Project

General

Profile

Actions

Bug #10765

open

Ampersands in ldap_extended_query are escaped twice

Added by Louis Sautier over 4 years ago. Updated over 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Start date:
07/15/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.4
Affected Architecture:
All

Description

Hello,
I recently ran into an issue with an LDAP server whose Query field contained an ampersand.

The field is set to

memberOf=CN=Some Group,OU=One & Two,DC=blah,DC=local

That results in
<ldap_extended_query><![CDATA[memberOf=CN=Some Group,OU=One &amp; Two,DC=blah,DC=local]]></ldap_extended_query>

in config.xml.

Re-writing the XML config with Python shows that & is escaped twice (once because of CDATA, once because of the HTML entities):

#!/usr/bin/env python3
import xml.etree.ElementTree as ET

xml = "<ldap_extended_query><![CDATA[memberOf=CN=Some Group,OU=One &amp; Two,DC=blah,DC=local]]></ldap_extended_query>" 
tree = ET.fromstring(xml)
print(ET.tostring(tree, encoding="unicode"))

Running the script results in

<ldap_extended_query>memberOf=CN=Some Group,OU=One &amp;amp; Two,DC=blah,DC=local</ldap_extended_query>

Both syntaxes should be equivalent. However, when the configuration is reloaded, the query (as shown in the WEB UI) becomes

memberOf=CN=Some Group,OU=One &amp; Two,DC=blah,DC=local

and is now invalid.

Actions #1

Updated by Louis Sautier over 4 years ago

Hello, I am surprised that this issue hasn't been assigned to anybody in 2 months. Is there anything I can do to give it more visibility? I can provide more info if required, just let me know.

The reason this is problematic is that every time I use this pfsense ansible module, I break my LDAP config because it rewrites the whole XML file.

Actions #2

Updated by Jim Pingle over 4 years ago

  • Category set to Authentication

That is an unsupported add-on, and a rare use case. You are welcome to submit a PR with a fix, but it's not something we would rush to direct resources to fix.

Actions

Also available in: Atom PDF