
Re: escaping strings in DN



On Thu, 22 May 2003 08:37:56 +0200
Michael Ströder <michael@stroeder.com> wrote:

> Erik Thiele wrote:
> > 
> > i just started typing this code:
> > 
> > ldap_simple_bind_s ("uid="+victim+",ou=People,dc=mine", pass);
> > 
> > (it is C, the + is just for simplification)
> > 
> > i think this is a security problem, as the user can type the
> > "victim" in an edit field. for example he can do:
> > 
> > victim="paul,foo=bar,i=you,he=she"
> > 
> > and creates effects not intended by the programmer.
> 
> Every application is responsible for validating its input according to
> local definitions and security policy.

what definitions ?
what policy ?
(see below)

> > i don't find a
> > ldap_escape_string
> > function.
> 
> Just calling an escape function is not a substitution for checking
> input.
> 
> This is not specific to OpenLDAP though...

this is not true.

every other library handling this kind of problem provides an
escape routine. examples:

- url_escape (for passing parameters to PHP scripts)
- pg_escape (for SQL queries in postgresql database library)
- shell_escape (for escaping strings making them safe to be passed to
  the shell)

etc. etc.

example code:

sql.query("select * from foo where name = '" + pg_escape(searchname) + "'");
www.download("http://www.foo.org/blabla.php?username=" + url_escape(searchname));
system("sh -c echo the username safely is " + shell_escape(searchname));

in all these cases there is no security risk and the "searchname"
parameter is always correctly escaped the way the corresponding
system needs it.

but with LDAP i am left on my own. how shall i know how i must escape the
string correctly? the library must do this!

look:

ldap.query("ou=People,dc=foo,dc=bar", "username=" + ldap_escape(searchname));

the ldap library really should provide the ldap_escape routine.
otherwise i have to write my own. but the rules i follow when writing it
are coded in the RFC or otherwise standard of ldap query syntax.

it is not right to let the user do this work. it must definitely be done in
the ldap library.

what happens today is

1) users don't do the check and open a security hole
2) users do the check, but they add too many restrictions just because
   they are not sure what is allowed and what not and how to escape.
   (for example, my own ldap_escape routine will just allow a-z, A-Z)
3) they use some other escape routine like url_escape because they
   think it might be appropriate. but is it really?


it should not be up to the programmer to limit the entries the end-user can enter
in the edit field if the programmer doesn't even know what is allowed and
what not (like me). on the other hand it's always the same work to be done.
and it is LDAP specific. so it belongs in the library.



cu & thx
Erik

-- 
Erik Thiele
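The ldap_escape routine the post asks for, as an added example written here and not code from the thread or from OpenLDAP: it follows the DN escaping rules of RFC 4514 (RFC 2253 at the time of the thread) and the filter escaping rules of RFC 4515, so the "victim" value from the post stays one attribute value. The function names and the example DN suffix are assumptions chosen to match the snippets above.

```python
# Added example, not from the thread or OpenLDAP: escaping for the two places
# where untrusted text ends up inside LDAP strings, a DN and a search filter.

# RFC 4514 section 2.4: characters that must be backslash-escaped in a DN value.
# '=' is not required by RFC 4514 but is allowed and was required by RFC 2253.
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:
            out.append('\\#')            # a leading '#' would mean a hex-encoded value
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')            # leading and trailing spaces are significant
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    # Only these characters change the meaning of a filter; they are hex-escaped.
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def bind_dn(uid: str) -> str:
    """Build the bind DN from the post with the user-supplied uid escaped."""
    return 'uid=' + escape_dn_value(uid) + ',ou=People,dc=mine'


def uid_filter(uid: str) -> str:
    """Build an equality filter for a uid; '*' and ')' in the input stay literal."""
    return '(uid=' + escape_filter_value(uid) + ')'


if __name__ == '__main__':
    # Constructed input: the value from the post that adds extra RDNs unescaped.
    print(bind_dn('paul,foo=bar,i=you,he=she'))
    print(uid_filter('paul*'))
```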