On Thu, 22 May 2003 08:37:56 +0200 Michael Ströder <michael@stroeder.com> wrote:
Erik Thiele wrote:
i just started typing this code:
ldap_simple_bind_s ("uid="+victim+",ou=People,dc=mine", pass);
(it is C, the + is just for simplification)
i think this is a security problem, as the user can type the "victim" in an edit field. for example he can do:
victim="paul,foo=bar,i=you,he=she"
and creates effects not intended by the programmer.
Every application is responsible for validating its input according to local definitions and security policy.
what definitions ?
what policy ?
Your security policy.
(see below)
i don't find an ldap_escape_string function.
Just calling an escape function is not a substitution for checking input.
This is not specific to OpenLDAP though...
this is not true.
every other library that handles this kind of problem provides an escape routine. examples:
- url_escape (for passing parameters to PHP scripts)
- pg_escape (for SQL queries in postgresql database library)
- shell_escape (for escaping strings making them safe to be passed to the shell)
In Python it looks like this (grabbed from python-ldap's CVS version):
    def escape_filter_chars(assertion_value):
        """
        Replace all special characters found in assertion_value by quoted notation
        """
        s = assertion_value.replace('\\', r'\5c')
        s = s.replace(r'*', r'\2a')
        s = s.replace(r'(', r'\28')
        s = s.replace(r')', r'\29')
        s = s.replace('\x00', r'\00')
        return s
the ldap library really should provide the ldap_escape routine.
More specifically, you mean escaping for values added to LDAP search filters.
Ciao, Michael.
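The two points made in this thread (an escape routine does not replace an input policy, and escaping for search filters is a different thing from escaping for a DN) are easy to show in code. The following is an added example, not code from the thread, from python-ldap or from OpenLDAP. It carries the filter-escaping function as posted above, adds a DN attribute-value escaper following RFC 4514 section 2.4, an allowlist policy for uid values (the regex is a constructed policy for this example, not anything the thread defines), and a simplified RDN splitter (constructed, not a full DN parser) used only to count how many RDNs a built DN ends up with. The string `paul,foo=bar,i=you,he=she` is the one from the thread.

```python
"""Added example: filter escaping vs DN escaping vs input policy for LDAP.

Not code from the thread, python-ldap or OpenLDAP.  The uid policy, the
names below and the RDN splitter are constructed for illustration.
"""
import re

# Sample input from the thread: a "uid" that smuggles in extra RDNs.
VICTIM = "paul,foo=bar,i=you,he=she"


def escape_filter_chars(assertion_value: str) -> str:
    """Filter-value escaping (RFC 4515), as in the python-ldap snippet above."""
    s = assertion_value.replace('\\', r'\5c')   # backslash first, so later
    s = s.replace('*', r'\2a')                   # escapes are not re-escaped
    s = s.replace('(', r'\28')
    s = s.replace(')', r'\29')
    s = s.replace('\x00', r'\00')
    return s


# DN attribute values have a different special set (RFC 4514 section 2.4):
# , + " \ < > ; anywhere, '#' at the start, space at start or end, and NUL.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape a single attribute value for use inside an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append(r'\00')
        elif ch == '#' and i == 0:
            out.append(r'\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append(r'\ ')
        else:
            out.append(ch)
    return ''.join(out)


# Constructed policy: a uid is 1..32 chars of [a-z0-9._-], starting alphanumeric.
# This is the "local definition" the thread says each application must supply.
_UID_RE = re.compile(r'[a-z0-9][a-z0-9._-]{0,31}')


def is_valid_uid(uid: str) -> bool:
    return _UID_RE.fullmatch(uid) is not None


def build_bind_dn(uid: str) -> str:
    """Policy check first; escaping is defence in depth, not the check itself."""
    if not is_valid_uid(uid):
        raise ValueError(f"uid rejected by policy: {uid!r}")
    return f"uid={escape_dn_value(uid)},ou=People,dc=mine"


def build_search_filter(uid: str) -> str:
    """Search filters use the RFC 4515 escaping, not the DN one."""
    return f"(uid={escape_filter_chars(uid)})"


def split_rdns(dn: str) -> list:
    """Split a DN on commas that are not backslash-escaped (simplified)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):      # keep escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


if __name__ == "__main__":
    raw = f"uid={VICTIM},ou=People,dc=mine"
    print("unescaped DN   ->", len(split_rdns(raw)), "RDNs")
    filt = f"uid={escape_filter_chars(VICTIM)},ou=People,dc=mine"
    print("filter-escaped ->", len(split_rdns(filt)), "RDNs (no help for a DN)")
    dnv = f"uid={escape_dn_value(VICTIM)},ou=People,dc=mine"
    print("DN-escaped     ->", len(split_rdns(dnv)), "RDNs")
    print("policy accepts 'paul':", is_valid_uid("paul"), "; accepts victim:", is_valid_uid(VICTIM))
```

Running it shows the unescaped and the filter-escaped DN both carry six RDNs, because none of the filter metacharacters appear in the injected string, while the DN-escaped form keeps the whole input inside the single `uid=` RDN. `build_bind_dn` rejects the string before any escaping happens, which is the order the thread argues for: policy first, escaping as a second layer.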