chingfeng / vt-middleware

Automatically exported from code.google.com/p/vt-middleware

ldaptive: Escape/encode argument to FormatDnResolver.format() #191

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

1. FormatDnResolver format="uid=%1$s,ou=accounts,ou=myorg"
2. username argument "fred,ou=restricted"

Expect to see "uid=fred\,ou\=restricted,ou=accounts,ou=myorg" (or hex-encoded equivalent).

Resulting bind DN is instead "uid=fred,ou=restricted,ou=accounts,ou=myorg", i.e. this is analogous to SQL injection.

What version of the product are you using? On what operating system?

Using ldaptive v1.0.1 (RedHat)

I think it would be a good idea to escape/encode DN special characters prior to calling FormatDnResolver.format().

Original issue reported on code.google.com by tfpo...@ucdavis.edu on 6 Sep 2013 at 10:22

GoogleCodeExporter commented 8 years ago
Ideas:

https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
http://docs.oracle.com/javase/7/docs/api/javax/naming/ldap/Rdn.html#escapeValue(java.lang.Object)

Original comment by tfpo...@ucdavis.edu on 9 Sep 2013 at 1:39

GoogleCodeExporter commented 8 years ago

Original comment by dfis...@gmail.com on 9 Sep 2013 at 3:22

GoogleCodeExporter commented 8 years ago
Add support for escaping attribute values in LdapAttribute based on RFC 4514, section 2.4.
Update FormatDnResolver to escape user input by default.
Fixed in r2807.

Original comment by dfis...@gmail.com on 9 Sep 2013 at 3:47
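The following is an added example, not ldaptive's own code, illustrating both the original report (a raw username pasted into the DN template) and the fix comment above (escaping the value per RFC 4514 section 2.4 before formatting). It assumes FormatDnResolver fills the "%1$s" placeholder in the same way as String.format; the class name DnEscapeExample and the methods resolveUnescaped, resolveEscaped and escapeRfc4514 are hypothetical names chosen here. The JDK's javax.naming.ldap.Rdn.escapeValue, linked in the second comment, is shown alongside for comparison.

```java
import javax.naming.ldap.Rdn;

// Added example (not ldaptive code): why the value must be escaped before it is
// formatted into a DN template, and what RFC 4514 section 2.4 escaping produces.
public class DnEscapeExample {

    // The format string from the issue. FormatDnResolver is assumed here to fill
    // %1$s exactly as String.format does.
    static final String FORMAT = "uid=%1$s,ou=accounts,ou=myorg";

    // Behaviour reported in the issue: the raw value goes straight into the template,
    // so "fred,ou=restricted" introduces an extra RDN into the bind DN.
    static String resolveUnescaped(String username) {
        return String.format(FORMAT, username);
    }

    // Behaviour after the fix: escape the value first, so the username stays a
    // single attribute value whatever characters it contains.
    static String resolveEscaped(String username) {
        return String.format(FORMAT, escapeRfc4514(username));
    }

    // Escape one attribute value per RFC 4514 section 2.4: a leading '#' or space,
    // a trailing space, the characters '"', '+', ',', ';', '<', '>', '\' anywhere,
    // and NUL as "\00". RFC 4514 makes '=' optional to escape; it is escaped here
    // as well, matching the expected DN in the report and the JDK's Rdn.escapeValue.
    static String escapeRfc4514(String value) {
        StringBuilder sb = new StringBuilder(value.length() * 2);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean first = (i == 0);
            boolean last = (i == value.length() - 1);
            switch (c) {
                case '"': case '+': case ',': case ';':
                case '<': case '>': case '\\': case '=':
                    sb.append('\\').append(c);
                    break;
                case '#':
                    if (first) {
                        sb.append('\\');
                    }
                    sb.append(c);
                    break;
                case ' ':
                    if (first || last) {
                        sb.append('\\');
                    }
                    sb.append(c);
                    break;
                case '\0':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the username from the report.
        String username = "fred,ou=restricted";

        System.out.println("unescaped : " + resolveUnescaped(username));
        System.out.println("escaped   : " + resolveEscaped(username));
        System.out.println("jdk Rdn   : " + String.format(FORMAT, Rdn.escapeValue(username)));

        // The DN the report says should be produced.
        String expected = "uid=fred\\,ou\\=restricted,ou=accounts,ou=myorg";
        if (!expected.equals(resolveEscaped(username))) {
            throw new AssertionError("escaping does not match the DN expected in the report");
        }
        if (!expected.equals(String.format(FORMAT, Rdn.escapeValue(username)))) {
            throw new AssertionError("JDK Rdn.escapeValue differs from the expected DN");
        }
    }
}
```

Compile and run with `javac DnEscapeExample.java && java DnEscapeExample`. The point of the comparison is that the unescaped resolver produces a DN with four RDNs, while the escaped one produces three, with the comma and equals sign carried inside the uid value; the same check is the detection you want in a unit test for any DN template that accepts user input.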