[scim] Escape search filter values
Mark Dobrinic <mark.dobrinic@curity.io> Wed, 03 October 2018 15:37 UTC
Return-Path: <mark.dobrinic@curity.io>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 983AA1312D3 for <scim@ietfa.amsl.com>; Wed, 3 Oct 2018 08:37:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T9irFSDxnxOZ for <scim@ietfa.amsl.com>; Wed, 3 Oct 2018 08:37:16 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E212D1312E7 for <scim@ietf.org>; Wed, 3 Oct 2018 08:37:15 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id n1-v6so6656402wrt.10 for <scim@ietf.org>; Wed, 03 Oct 2018 08:37:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity-io.20150623.gappssmtp.com; s=20150623; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding:content-language; bh=kuDb4BwHXBXm8vY7CDDPsCwtmoFbZ4o5h88PI3+/N4E=; b=qC9A8RbGaLwZgDrX/vS5W3dbFCgVX0/R2TJsySPTLpJ6OyKW2bwp1B1cHXF+seeUWq rCHUzTS4IpeZMpuDxD12CvHTSHmBjaw794F8l0Xxxi7LSX3QBCiY2ITJsqSrQyrw9g8l CfV086z6cNAbuvap1Z2Qp5s2WYCb0NFLGJgmgMxf0U70AzQOdySWpYxsEzMnlycTNdV5 vyytqki52prLXag6tFaEohjNi00aLRigva1q7N+4ftMhxox02cXIT4EdLgC3VD0s3kmM jWtWv12M3Hy3WWmPRyaH0iO4l0mhlPdSRxtJy05KtSPcyfqZLGpfyqUeV/Yj+jUkP9Hn PIUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding:content-language; bh=kuDb4BwHXBXm8vY7CDDPsCwtmoFbZ4o5h88PI3+/N4E=; b=IYWjX67YET9poFVcPaTs3q42hejpqB9evjjOr09i3oDrRDXdZTQVp6DjQ3hhDYNaI5 P92X06Bu18inrtWdeBs/huf+0kM3Vx7ApZ9qo/dBkPs9nnPJKhyq/57SMFcLwjPTQJx4 ars3KlEQxQ76KnZR6yEHEXncVw5hCrPJnXDnRDotTMTNnh7SyziTF5JeejKN58OO+oOQ AxNlri0EwCN3OOprBiFOSTOxwBxpBaC2q6/ThzSKAZOzZkKdZdp2jrOaX1ZXbAdKdnfU cm8Gu5neu6cW8tNiH/DkcVH60viwXCyef6BLEGQgoZcqPOFbzU3vE4hkIF68nHgA6dd8 1dlg==
X-Gm-Message-State: ABuFfogAz5fWnYeAMnGtBdnF5xKAAVk+hiRX4iaEbaNsFeM5WymUD5VQ topr0kRhRDH3FVXDOhg9uKjsOIKQK78=
X-Google-Smtp-Source: ACcGV63wyuVJFqwl3OgLgtIueMu7tpyBjfT0BrxA0b37WbLnmDFaHx4XtalI8LEBnomKYFXepxF0Ww==
X-Received: by 2002:adf:b211:: with SMTP id u17-v6mr1683502wra.180.1538581033973; Wed, 03 Oct 2018 08:37:13 -0700 (PDT)
Received: from speedyM.local ([2a02:a446:bd2c:1:c9c8:cee8:a506:4c64]) by smtp.gmail.com with ESMTPSA id t2-v6sm2426541wrr.7.2018.10.03.08.37.13 for <scim@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 03 Oct 2018 08:37:13 -0700 (PDT)
To: scim@ietf.org
From: Mark Dobrinic <mark.dobrinic@curity.io>
Message-ID: <370d231f-1041-5d28-f097-38882481a256@curity.io>
Date: Wed, 03 Oct 2018 17:37:07 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/8RNm7bU3uFIPEYHv6RA-uf0ar6w>
Subject: [scim] Escape search filter values
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Oct 2018 15:37:18 -0000
Hi scim,
I've got a question on how to escape values that are part of the search
filter query in scim 2.
For example, when sending out a search request for a user with a
password, we're posting a JSON-message like this to our SCIM server:
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:SearchRequest"
],
"filter": "userName eq \"teddie\" and password eq "\secret\""
}
But when the password contains control characters, like a double-quote
(") or backslash (\), what should we send to the other end?
For now, we've been following the JSON approach, and are JSON-escaping
the values inside the filter, such that when the password would be
'sec"ret', the JSON-message as it would be sent over becomes:
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:SearchRequest"
],
"filter": "userName eq \"teddie\" and password eq "\sec\\\"ret\""
}
... but I could not find out how to deal with this in the spec.
What do you think is the right thing to do here?
--
Regards,
Mark Dobrinic
Software Engineer and Identity Specialist
Curity AB
mark.dobrinic@curity.io
www.curity.io
- [scim] Escape search filter values Mark Dobrinic
- [scim] Fwd: Escape search filter values Mark Dobrinic
- Re: [scim] Fwd: Escape search filter values Phil Hunt
- Re: [scim] Fwd: Escape search filter values Mark Dobrinic