[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ITS#1998, zero-length attr vals



> -----Original Message-----
> From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk]

> Don't forget that someone might deliberately encode some
> character in more bytes than are necessary in order to attack the
> server by breaking the normalisation. This was the basis for one of
> the big attacks on the IIS webserver, which is still on the SANS
> Top-20 Internet security problems list.
>
> Procedures in libraries/libldap/utf-8.c appear to block over-length
> encodings, but there is a comment in libraries/libldap/utf-8-conv.c
> that says:

> 	This code does not prevent UTF-8 sequences which are longer than
> 	necessary from being decoded.

> In spite of that, they do seem to protect themselves by calling
> LDAP_UTF8_CHARLEN2 and checking for zero returns.

All the code has been updated but that comment wasn't. I guess that sentence
can
be deleted now. At any rate, the code in utf-8-conv.c is unused, but
everything
has been updated to reject illegal encodings.

> What I cannot quickly work out is whether UTF8StringNormalize (in
> servers/slapd/schema_init.c) is only called on strings that have been
> sanitised by one of the library procedures. If not, then there is
> potential for trouble.

Strings passed to UTF8StringNormalize have been checked by
UTF8StringValidate,
and the encodings are checked there. Illegal encodings are rejected by the
Validate
function.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support