Re: escaping strings in DN

[Michael Ströder <michael@stroeder.com>]

Erik Thiele wrote:
> Michael Ströder <michael@stroeder.com> wrote:
>
> > Erik Thiele wrote:
> >
> > > Michael Ströder <michael@stroeder.com> wrote:
> > >
> > > > Erik Thiele wrote:
> > > > > ldap_simple_bind_s ("uid="+victim+",ou=People,dc=mine", pass);
> >
> > Ok, if you're only worrying about escaping special LDAP filter chars when 
> > using uid as search attribute then read RFC2254 on how to construct 
> > syntactically correct LDAP filters.

Sorry, misread your posting:
RFC2253 (DN string representation) is relevant here.

> are the rules in the above python escape code sufficient?
> for example if i search for some binary data like the content of
> a jpeg image? or aren't they, and the current python implementation
> is insecure?

As I said: If escaping special chars before passing user's input to a 
back-end is your only security mechanism I would consider your application 
to be highly flawed.

1. Strictly validate user's input according to
2. Optionally massage user's input
3. Pre-process user's input to form syntactically correct parameters
   (e.g. escapge special chars)
4. Pass pre-processed input to back-end.

Ciao, Michael.