How to escape a string in C#, for use in an LDAP query

囚心锁ツ 2020-12-14 10:00

I have an LDAP query, which I am using to perform a search in C#. It uses two string variables (username and domain) which need to be escaped for security reasons.

H

6 answers
  • 2020-12-14 10:14

    Use the AntiXss library from https://www.nuget.org/packages/AntiXss

    string encoded = Microsoft.Security.Application.Encoder.LdapFilterEncode(input);
    
  • 2020-12-14 10:21

    I found a solution here, in a blog post about LDAP Injection

    This solution involves adding your own function to escape the username and domain name; his solution is in Java, but the idea is there.

    Also MSDN lists which special characters need to be replaced by escape sequences.

    As far as I can tell there doesn't seem to be any method for escaping LDAP strings in System.DirectoryServices (like there is in HttpServerUtility for URLs etc.).

  • 2020-12-14 10:24

    Maybe let somebody else worry about it? See LINQtoAD.

  • 2020-12-14 10:32

    Use PInvoke with DsQuoteRdnValueW. For code, see my answer to another question: https://stackoverflow.com/a/11091804/628981

  • 2020-12-14 10:33

    Are you trying to prevent some sort of injection attack against your directory server via user input? If that is the case I would just validate the input with Regex before passing it to LDAP.

  • 2020-12-14 10:40

    The following is my translation from the Java code mentioned by Sophia into C#.

    using System.Text;

    /// <summary>
    /// Escapes the LDAP search filter to prevent LDAP injection attacks.
    /// </summary>
    /// <param name="searchFilter">The search filter.</param>
    /// <see href="https://blogs.oracle.com/shankar/entry/what_is_ldap_injection" />
    /// <see href="http://msdn.microsoft.com/en-us/library/aa746475.aspx" />
    /// <returns>The escaped search filter.</returns>
    private static string EscapeLdapSearchFilter(string searchFilter)
    {
        StringBuilder escape = new StringBuilder(); // C# counterpart of the Java StringBuffer in the original
        for (int i = 0; i < searchFilter.Length; ++i)
        {
            char current = searchFilter[i];
            switch (current)
            {
                case '\\':          // backslash: escaped so the other escapes cannot be undone
                    escape.Append(@"\5c");
                    break;
                case '*':           // wildcard
                    escape.Append(@"\2a");
                    break;
                case '(':           // filter grouping
                    escape.Append(@"\28");
                    break;
                case ')':
                    escape.Append(@"\29");
                    break;
                case '\u0000':      // NUL
                    escape.Append(@"\00");
                    break;
                case '/':           // not in the RFC 4515 required set; kept from the original, harmless
                    escape.Append(@"\2f");
                    break;
                default:
                    escape.Append(current);
                    break;
            }
        }

        return escape.ToString();
    }
    
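As an added example (not from the question or any of the answers above), here is how the two variables from the question would be escaped and placed into a filter. It assumes the RFC 4515 escape set (backslash, `*`, `(`, `)`, NUL) and a hypothetical filter shape matching a user by sAMAccountName within a userPrincipalName domain; the only wildcard left unescaped is the one the developer writes, not the user-supplied values.

```csharp
using System;
using System.Text;

// Added example, not code from the question or the answers.
public static class LdapFilterExample
{
    // Escape the five characters RFC 4515 requires to be escaped inside a
    // filter assertion value: \ * ( ) and NUL. Each becomes \XX (hex of the byte).
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Hypothetical filter shape (assumption): match a user by sAMAccountName
    // whose userPrincipalName ends in "@<domain>". Only the user-controlled
    // values are escaped; the "*@" wildcard is the developer's own and stays.
    public static string BuildUserFilter(string username, string domain)
    {
        return "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(username) +
               ")(userPrincipalName=*@" + EscapeFilterValue(domain) + "))";
    }

    public static void Main()
    {
        // Constructed sample inputs; the second one carries filter metacharacters.
        Console.WriteLine(BuildUserFilter("j.smith", "example.com"));
        Console.WriteLine(BuildUserFilter("j.smith*)", "example.com"));
        // In the second filter the ')' and '*' from the username appear as
        // \29 and \2a inside the assertion value, so the parenthesis structure
        // of the filter is unchanged and the value is matched literally.
    }
}
```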