mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
14 lines
524 B
Python
14 lines
524 B
Python
# Safe: user-supplied substring run through `escape_filter_chars` (RFC 4515)
|
|
# before being concatenated into the filter. The sanitizer clears the
|
|
# LDAP_INJECTION cap so the sink does not fire.
|
|
import ldap
|
|
from ldap.filter import escape_filter_chars
|
|
from flask import request
|
|
|
|
|
|
def lookup():
|
|
conn = ldap.initialize("ldap://example.com")
|
|
user = request.form["user"]
|
|
safe = escape_filter_chars(user)
|
|
flt = "(uid=" + safe + ")"
|
|
return conn.search_s("ou=people,dc=example,dc=com", ldap.SCOPE_SUBTREE, flt)
|