From b80ba3e3b41859bfc79830b726e95e457502ca00 Mon Sep 17 00:00:00 2001
From: Simon Pichugin
Date: Fri, 10 Oct 2025 10:46:45 -0700
Subject: [PATCH] Merge commit from fork Update tests to expect \00 and verify RFC-compliant escaping
CVE: CVE-2025-61912
Upstream-Status: Backport [https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f]
Signed-off-by: Gyorgy Sarvari
---
 Lib/ldap/dn.py | 3 ++-
 Tests/t_ldap_dn.py | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/Lib/ldap/dn.py b/Lib/ldap/dn.py
index a9d9684..8d40673 100644
--- a/Lib/ldap/dn.py
+++ b/Lib/ldap/dn.py
@@ -26,7 +26,8 @@ def escape_dn_chars(s):
 s = s.replace('>' ,'\\>')
 s = s.replace(';' ,'\\;')
 s = s.replace('=' ,'\\=')
- s = s.replace('\000' ,'\\\000')
+ # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
+ s = s.replace('\x00' ,'\\00')
 if s[-1]==' ':
 s = ''.join((s[:-1],'\\ '))
 if s[0]=='#' or s[0]==' ':
diff --git a/Tests/t_ldap_dn.py b/Tests/t_ldap_dn.py
index 86d3640..7c04777 100644
--- a/Tests/t_ldap_dn.py
+++ b/Tests/t_ldap_dn.py
@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
 self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
 self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ \\ ')
 self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
- self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,bo\\,b\\o,bo\,b\
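Review bot: The new comment above `s = s.replace('\x00' ,'\\00')` in Lib/ldap/dn.py cites RFC 4514 but does not record what was wrong with the old form: the removed line emitted a backslash followed by a raw NUL, so the "escaped" DN still contained U+0000. That raw byte is presumably what breaks or truncates the value once it is handed to the C layer (worth confirming), and a wording such as `# Emit the hex pair "\00" (RFC 4514); a raw NUL must never remain in the returned DN` would keep a later cleanup from reverting to the octal literal. The line also relies on the backslash replacement having run earlier in escape_dn_chars, which starts outside this hunk; if it ran afterwards, the backslash inserted here would be escaped a second time, so a short ordering remark next to it would help.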