
Re: escaping strings in DN



Michael Ströder <michael@stroeder.com> wrote:
> Erik Thiele wrote:
> > Michael Ströder <michael@stroeder.com> wrote:
> >>Erik Thiele wrote:
> >>
> >>>I just started typing this code:
> >>>
> >>>ldap_simple_bind_s ("uid="+victim+",ou=People,dc=mine", pass);
> >>>
> >>>(it is C, the + is just for simplification)
> >>>
> >>>I think this is a security problem, as the user can type the
> >>>"victim" in an edit field. For example he can do:
> >>>
> >>>victim="paul,foo=bar,i=you,he=she"
> >>>
> >>>and creates effects not intended by the programmer.
> >>
> >>Every application is responsible for validating its input according to
> >>local definitions and security policy.
> > 
> >>>i don't find a
> >>>ldap_escape_string
> >>>function.
> >>
> >>Just calling an escape function is not a substitution for checking
> >>input.
> >>
> >>This is not specific to OpenLDAP though...
> > 
> > This is not true.
> > 
> > Every other library dealing with this kind of problem provides an
> > escape routine. Examples:
> > 
> > - url_escape (for passing parameters to PHP scripts)
> > - pg_escape (for SQL queries in postgresql database library)
> > - shell_escape (for escaping strings making them safe to be passed to
> >   the shell)
> 
> Ok, if you're only worrying about escaping special LDAP filter chars when 
> using uid as search attribute then read RFC2254 on how to construct 
> syntactically correct LDAP filters.
> 
> Note that it is definitely more secure to exactly validate the user's input 
> since creating the search filter is not the only action you're doing with 
> this user's input.

That's for sure. But I need a secure way to pass __anything__ into an
LDAP search filter.

> In Python it looks like this (grabbed from python-ldap's CVS version):
> 
> def escape_filter_chars(assertion_value):
>    """
>    Replace all special characters found in assertion_value
>    by quoted notation
>    """
>    s = assertion_value.replace('\\', r'\5c')
>    s = s.replace(r'*', r'\2a')
>    s = s.replace(r'(', r'\28')
>    s = s.replace(r')', r'\29')
>    s = s.replace('\x00', r'\00')
>    return s
> 
> > the ldap library really should provide the ldap_escape routine.
> 
> More specific you mean escaping for values added to LDAP search filters.

Yes, that's true, as in your LDAP library the actual data transfer
works with the Ber* stuff.
Are the rules in the above Python escape code sufficient?
For example, if I search for some binary data like the content of
a JPEG image? Or aren't they, and the current Python implementation
is insecure? If so, please submit a bug report :-)

Please schedule adding an ldap_search_escapestring function.
I will work with my own version until the new function is available.
Until then, all LDAP libraries on top of your C API will have their
own escaping function (like the Python module).

cu & thanks very much
Erik

-- 
Erik Thiele
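
[Editor's added example, not part of the original mail and not python-ldap
or OpenLDAP code.] The thread touches two different escaping problems: the
bind DN built from "victim" at the top (DN string rules, RFC 2253/4514) and
the search filter assertion value that escape_filter_chars handles (filter
rules, RFC 2254/4515). The block below implements both, and generalises the
filter escaper so that it also accepts a byte string, which answers Erik's
JPEG question: the five characters in the quoted python-ldap function are the
ones the RFC requires, and escaping every non-printable byte as \XX on top of
that is allowed by the same RFC and turns arbitrary binary data into a plain
ASCII filter. It also shows Michael's point that escaping is not a substitute
for validation, with an allowlist check on the login name. The helper names
(escape_filter_value, escape_dn_value, validate_uid, bind_dn_for,
uid_filter_for) and the uid regex are the editor's assumptions; the
"ou=People,dc=mine" suffix and the sample inputs come from the post or are
constructed here.

```python
import re

# Added example: hypothetical helper names, not a python-ldap / OpenLDAP API.

# Bytes that MUST be escaped in a filter assertion value (RFC 2254 / 4515).
_FILTER_MUST_ESCAPE = {0x2a, 0x28, 0x29, 0x5c, 0x00}   # * ( ) \ NUL


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter.

    Accepts str (encoded to UTF-8 first) or bytes. Besides the characters
    the RFC requires, every byte outside printable ASCII is written as
    \\XX too, so binary values (a jpegPhoto, a GUID) become plain ASCII.
    """
    if isinstance(value, str):
        value = value.encode("utf-8")
    out = []
    for b in value:
        if b in _FILTER_MUST_ESCAPE or b < 0x20 or b > 0x7e:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN string (RFC 2253 / 4514).

    Characters , + " \\ < > ; get a leading backslash, a leading '#' or
    space and a trailing space are escaped, control characters (including
    NUL) are written as \\XX; everything else, '=' and non-ASCII included,
    passes through, which RFC 4514 permits.
    """
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ord(ch) < 0x20 or ord(ch) == 0x7f:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


# Allowlist for a login name; the exact policy is a local decision and this
# regex is only an illustration of "validate the input, don't just escape it".
_UID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_uid(uid):
    """Reject anything that is not a plain login name; returns uid unchanged."""
    if not _UID_RE.match(uid):
        raise ValueError("uid %r does not match the local naming policy" % uid)
    return uid


def bind_dn_for(uid):
    """Build the bind DN from the post (dc=mine suffix), escaping the RDN value."""
    return "uid=%s,ou=People,dc=mine" % escape_dn_value(uid)


def uid_filter_for(uid):
    """Build an equality filter on uid, escaping the assertion value."""
    return "(uid=%s)" % escape_filter_value(uid)


if __name__ == "__main__":
    # Constructed inputs: the one from the post, a classic filter injection,
    # and the first bytes of a JPEG header.
    for uid in ("paul", "paul,foo=bar,i=you,he=she", "*)(objectClass=*"):
        print(bind_dn_for(uid))
        print(uid_filter_for(uid))
    print(uid_filter_for(b"\xff\xd8\xff\xe0"))
    try:
        validate_uid("paul,foo=bar,i=you,he=she")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the two escapers are not interchangeable: a value escaped for a
filter ("\2c" style for every special) is not valid inside a DN, and the DN
backslash-prefix form leaves '*' and parentheses untouched. Apply
validate_uid first and keep the escapers as the second line of defence, since
the bind DN and the filter are usually not the only places the login name
ends up.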