ldaptive: Escape/encode argument to FormatDnResolver.format()

GoogleCodeExporter commented 8 years ago

What steps will reproduce the problem?

1. FormatDnResolver format="uid=%1$s,ou=accounts,ou=myorg"
2. username argument "fred,ou=restricted"

Expect to see "uid=fred\,ou\=restricted,ou=accounts,ou=myorg" (or hex-encoded 
equivalent).

Resulting bind DN is instead "uid=fred,ou=restricted,ou=accounts,ou=myorg" I.e. 
this is analogous to SQL injection.

What version of the product are you using? On what operating system?

Using ldaptive v1.0.1 (RedHat)

Think it a good idea to escape/encode DN special characters prior to calling 
FormatDnResolver.format()

Original issue reported on code.google.com by tfpo...@ucdavis.edu on 6 Sep 2013 at 10:22

GoogleCodeExporter commented 8 years ago

Ideas:

https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
http://docs.oracle.com/javase/7/docs/api/javax/naming/ldap/Rdn.html#escapeValue(
java.lang.Object)

Original comment by tfpo...@ucdavis.edu on 9 Sep 2013 at 1:39

GoogleCodeExporter commented 8 years ago

Original comment by dfis...@gmail.com on 9 Sep 2013 at 3:22

Changed title: ldaptive: Escape/encode argument to FormatDnResolver.format()
Changed state: Accepted

GoogleCodeExporter commented 8 years ago

Add support for escaping attribute values in LdapAttribute based on RFC 4514, 
section 2.4
Update FormatDnResolver to escape user input by default.
Fixed in r2807.

Original comment by dfis...@gmail.com on 9 Sep 2013 at 3:47

Changed state: Fixed

suesianne / vt-middleware

ldaptive: Escape/encode argument to FormatDnResolver.format() #191