
Re: (ITS#6461) back-sql quote characters in query



I have made a patch for this problem.

https://gist.github.com/akagisho/0d0d148c94616b84a513

2011-03-10 2:37 GMT+09:00 Howard Chu <hyc@symas.com>:
> atze_80@web.de wrote:
>>
>> Can confirm this with openldap 2.4.24.
>
>
> Thanks, the bug was already confirmed.
>>
>>
>> Using ldap search filters like this:
>>
>> (cn=blabla' or '1'='1)
>>
>> is at least causing my postgres to eat all CPU cycles it can get (LDAP
>> data is based on complex view). I do not have write access enabled for
>> that particular openLDAP installation, but I also assume that SQL
>> Injection is possible. Besides being an obvious malfunction, this should
>> be considered a security issue.
>
>
> As the bug status says, "patches welcome." back-sql is not a priority for
> any of the core developers.