[scim] Fwd: Escape search filter values

Mark Dobrinic <mark.dobrinic@curity.io> Mon, 05 November 2018 08:50 UTC

References: <370d231f-1041-5d28-f097-38882481a256@curity.io>
To: scim@ietf.org
From: Mark Dobrinic <mark.dobrinic@curity.io>
X-Forwarded-Message-Id: <370d231f-1041-5d28-f097-38882481a256@curity.io>
Message-ID: <b5a522c1-afb1-aa6d-e37a-2ab1b4c0db58@curity.io>
Date: Mon, 05 Nov 2018 09:50:28 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <370d231f-1041-5d28-f097-38882481a256@curity.io>
Content-Type: multipart/alternative; boundary="------------1DA79CA7DA9FAADF6DF84230"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/dQNZvyNJTCkwfu8duXLGf1tP2Ik>
Subject: [scim] Fwd: Escape search filter values

Hi guys,

I posted this question a month ago and didn't get a follow-up.
Does anybody have thoughts on it?

Thanks,

Mark


-------- Forwarded Message --------
Subject: 	Escape search filter values
Date: 	Wed, 3 Oct 2018 17:37:07 +0200
From: 	Mark Dobrinic <mark.dobrinic@curity.io>
To: 	scim@ietf.org



Hi scim,

I've got a question on how to escape values that are part of the search
filter query in scim 2.

For example, when sending out a search request for a user with a
password, we're posting a JSON-message like this to our SCIM server:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
    ],
    "filter": "userName eq \"teddie\" and password eq \"secret\""
}

But when the password contains control characters, like a double-quote
(") or backslash (\), what should we send to the other end?

For now, we've been following the JSON approach, and are JSON-escaping
the values inside the filter, such that when the password would be
'sec"ret', the JSON-message as it would be sent over becomes:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
    ],
    "filter": "userName eq \"teddie\" and password eq \"sec\\\"ret\""
}

... but I could not find out how to deal with this in the spec.

What do you think is the right thing to do here?


-- 
Regards,

Mark Dobrinic
Software Engineer and Identity Specialist
Curity AB

mark.dobrinic@curity.io
www.curity.io
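The two levels of escaping the question is about, worked through in code. This is an added example, not code from the thread or from Curity. It assumes what RFC 7644 section 3.4.2.2 says about the filter grammar, namely that a compValue string uses the JSON string production, so the value inside the filter is escaped with JSON string rules first, and the whole filter is JSON-escaped a second time when it is placed in a SearchRequest body. The helper names (scim_string_literal, eq_clause, search_request_body, filter_string_values, naive_filter) and the injected password are constructed for the example; the attribute-name allow-list is an added hardening, not something the spec mandates.

```python
import json
import re

SEARCH_REQUEST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"

# Constructed allow-list for attribute paths: a caller-controlled attribute name
# must not be able to smuggle operators into the filter either.
_ATTR_PATH = re.compile(r"^[A-Za-z][A-Za-z0-9_\-]*(\.[A-Za-z][A-Za-z0-9_\-]*)?$")


def scim_string_literal(value: str) -> str:
    """Encode a value as a SCIM filter compValue string (first escaping level).

    RFC 7644 3.4.2.2 defines compValue with the JSON string production, so a
    JSON string encoder yields exactly the escaping the filter grammar expects:
    '"' -> \\", '\\' -> \\\\, control characters -> \\uXXXX.
    """
    return json.dumps(value, ensure_ascii=False)


def eq_clause(attr: str, value: str) -> str:
    """Build `attr eq "value"` with the value escaped as a filter string literal."""
    if not _ATTR_PATH.match(attr):
        raise ValueError(f"refusing unsafe attribute path: {attr!r}")
    return f"{attr} eq {scim_string_literal(value)}"


def search_request_body(filter_expr: str) -> str:
    """Serialise a SearchRequest (second escaping level: JSON-encoding the filter)."""
    return json.dumps({"schemas": [SEARCH_REQUEST_SCHEMA], "filter": filter_expr})


def naive_filter(user: str, password: str) -> str:
    """Deliberately unsafe: raw concatenation, the pattern the escaping prevents."""
    return f'userName eq "{user}" and password eq "{password}"'


# --- server side: undo both levels and recover the literal values ---

# A JSON string token: quote, then non-quote/non-backslash chars or escape pairs, quote.
_STRING_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"')


def filter_string_values(body: str) -> list[str]:
    """Decode the SearchRequest body, then decode every string literal in its filter."""
    filter_expr = json.loads(body)["filter"]
    return [json.loads(tok) for tok in _STRING_TOKEN.findall(filter_expr)]


if __name__ == "__main__":
    password = 'sec"ret'  # constructed: a password containing a double quote
    filt = eq_clause("userName", "teddie") + " and " + eq_clause("password", password)
    body = search_request_body(filt)
    print(body)                          # filter carries \"sec\\\"ret\" on the wire
    print(filter_string_values(body))    # ['teddie', 'sec"ret'] after both decodes

    # Constructed injection: without escaping, one password adds a clause that
    # matches the user regardless of password.
    injected = '" or userName pr and userName eq "teddie'
    print(filter_string_values(search_request_body(naive_filter("teddie", injected))))
    print(filter_string_values(search_request_body(eq_clause("password", injected))))
```

Read the wire form backwards to see why it is double-escaped: the JSON decoder on the server turns `\"sec\\\"ret\"` into the filter text `"sec\"ret"`, and the filter parser's string-literal rule turns that into the value `sec"ret`. With `naive_filter`, the same decoding yields three literals (`teddie`, an empty string, `teddie`) because the injected quotes became filter syntax; with `eq_clause`, the whole injected string comes back as one literal.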