From e2f4ca480db2b857f0fbf712384df84e48037847 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Thu, 24 Aug 2006 03:15:57 +0000
Subject: [PATCH] ITS#4647: error on bad filter patterns
---
 clients/tools/ldapsearch.c | 20 ++++++++++++++++++++
 doc/man/man1/ldapsearch.1 | 10 +++++++---
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c
index 578bda60e6..8e0a632133 100644
--- a/clients/tools/ldapsearch.c
+++ b/clients/tools/ldapsearch.c
@@ -676,12 +676,32 @@ main( int argc, char **argv )
 }
 if ( infile != NULL ) {
+ int percent = 0;
+
 if ( infile[0] == '-' && infile[1] == '\0' ) {
 fp = stdin;
 } else if (( fp = fopen( infile, "r" )) == NULL ) {
 perror( infile );
 return EXIT_FAILURE;
 }
+
+ for( i=0 ; filtpattern[i] ; i++ ) {
+ if( filtpattern[i] == '%' ) {
+ if( percent ) {
+ fprintf( stderr, _("Bad filter pattern \"%s\"\n"),
+ filtpattern );
+ return EXIT_FAILURE;
+ }
+
+ percent++;
+
+ if( filtpattern[i+1] != 's' ) {
+ fprintf( stderr, _("Bad filter pattern \"%s\"\n"),
+ filtpattern );
+ return EXIT_FAILURE;
+ }
+ }
+ }
 }
 if ( tmpdir == NULL ) {
diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
index f274fb26e4..65ed177d19 100644
--- a/doc/man/man1/ldapsearch.1
+++ b/doc/man/man1/ldapsearch.1
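Review bot: The new loop in the `infile != NULL` branch of clients/tools/ldapsearch.c has no comment naming the invariant it enforces; a reader has to infer that `filtpattern` is presumably used later as a printf-style format with one string argument, which would be why any `%` other than a single `%s` is refused. I would put `/* filtpattern is used as a format for each input line: allow at most one "%s" and no other '%' */` above the `for`. The two rejection branches print the same message and could be one test, `if( percent++ || filtpattern[i+1] != 's' ) {`, which keeps the accepted grammar in a single place. The check also runs after `fopen()`, so a bad pattern returns with `fp` still open and an unreadable file is reported before the bad pattern; validating the pattern before the open would avoid both. `main()` starts and ends outside the hunk.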
@@ -165,9 +165,13 @@ must be compiled with LDAP_DEBUG defined for this option to have any effect.
 .BI \-f \ file
 Read a series of lines from \fIfile\fP, performing one LDAP search for each line. In this case, the \fIfilter\fP given on the command line
-is treated as a pattern where the first occurrence of \fB%s\fP is
-replaced with a line from \fIfile\fP. If \fIfile\fP is a single \fI-\fP
-character, then the lines are read from standard input.
+is treated as a pattern where the first and only occurrence of \fB%s\fP
+is replaced with a line from \fIfile\fP. Any other occurence of the
+the \fB%\fP character in the pattern will be regarded as an error.
+Where it is desired that the search filter include a \fB%\fP character,
+the character should be encoded as \fB\\25\fP (see RFC 4515).
+If \fIfile\fP is a single
+\fI-\fP character, then the lines are read from standard input.
 .TP
 .B \-x
 Use simple authentication instead of SASL.
--
2.39.5