New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Canoniclizing out of EncodeforLdap or EncodeForDN if contains specific characters like "(, ) #" etc. messes up the input. #293
Comments
From shilpi.a...@gmail.com on October 29, 2012 22:55:50 Same is happening for encodeForCSS - Input String - !@$%()=+{}[] Is there any way we can know when this issue will be resolved. Shilpi |
From shilpi.a...@gmail.com on September 08, 2013 23:25:42 Hi, Is there any update on this issue? Shilpi |
I think this is actually a bug. LDAP filtering syntax requires only unmatched parentheses to be escaped. I couldn't find an RFC, but this link from Microsoft has this to say:
|
@kwwall This bug is legitimate, I will take this one. |
@xeno6696 Go for it. I was thinking perhaps that '|', '&', and '!' would also need escaping for LDAP, but since it uses prefix notation for everything [e.g., "(&(objectCategory=person)(objectClass=contact)(|(sn=Wall)(sn=Seil)))"] and every sub-expression has to be fully parenthesized, I guess in hindsight, you wouldn't have to do to that extreme. If those characters were in the middle of an expression, they would just be interpreted literally. Also, were you planning on fixing the CSS encoding as well? If not, we should probably split this issue into two issues so that we can at least close the LDAP part of it. |
No... just the LDAP issue. Are we open to the idea of using parsers? Some of this stuff makes more sense (to me) to use something like JavaCC to construct an LDAP parser as opposed to the |
Not sure I’m following here — we’re canonicalizing to make sure that encoded attacks can’t sneak through validation to reach an interpreter. We should decode for all possible downstream interpreters (this is hard). And sometimes that means that we will have encoding scheme collisions that prevent the use of certain constructs in the data. I don’t know what you have in mind for the parser, but it seems dangerous to me as we wouldn’t be able to match the behavior of all the parsers in all the implementations of these interpreters. We can’t rely on the BNF because many parsers are written by crazy people, particularly the ones in browsers. But these parsers go to great lengths to accommodate malformed data that doesn’t match any spec. --Jeff From: Matt Seil <notifications@github.commailto:notifications@github.com> No... just the LDAP issue. Are we open to the idea of using parsers? Some of this stuff makes more sense (to me) to use something like JavaCC to construct an LDAP parser as opposed to the char array searches we seem to be using. — |
@planetlevel I've heard rumors that ESAPI was also written by a bunch of crazy people. :) |
So @planetlevel and @kwwall what's the final direction on this one? |
Sorry, this got lost in all my other emails. In theory you probably could write a regex to recognize valid Overall though, I'm not sure this is really an issue. I mean, Again, sorry so late for providing feedback. kevin |
@kwwall I thought I saw a new pull request fixing this 1-2months back. Shall we close? |
Well, we shouldn't close it until the PR has been closed. If you want to
get the PR for this and then merge it, then we can close this.
…-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Jun 18, 2017 18:55, "Matt Seil" ***@***.***> wrote:
@kwwall <https://github.com/kwwall> I thought I saw a new pull request
fixing this 1-2months back. Shall we close?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#293 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB3nmwlT7bgU_YrySLNWTzjeT1j6z5SZks5sFarhgaJpZM4C6zDO>
.
|
Just make sure that there are new JUnit tests to cover these cases though.
Thanks,
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Jun 18, 2017 18:55, "Matt Seil" <notifications@github.com> wrote:
@kwwall <https://github.com/kwwall> I thought I saw a new pull request
fixing this 1-2months back. Shall we close?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#293 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB3nmwlT7bgU_YrySLNWTzjeT1j6z5SZks5sFarhgaJpZM4C6zDO>
.
|
This one isn't the same as #389 |
For all I wrote, this isn't actually a bug. Rereading the OP:
Had I paid a bit more attention here, his complaint is that he'll encode it, and then it gets transformed later when canonicalize scans it and identifies it as a JavaScript character. In short, he's not using the encoder correctly here. He should be encoding input just before he hands it off to the LDAP interpreter. He should be storing the encoded value or otherwise using it. This isn't a bug, I am closing. |
From shilpi.a...@gmail.com on September 28, 2012 07:16:09
What steps will reproduce the problem? I can do EncodeForLdap and EncodeForDN however the output when passed through canonicalize, is garbage.
Try using test string - "Hi (This) ="
Here "(" is converted to \28 on encoding. On decoding it gets converted to Character 2 which is stx i.e. nothing. What is the expected output? What do you see instead? Input string before encoding should be returned What version of the product are you using? On what operating system? 2.0.1 Does this issue affect only a specified browser or set of browsers? all browsers Please provide any additional information below. I can do EncodeForLdap and EncodeForDN however the output when passed through canonicalize, is garbage.
Try using test string - "Hi (This) ="
Here "(" is converted to \28 on encoding. On decoding it gets converted to Character 2 which is stx i.e. nothing.
Please help.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=287
The text was updated successfully, but these errors were encountered: