\cf\98\e4\d8\11\85\bd\00\00\5a\99\61\58'. Using pack('U') hopelessly corrupts this since each byte is not meant to be a UTF8 sequence. Instead, it should be passed along as is: $1.hex.chr.

sbutler avatar Aug 24 '11 23:08 sbutler
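As an added example (not code from the net-ldap project or from the reporter), the two unescape strategies are run side by side on the inputs the report discusses; the inputs are constructed, and the fixed variant works on a binary copy of the input, which is an assumption of this example rather than the reporter's exact one-liner.

```ruby
# Added example, not net-ldap's code: the two unescape strategies from the
# report, run side by side on the inputs it discusses.

# Buggy variant: each "\XX" becomes the UTF-8 encoding of *codepoint* XX,
# so any byte >= 0x80 turns into a two-byte sequence.
def unescape_with_pack_u(right)
  right.gsub(/\\([a-fA-F\d]{2})/) { [$1.hex].pack("U") }
end

# Proposed fix: each "\XX" becomes the single byte XX. The escaped input is
# plain ASCII, so work on a binary copy (assumption of this example); the
# caller decides afterwards whether the bytes are text (force_encoding) or
# an opaque value such as a GUID.
def unescape_to_bytes(right)
  right.b.gsub(/\\([a-fA-F\d]{2})/) { $1.hex.chr }
end

# Renders a string's raw bytes as space-separated hex for comparison.
def hex_dump(str)
  str.bytes.map { |b| format("%02x", b) }.join(" ")
end

# Constructed inputs: "résumé" with its UTF-8 bytes escaped, and a 16-byte
# GUID whose bytes are not UTF-8 at all.
RESUME_ESCAPED = 'r\C3\A9sum\C3\A9'
GUID_ESCAPED   = '\00\5f\ce\cf\98\e4\d8\11\85\bd\00\00\5a\99\61\58'

# Returns [hex of pack("U") result, hex of hex.chr result] for one input.
def compare(escaped)
  [hex_dump(unescape_with_pack_u(escaped)), hex_dump(unescape_to_bytes(escaped))]
end

if __FILE__ == $0
  [RESUME_ESCAPED, GUID_ESCAPED].each do |input|
    broken, fixed = compare(input)
    puts "input:    #{input}"
    puts "pack(U):  #{broken}"   # more bytes than escapes: high bytes doubled
    puts "hex.chr:  #{fixed}"    # exactly one byte per escape
  end
  # Text callers reinterpret the bytes once they know they are UTF-8.
  puts unescape_to_bytes(RESUME_ESCAPED).force_encoding("UTF-8")
end
```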

@sbutler thanks for reporting this. There are new active maintainers on this project. Would you be interested in submitting a pull request for this?

jch avatar Oct 31 '14 20:10 jch