[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6461) back-sql quote characters in query

atze_80@web.de wrote:
> Can confirm this with openldap 2.4.24.

Thanks, the bug was already confirmed.
> Using ldap search filters like this:
> (cn=blabla' or '1'='1)
> is at least causing my postgres to eat all CPU cycles it can get (LDAP
> data is based on complex view). I do not have write access enabled for
> that particular openLDAP installation, but I also assume that SQL
> Injection is possible. Beside being an obviuos malfunction, this should
> be considered a security issue.

As the bug status says, "patches welcome." back-sql is not a priority for any 
of the core developers.
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/