Handle CR and LF characters

2017-09-20 15:25:30 -07:00 · 2017-09-20 15:25:30 -07:00 · f610fea777
commit f610fea777
parent 1e7ff892c0
2 changed files with 15 additions and 1 deletions
--- a/lib/gitlab/ldap/dn.rb
+++ b/lib/gitlab/ldap/dn.rb
@ -225,6 +225,12 @@ module Gitlab
      # if necessary (i.e. leading or trailing space).
      NORMAL_ESCAPES = [',', '+', '"', '\\', '<', '>', ';', '=']

+      # The following must be represented as escaped hex
+      HEX_ESCAPES = {
+        "\n" => '\0a',
+        "\r" => '\0d'
+      }
+
      # Compiled character class regexp using the keys from the above hash, and
      # checking for a space or # at the start, or space at the end, of the
      # string.
@ -232,10 +238,15 @@ module Gitlab
                             NORMAL_ESCAPES.map { |e| Regexp.escape(e) }.join +
                             "])")

+      HEX_ESCAPE_RE = Regexp.new("([" +
+                             HEX_ESCAPES.keys.map { |e| Regexp.escape(e) }.join +
+                             "])")
+
      ##
      # Escape a string for use in a DN value
      def self.escape(string)
-        string.gsub(ESCAPE_RE) { |char| "\\" + char }
+        escaped = string.gsub(ESCAPE_RE) { |char| "\\" + char }
+        escaped.gsub(HEX_ESCAPE_RE) { |char| HEX_ESCAPES[char] }
      end

      ##
--- a/spec/lib/gitlab/ldap/dn_spec.rb
+++ b/spec/lib/gitlab/ldap/dn_spec.rb
@ -31,6 +31,9 @@ describe Gitlab::LDAP::DN do
      'converts an escaped hex equal sign to an escaped equal sign in an attribute value'            | 'uid= foo  \\3D  bar'                                                                                 | 'uid=foo  \\=  bar'
      'does not modify an escaped comma in an attribute value'                                       | 'uid= John C. Smith, ou=San Francisco\\, CA'                                                          | 'uid=john c. smith,ou=san francisco\\, ca'
      'converts an escaped hex comma to an escaped comma in an attribute value'                      | 'uid= John C. Smith, ou=San Francisco\\2C CA'                                                         | 'uid=john c. smith,ou=san francisco\\, ca'
+      'does not modify an escaped hex carriage return character in an attribute value'               | 'uid= John C. Smith, ou=San Francisco\\,\\0DCA'                                                       | 'uid=john c. smith,ou=san francisco\\,\\0dca'
+      'does not modify an escaped hex line feed character in an attribute value'                     | 'uid= John C. Smith, ou=San Francisco\\,\\0ACA'                                                       | 'uid=john c. smith,ou=san francisco\\,\\0aca'
+      'does not modify an escaped hex CRLF in an attribute value'                                    | 'uid= John C. Smith, ou=San Francisco\\,\\0D\\0ACA'                                                   | 'uid=john c. smith,ou=san francisco\\,\\0d\\0aca'
    end

    with_them do