
Re: escaping strings in DN

Erik Thiele wrote:
On Thu, 22 May 2003 08:37:56 +0200
Michael Ströder <michael@stroeder.com> wrote:

Erik Thiele wrote:

i just started typing this code:

ldap_simple_bind_s ("uid="+victim+",ou=People,dc=mine", pass);

(it is C, the + is just for simplification)

i think this is a security problem, as the user can type the
"victim" in an edit field. for example he can do:


and creates effects not intended by the programmer.

Every application is responsible for validating its input according to local definitions and security policy.

what definitions ?

Your local directory specifications defining what an uid attribute value in your environment is allowed to look like. E.g. written down in the very same document which defines your base DN ou=People,dc=mine.

what policy ?

Your security policy.

(see below)

i don't find a

Just calling an escape function is not a substitution for checking input.

This is not specific to OpenLDAP though...

this is not true.

every other library handling this kind of problem provides an
escape routine. examples:

- url_escape (for passing parameters to PHP scripts)
- pg_escape (for SQL queries in postgresql database library)
- shell_escape (for escaping strings making them safe to be passed to
  the shell)

Ok, if you're only worrying about escaping special LDAP filter chars when using uid as search attribute then read RFC2254 on how to construct syntactically correct LDAP filters.

Note that it is definitely more secure to exactly validate the user's input since creating the search filter is not the only action you're doing with this user's input.

In Python it looks like this (grabbed from python-ldap's CVS version):

def escape_filter_chars(assertion_value):
  """
  Replace all special characters found in assertion_value
  by quoted notation (RFC 2254, section 4)
  """
  # The backslash must be replaced first, otherwise the backslashes
  # introduced by the later replacements would be escaped again.
  s = assertion_value.replace('\\', r'\5c')
  s = s.replace(r'*', r'\2a')
  s = s.replace(r'(', r'\28')
  s = s.replace(r')', r'\29')
  s = s.replace('\x00', r'\00')
  return s

the ldap library really should provide the ldap_escape routine.

More specifically, you mean escaping for values added to LDAP search filters.

Ciao, Michael.
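The original question was about building a bind DN, not a search filter, and Michael's point is that escaping alone is not a substitute for validating the uid against the local definition. The following is an added example, not code from this thread or from python-ldap: it escapes a DN attribute value per RFC 2253 (comma, plus, quote, backslash, angle brackets, semicolon, equals, NUL, and leading '#'/space or trailing space), and builds the bind DN only after the uid has passed an allowlist check. The uid syntax (lowercase letter, then up to 31 letters, digits, dot, underscore or hyphen) and the base DN ou=People,dc=mine are assumptions standing in for the site's own definition.

```python
import re

# Characters that RFC 2253 requires (or allows) to be backslash-escaped
# inside an attribute value of a distinguished name.
_DN_SPECIAL = ',+"\\<>;='

# Assumed local definition of a uid value; replace with the site's own rule.
UID_RE = re.compile(r'^[a-z][a-z0-9._-]{0,31}$')

# Assumed base DN, taken from the original message.
BASE_DN = 'ou=People,dc=mine'


def escape_dn_chars(value):
    """Escape a string so it can be used as an attribute value in a DN.

    Every special character is prefixed with a backslash, NUL becomes
    the hex pair \\00, and a leading '#' or space and a trailing space
    are escaped as RFC 2253 requires.
    """
    out = []
    for ch in value:
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    s = ''.join(out)
    if s.startswith('#') or s.startswith(' '):
        s = '\\' + s
    if s.endswith(' ') and not s.endswith('\\ '):
        s = s[:-1] + '\\ '
    return s


def validate_uid(uid):
    """Return True if uid conforms to the assumed local uid definition."""
    return bool(UID_RE.match(uid))


def build_bind_dn(uid, base_dn=BASE_DN):
    """Validate the uid first, then escape it and assemble the bind DN.

    Raises ValueError for any uid outside the local definition, so a value
    such as 'alice,ou=Admin' never reaches the directory at all; escaping is
    only the second line of defence for characters the policy does allow.
    """
    if not validate_uid(uid):
        raise ValueError('uid does not match local uid definition: %r' % uid)
    return 'uid=%s,%s' % (escape_dn_chars(uid), base_dn)


if __name__ == '__main__':
    # Constructed inputs for demonstration.
    for candidate in ('alice', 'bob.smith', 'alice,ou=Admin', '#weird '):
        try:
            print(build_bind_dn(candidate))
        except ValueError as err:
            print('rejected:', err)
    # What escaping alone would have produced for the rejected values:
    print(escape_dn_chars('alice,ou=Admin'))   # alice\,ou\=Admin
    print(escape_dn_chars('#weird '))          # \#weird\ 
```

Note that python-ldap itself ships ldap.dn.escape_dn_chars and ldap.filter.escape_filter_chars for the two different contexts; the point of the example is the order of operations: reject input outside the local definition first, and escape only what the policy lets through.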