How to escape a string in C#, for use in an LDAP q

2019-01-22 14:33发布

站内问答 / C#
1419 6 4

I have an LDAP query, which I am using to perform a search in C#. It uses two string variables (username and domain) which need to be escaped for security reasons.

How should I escape the strings? Is there a function available in C#.NET to do this?

Example LDAP search conditions :

(objectCategory=person)
(userprincipalname=username@domain*)
(samaccountname=username)

Example LDAP query string in C# :

string search = "(&(&(objectCategory=person)(userprincipalname=" 
        + username 
        + "@"
        + domain 
        + "*)(samaccountname=" 
        + username 
        + ")))";

Edit: I already have the LDAP query working, and returning results. All I want is to escape the parameters.

6条回答
你好瞎i
2楼-- · 2019-01-22 14:45

I found a solution here, in a blog post about LDAP Injection

This solution involves adding your own function to escape the username and domain name, his solution is in Java, but the idea is there.

Also MSDN lists which special characters need to be replaced by escape sequences.

As far as I can tell there doesn't seem to be any method for escaping LDAP strings in System.DirectoryServices (like there is in HttpServerUtility for URLs etc)

查看更多
0人赞 添加讨论(0) 举报
Explosion°爆炸
3楼-- · 2019-01-22 14:52

Maybe let somebody else worry about it? See LINQtoAD.

查看更多
0人赞 添加讨论(0) 举报
Rolldiameter
4楼-- · 2019-01-22 14:56

Use AntiXss library from address: https://www.nuget.org/packages/AntiXss 

string encoded = Microsoft.Security.Application.Encoder.LdapFilterEncode(input);
查看更多
0人赞 添加讨论(0) 举报
Viruses.
5楼-- · 2019-01-22 15:04

The following is my translation from the Java code mentioned by Sophia into C#.

/// <summary>
/// Escapes the LDAP search filter to prevent LDAP injection attacks.
/// </summary>
/// <param name="searchFilter">The search filter.</param>
/// <see cref="https://blogs.oracle.com/shankar/entry/what_is_ldap_injection" />
/// <see cref="http://msdn.microsoft.com/en-us/library/aa746475.aspx" />
/// <returns>The escaped search filter.</returns>
private static string EscapeLdapSearchFilter(string searchFilter)
{
    StringBuilder escape = new StringBuilder(); // If using JDK >= 1.5 consider using StringBuilder
    for (int i = 0; i < searchFilter.Length; ++i)
    {
        char current = searchFilter[i];
        switch (current)
        {
            case '\\':
                escape.Append(@"\5c");
                break;
            case '*':
                escape.Append(@"\2a");
                break;
            case '(':
                escape.Append(@"\28");
                break;
            case ')':
                escape.Append(@"\29");
                break;
            case '\u0000':
                escape.Append(@"\00");
                break;
            case '/':
                escape.Append(@"\2f");
                break;
            default:
                escape.Append(current);
                break;
        }
    }

    return escape.ToString();
}
查看更多
0人赞 添加讨论(0) 举报
够拽才男人
6楼-- · 2019-01-22 15:05

Are you trying to prevent some sort of injection attack against your directory server via user input? If that is the case I would just validate the input with Regex before passing it to LDAP.

查看更多
0人赞 添加讨论(0) 举报
贼婆χ
7楼-- · 2019-01-22 15:08

Use PInvoke with DsQuoteRdnValueW. For code, see my answer to another question: https://stackoverflow.com/a/11091804/628981

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)