[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: escaping strings in DN

Erik Thiele wrote:

i just started typing this code:

ldap_simple_bind_s ("uid="+victim+",ou=People,dc=mine", pass);

(it is C, the + is just for simplification)

i think this is a security problem, as the user can type the "victim" in
an edit field. for example he can do:


and creates effects not intended by the programmer.

Every application is responsible for validating its input according to local definitions and security policy.

i don't find a

Just calling an escape function is not a substitution for checking input.

This is not specific to OpenLDAP though...

Ciao, Michael.