Re: [scim] Fwd: Escape search filter values

Mark Dobrinic <mark.dobrinic@curity.io> Tue, 06 November 2018 08:59 UTC

Cc: scim@ietf.org
References: <370d231f-1041-5d28-f097-38882481a256@curity.io> <b5a522c1-afb1-aa6d-e37a-2ab1b4c0db58@curity.io> <D4D868E4-B826-43BF-8A85-0AC44028121D@oracle.com>
From: Mark Dobrinic <mark.dobrinic@curity.io>
Message-ID: <1a2b4cff-7761-884c-f680-298126bc2875@curity.io>
Date: Tue, 06 Nov 2018 09:59:25 +0100
In-Reply-To: <D4D868E4-B826-43BF-8A85-0AC44028121D@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/Jo65dBF7-oTwltvpZiDx4RrBCiM>
Subject: Re: [scim] Fwd: Escape search filter values

Hi Phil,

Gotcha, and thanks for that!

We'll continue with the JSON-encoding approach.

Kind regards,

Mark

On 05/11/18 18:26, Phil Hunt wrote:
> Mark
>
> You are correct. Per sec 3.1, SCIM uses RFC7159/JSON for protocol
> payload messages as well as resources. 
>
> Iow. Escape as specified in json. 
>
> Phil
>
> On Nov 5, 2018, at 12:50 AM, Mark Dobrinic <mark.dobrinic@curity.io> wrote:
>
>> Hi guys,
>>
>> have posted this question a month ago and didn't get a follow up.
>> Anybody has thoughts on it?
>>
>> Thanks,
>>
>> Mark
>>
>>
>> -------- Forwarded Message --------
>> Subject: 	Escape search filter values
>> Date: 	Wed, 3 Oct 2018 17:37:07 +0200
>> From: 	Mark Dobrinic <mark.dobrinic@curity.io>
>> To: 	scim@ietf.org
>>
>>
>>
>> Hi scim,
>>
>> I've got a question on how to escape values that are part of the search
>> filter query in scim 2.
>>
>> For example, when sending out a search request for a user with a
>> password, we're posting a JSON-message like this to our SCIM server:
>>
>> {
>>     "schemas": [
>>         "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
>>     ],
>>     "filter": "userName eq \"teddie\" and password eq \"secret\""
>> }
>>
>> But when the password contains control characters, like a double-quote
>> (") or backslash (\), what should we send to the other end?
>>
>> For now, we've been following the JSON approach, and are JSON-escaping
>> the values inside the filter, such that when the password would be
>> 'sec"ret', the JSON-message as it would be sent over becomes:
>>
>> {
>>     "schemas": [
>>         "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
>>     ],
>>     "filter": "userName eq \"teddie\" and password eq \"sec\\\"ret\""
>> }
>>
>> .... but I could not find out how to deal with this in the spec.
>>
>> What do you think is the right thing to do here?
>>
>>
>> -- 
>> Regards,
>>
>> Mark Dobrinic
>> Software Engineer and Identity Specialist
>> Curity AB
>>
>> mark.dobrinic@curity.io
>> www.curity.io
>>


-- 
Regards,

Mark Dobrinic
Software Engineer and Identity Specialist
Curity AB

mark.dobrinic@curity.io
www.curity.io
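
The two levels of escaping discussed in this thread, as an added example that is not part of the original messages: each value is first written as a JSON string literal inside the filter, then the whole filter is JSON-encoded again as a member of the SearchRequest body. The function names and the small receiver-side reader are assumptions made for illustration; the sample values are constructed, with `sec"ret` taken from the question above.

```python
import json

SEARCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"


def filter_string(value: str) -> str:
    """Level 1: render a value as a JSON string literal for use in a filter."""
    return json.dumps(value, ensure_ascii=False)


def build_search_request(user_name: str, password: str) -> str:
    """Level 2: JSON-encode the finished filter as part of the request body."""
    flt = (f"userName eq {filter_string(user_name)} "
           f"and password eq {filter_string(password)}")
    return json.dumps({"schemas": [SEARCH_SCHEMA], "filter": flt})


def naive_filter(user_name: str, password: str) -> str:
    """Unescaped concatenation, shown only for comparison."""
    return f'userName eq "{user_name}" and password eq "{password}"'


def read_string_literals(flt: str) -> list:
    """Receiver side (hypothetical helper): decode every JSON string literal
    in a filter. Raises ValueError if a literal is not well-formed JSON."""
    decoder = json.JSONDecoder()
    values, pos = [], 0
    while (pos := flt.find('"', pos)) != -1:
        value, pos = decoder.raw_decode(flt, pos)
        values.append(value)
    return values


if __name__ == "__main__":
    body = build_search_request("teddie", 'sec"ret')
    print(body)
    # Undo level 2, then level 1: the original values come back intact.
    print(read_string_literals(json.loads(body)["filter"]))
    # Without level-1 escaping the quote ends the literal early and the
    # remainder of the filter no longer parses.
    try:
        print(read_string_literals(naive_filter("teddie", 'sec"ret')))
    except ValueError as exc:
        print("naive filter rejected:", exc)
```
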