ruby-net-ldap icon indicating copy to clipboard operation
ruby-net-ldap copied to clipboard

Published 20 hours ago verified publisher icon ruby-ldap

Filter's objectGUID is incorrectly unescaped

Open mkarklins opened this issue 8 years ago • 2 comments

LDAP search is not working for one particular objectGUID, looking through the sent packets, it seems that two bytes have been dropped.

I believe the problem lies in how the objectGUID is being unescaped when converted to BER representation.

guid = "d07eb95c-3034-2b49-b744-32336fb46909"
guid_filter = Net::LDAP::Filter.eq("objectGUID", [guid.gsub("-", "")].pack("H*"))
guid_filter.to_ber
#=> "\xA3\x1C\x04\nobjectGUID\x04\x0E\xD0~\xB9\x04+I\xB7D23o\xB4i\t"
# It should be:
#=> "\xA3\x1C\x04\nobjectGUID\x04\x0E\xD0~\xB9\\04+I\xB7D23o\xB4i\t"

Notice that one of the backslashes has been changed to "x". It seems that the \04 has been unescaped.

This looks like the relevant line: https://github.com/ruby-ldap/ruby-net-ldap/blob/d78dc1ed51480f52117fd8be431de4fe8790b70f/lib/net/ldap/filter.rb#L526

Using: net-ldap-0.16.1

mkarklins avatar Nov 28 '17 17:11 mkarklins

Shouldn't you be using bineq rather than eq for that comparison? It wouldn't help :) but it should do... and it would do with this patch:

martind@balance:~$ diff -u /var/lib/gems/2.3.0/gems/net-ldap-0.16.1/lib/net/ldap/filter.rb{.orig,}
--- /var/lib/gems/2.3.0/gems/net-ldap-0.16.1/lib/net/ldap/filter.rb.orig	2018-01-30 12:15:36.327745321 -0800
+++ /var/lib/gems/2.3.0/gems/net-ldap-0.16.1/lib/net/ldap/filter.rb	2018-01-30 12:15:58.763041272 -0800
@@ -527,7 +527,7 @@
       end
     when :bineq
       # make sure data is not forced to UTF-8
-      [@left.to_s.to_ber, unescape(@right).to_ber_bin].to_ber_contextspecific(3)
+      [@left.to_s.to_ber, @right.to_ber_bin].to_ber_contextspecific(3)
     when :ex
       seq = []
 
martind@balance:~$

Now to write my code so that it works in the presence of this bug and after its fix, argh...

martindorey avatar Jan 30 '18 20:01 martindorey

What's that, Skippy, bineq isn't documented? Perhaps, like me, you Googled your way to the plausible-looking URL http://www.rubydoc.info/gems/ruby-net-ldap/Net/LDAP/Filter, where there's just a tiny clue near the top that you're looking at a version from 2006:

Libraries » ruby-net-ldap (0.0.4) » Index (F) » Net » LDAP » Filter

Where you want to be, for eg documentation of bineq, is http://www.rubydoc.info/github/ruby-ldap/ruby-net-ldap/Net/LDAP/Filter or http://www.rubydoc.info/gems/net-ldap/Net/LDAP/Filter. I reported it as https://rubydoc.tenderapp.com/discussions/problems/576-ruby-net-ldap-documentation.

martindorey avatar Jan 30 '18 21:01 martindorey