I have an LDAP query, which I am using to perform a search in C#. It uses two string variables (username and domain) which need to be escaped for security reasons.
我有一个LDAP查询,我用它来在C#中执行搜索。它使用两个字符串变量(用户名和域),出于安全原因需要对其进行转义。
How should I escape the strings? Is there a function available in C#.NET to do this?
我该怎么逃避弦乐? C#.NET中是否有可用的功能来执行此操作?
Example LDAP search conditions :
示例LDAP搜索条件:
(objectCategory=person)
(userprincipalname=username@domain*)
(samaccountname=username)
Example LDAP query string in C# :
C#中的LDAP查询字符串示例:
string search = "(&(&(objectCategory=person)(userprincipalname="
+ username
+ "@"
+ domain
+ "*)(samaccountname="
+ username
+ ")))";
Edit: I already have the LDAP query working, and returning results. All I want is to escape the parameters.
编辑:我已经有LDAP查询工作,并返回结果。我想要的只是逃避参数。
6 个解决方案
#1
25
The following is my translation from the Java code mentioned by Sophia into C#.
以下是我从Sophia提到的Java代码到C#的翻译。
/// <summary>
/// Escapes the LDAP search filter to prevent LDAP injection attacks.
/// </summary>
/// <param name="searchFilter">The search filter.</param>
/// <see cref="https://blogs.oracle.com/shankar/entry/what_is_ldap_injection" />
/// <see cref="http://msdn.microsoft.com/en-us/library/aa746475.aspx" />
/// <returns>The escaped search filter.</returns>
private static string EscapeLdapSearchFilter(string searchFilter)
{
StringBuilder escape = new StringBuilder(); // If using JDK >= 1.5 consider using StringBuilder
for (int i = 0; i < searchFilter.Length; ++i)
{
char current = searchFilter[i];
switch (current)
{
case '\\':
escape.Append(@"\5c");
break;
case '*':
escape.Append(@"\2a");
break;
case '(':
escape.Append(@"\28");
break;
case ')':
escape.Append(@"\29");
break;
case '\u0000':
escape.Append(@"\00");
break;
case '/':
escape.Append(@"\2f");
break;
default:
escape.Append(current);
break;
}
}
return escape.ToString();
}
#2
5
I found a solution here, in a blog post about LDAP Injection
我在一篇关于LDAP注入的博客文章中找到了解决方案
This solution involves adding your own function to escape the username and domain name, his solution is in Java, but the idea is there.
这个解决方案涉及添加自己的函数来逃避用户名和域名,他的解决方案是Java,但想法就在那里。
Also MSDN lists which special characters need to be replaced by escape sequences.
MSDN还列出了转义序列需要替换哪些特殊字符。
As far as I can tell there doesn't seem to be any method for escaping LDAP strings in System.DirectoryServices (like there is in HttpServerUtility for URLs etc)
据我所知,似乎没有任何方法可以在System.DirectoryServices中转义LDAP字符串(就像HttpServerUtility中的URL等)
#4
2
Are you trying to prevent some sort of injection attack against your directory server via user input? If that is the case I would just validate the input with Regex before passing it to LDAP.
您是否试图通过用户输入阻止对目录服务器的某种注入攻击?如果是这种情况,我会在将输入传递给LDAP之前使用Regex验证输入。
#5
2
Use AntiXss library from address: https://www.nuget.org/packages/AntiXss
使用地址:https://www.nuget.org/packages/AntiXss中的AntiXss库
string encoded = Microsoft.Security.Application.Encoder.LdapFilterEncode(input);
#6
0
Use PInvoke with DsQuoteRdnValueW. For code, see my answer to another question: https://*.com/a/11091804/628981
将PInvoke与DsQuoteRdnValueW一起使用。有关代码,请参阅我对其他问题的回答:https://*.com/a/11091804/628981
#1
25
The following is my translation from the Java code mentioned by Sophia into C#.
以下是我从Sophia提到的Java代码到C#的翻译。
/// <summary>
/// Escapes the LDAP search filter to prevent LDAP injection attacks.
/// </summary>
/// <param name="searchFilter">The search filter.</param>
/// <see cref="https://blogs.oracle.com/shankar/entry/what_is_ldap_injection" />
/// <see cref="http://msdn.microsoft.com/en-us/library/aa746475.aspx" />
/// <returns>The escaped search filter.</returns>
private static string EscapeLdapSearchFilter(string searchFilter)
{
StringBuilder escape = new StringBuilder(); // If using JDK >= 1.5 consider using StringBuilder
for (int i = 0; i < searchFilter.Length; ++i)
{
char current = searchFilter[i];
switch (current)
{
case '\\':
escape.Append(@"\5c");
break;
case '*':
escape.Append(@"\2a");
break;
case '(':
escape.Append(@"\28");
break;
case ')':
escape.Append(@"\29");
break;
case '\u0000':
escape.Append(@"\00");
break;
case '/':
escape.Append(@"\2f");
break;
default:
escape.Append(current);
break;
}
}
return escape.ToString();
}
#2
5
I found a solution here, in a blog post about LDAP Injection
我在一篇关于LDAP注入的博客文章中找到了解决方案
This solution involves adding your own function to escape the username and domain name, his solution is in Java, but the idea is there.
这个解决方案涉及添加自己的函数来逃避用户名和域名,他的解决方案是Java,但想法就在那里。
Also MSDN lists which special characters need to be replaced by escape sequences.
MSDN还列出了转义序列需要替换哪些特殊字符。
As far as I can tell there doesn't seem to be any method for escaping LDAP strings in System.DirectoryServices (like there is in HttpServerUtility for URLs etc)
据我所知,似乎没有任何方法可以在System.DirectoryServices中转义LDAP字符串(就像HttpServerUtility中的URL等)
#3
#4
2
Are you trying to prevent some sort of injection attack against your directory server via user input? If that is the case I would just validate the input with Regex before passing it to LDAP.
您是否试图通过用户输入阻止对目录服务器的某种注入攻击?如果是这种情况,我会在将输入传递给LDAP之前使用Regex验证输入。
#5
2
Use AntiXss library from address: https://www.nuget.org/packages/AntiXss
使用地址:https://www.nuget.org/packages/AntiXss中的AntiXss库
string encoded = Microsoft.Security.Application.Encoder.LdapFilterEncode(input);
#6
0
Use PInvoke with DsQuoteRdnValueW. For code, see my answer to another question: https://*.com/a/11091804/628981
将PInvoke与DsQuoteRdnValueW一起使用。有关代码,请参阅我对其他问题的回答:https://*.com/a/11091804/628981