[Date Prev][Date Next]
Re: (ITS#6461) back-sql quote characters in query
I have made a patch for this problem.
2011-03-10 2:37 GMT+09:00 Howard Chu <email@example.com>:
> firstname.lastname@example.org wrote:
>> Can confirm this with openldap 2.4.24.
> Thanks, the bug was already confirmed.
>> Using ldap search filters like this:
>> (cn=blabla' or '1'='1)
>> is at least causing my postgres to eat all CPU cycles it can get (LDAP
>> data is based on complex view). I do not have write access enabled for
>> that particular openLDAP installation, but I also assume that SQL
>> Injection is possible. Beside being an obviuos malfunction, this should
>> be considered a security issue.
> As the bug status says, "patches welcome." back-sql is not a priority for
> any of the core developers.