[Date Prev][Date Next]
Full_Name: Erik Thiele
Submission from: (NULL) (22.214.171.124)
as just discussed on openldap-software mailinglist:
Michael Ströder <firstname.lastname@example.org> wrote:
> Erik Thiele wrote:
> > Michael Ströder <email@example.com> wrote:
> >>Erik Thiele wrote:
> >>>i just started typing this code:
> >>>ldap_simple_bind_s ("uid="+victim+",ou=People,dc=mine", pass);
> >>>(it is C, the + is just for simplification)
> >>>i think this is a security problem, as the user can type the
> >>>"victim" in an edit field. for example he can do:
> >>>and creates effects not intended by the programmer.
> >>Every application is responsible for validating its input according to
> >>local definitions and security policy.
> >>>i don't find a
> >>Just calling an escape function is not a substitution for checking
> >>This is not specific to OpenLDAP though...
> > this is not true.
> > every other library handling with this kind of problem provides an
> > escape routine. examples:
> > - url_escape (for passing parameters to PHP scripts)
> > - pg_escape (for SQL queries in postgresql database library)
> > - shell_escape (for escaping strings making them safe to be passed to
> > the shell)
> Ok, if you're only worrying about escaping special LDAP filter chars when
> using uid as search attribute then read RFC2254 on how to construct
> syntactically correct LDAP filters.
> Note that it is definitely more secure to exactly validate the user's input
> since creating the search filter is not the only action you're doing with
> this user's input.
that's for sure. but i need a secure way to pass __anything__ into an
ldap search filter.
> In Python it looks like this (grabbed from python-ldap's CVS version):
> def escape_filter_chars(assertion_value):
> Replace all special characters found in assertion_value
> by quoted notation
> s = assertion_value.replace('\\', r'\5c')
> s = s.replace(r'*', r'\2a')
> s = s.replace(r'(', r'\28')
> s = s.replace(r')', r'\29')
> s = s.replace('\x00', r'\00')
> return s
> > the ldap library really should provide the ldap_escape routine.
> More specific you mean escaping for values added to LDAP search filters.
yes that's true, as in your LDAP library,
the actual data transfer works with the Ber* stuff.
are the rules in the above python escape code sufficient?
for example if i search for some binary data like the content of
a jpeg image? or aren't they, and the current python implementation
is insecure? if so, please submit a bug report :-)
please schedule adding a ldap_search_escapestring function.
i will work with my own version, until the new function is available.
until then, all LDAP libraries on top of your C-API will have their
own escaping function. (like the python module)
cu & thanks very much