[Date Prev][Date Next]
RE: ITS#1998, zero-length attr vals
> -----Original Message-----
> From: Andrew Findlay [mailto:firstname.lastname@example.org]
> Don't forget that someone might deliberately encode some
> character in more bytes than are necessary in order to attack the
> server by breaking the normalisation. This was the basis for one of
> the big attacks on the IIS webserver, which is still on the SANS
> Top-20 Internet security problems list.
> Procedures in libraries/libldap/utf-8.c appear to block over-length
> encodings, but there is a comment in libraries/libldap/utf-8-conv.c
> that says:
> This code does not prevent UTF-8 sequences which are longer than
> necessary from being decoded.
> In spite of that, they do seem to protect themselves by calling
> LDAP_UTF8_CHARLEN2 and checking for zero returns.
All the code has been updated but that comment wasn't. I guess that sentence
be deleted now. At any rate, the code in utf-8-conv.c is unused, but
has been updated to reject illegal encodings.
> What I cannot quickly work out is whether UTF8StringNormalize (in
> servers/slapd/schema_init.c) is only called on strings that have been
> sanitised by one of the library procedures. If not, then there is
> potential for trouble.
Strings passed to UTF8StringNormalize have been checked by
and the encodings are checked there. Illegal encodings are rejected by the
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support