[Date Prev][Date Next]
Re: (ITS#6461) back-sql quote characters in query
> Can confirm this with openldap 2.4.24.
Thanks, the bug was already confirmed.
> Using ldap search filters like this:
> (cn=blabla' or '1'='1)
> is at least causing my postgres to eat all CPU cycles it can get (LDAP
> data is based on complex view). I do not have write access enabled for
> that particular openLDAP installation, but I also assume that SQL
> Injection is possible. Beside being an obviuos malfunction, this should
> be considered a security issue.
As the bug status says, "patches welcome." back-sql is not a priority for any
of the core developers.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/