Re: escaping strings in DN
Erik Thiele wrote:
On Thu, 22 May 2003 08:37:56 +0200
Michael Ströder <firstname.lastname@example.org> wrote:
Erik Thiele wrote:
i just started typing this code:
ldap_simple_bind_s ("uid="+victim+",ou=People,dc=mine", pass);
(it is C, the + is just for simplification)
i think this is a security problem, as the user can type the
"victim" in an edit field. for example he can do:
and creates effects not intended by the programmer.
Every application is responsible for validating its input according to
local definitions and security policy.
what definitions ?
Your local directory specifications defining what an uid attribute value in
your environment is allowed to look like. E.g. written down in the very same
document which defines your base DN ou=People,dc=mine.
what policy ?
Your security policy.
i don't find a
Just calling an escape function is not a substitution for checking
This is not specific to OpenLDAP though...
this is not true.
every other library dealing with this kind of problem provides an
escape routine. examples:
- url_escape (for passing parameters to PHP scripts)
- pg_escape (for SQL queries in postgresql database library)
- shell_escape (for escaping strings making them safe to be passed to
Ok, if you're only worrying about escaping special LDAP filter chars when
using uid as search attribute then read RFC2254 on how to construct
syntactically correct LDAP filters.
Note that it is definitely more secure to exactly validate the user's input
since creating the search filter is not the only action you're doing with
this user's input.
In Python it looks like this (grabbed from python-ldap's CVS version):
def escape_filter_chars(assertion_value):
    """
    Replace all special characters found in assertion_value
    by quoted notation
    """
    # backslash first, so the escapes added below are not escaped again
    s = assertion_value.replace('\\', r'\5c')
    s = s.replace(r'*', r'\2a')
    s = s.replace(r'(', r'\28')
    s = s.replace(r')', r'\29')
    s = s.replace('\x00', r'\00')
    return s
the ldap library really should provide the ldap_escape routine.
More specifically, you mean escaping for values added to LDAP search filters.
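The thread makes two separate points: a bind DN and a search filter are different syntaxes with different escaping rules (RFC 2253 for DN values, RFC 2254 for filter assertion values), and escaping alone does not replace validating the uid against the local directory's definition. The following is an added example, not code from the thread or from python-ldap, that puts both together for the base DN ou=People,dc=mine used above. The function names, the uid regex and the sample inputs are assumptions made for illustration.

```python
import re

# Filter assertion values (RFC 2254): these five characters must be hex-escaped.
_FILTER_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}

# DN attribute values (RFC 2253 section 2.4): these characters are escaped with a
# backslash; a leading '#' or space and a trailing space are escaped as well.
_DN_SPECIALS = set(',+"\\<>;')

# Assumed local definition of a uid: lowercase letter, then up to 31 of [a-z0-9._-].
# A real deployment takes this from the same document that defines the base DN.
_UID_RE = re.compile(r'^[a-z][a-z0-9._-]{0,31}$')


def escape_filter_chars(assertion_value):
    """Escape a value for use inside an LDAP search filter (RFC 2254).

    Each character is mapped once, so escapes introduced here are never
    re-escaped (the ordering problem of chained replace() calls goes away)."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in assertion_value)


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 2253)."""
    out = []
    for ch in value:
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            # control characters (including NUL) as \XX hex pairs
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    s = ''.join(out)
    if s.startswith('#') or s.startswith(' '):
        s = '\\' + s
    if value.endswith(' '):
        s = s[:-1] + '\\ '
    return s


def validate_uid(uid):
    """Allowlist check against the assumed local uid definition."""
    return bool(_UID_RE.match(uid))


def build_bind_dn(uid, base_dn='ou=People,dc=mine'):
    """Build the DN for ldap_simple_bind_s: validate first, then escape.

    Validation rejects anything outside the local definition; escaping is
    defence in depth should the definition ever be widened."""
    if not validate_uid(uid):
        raise ValueError('uid does not match the local directory definition')
    return 'uid=%s,%s' % (escape_dn_value(uid), base_dn)


def build_uid_filter(uid):
    """Build an equality filter on uid with RFC 2254 escaping applied."""
    return '(uid=%s)' % escape_filter_chars(uid)


if __name__ == '__main__':
    # constructed sample inputs
    print(build_bind_dn('alice'))
    print(build_uid_filter('alice'))
    print(escape_filter_chars('a*)(b'))
    print(escape_dn_value('Smith, John'))
    try:
        build_bind_dn('alice,ou=admins')
    except ValueError as e:
        print('rejected:', e)
```

The two escapers are deliberately not interchangeable: passing a DN-escaped value into a filter (or the reverse) yields a syntactically different string, which is exactly the mismatch the discussion above is about.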