vt-middleware - issue #191

ldaptive: Escape/encode argument to FormatDnResolver.format()


Posted on Sep 6, 2013 by Helpful Rabbit

What steps will reproduce the problem?

  1. FormatDnResolver format="uid=%1$s,ou=accounts,ou=myorg"
  2. username argument "fred,ou=restricted"

Expect to see "uid=fred,ou\=restricted,ou=accounts,ou=myorg" (or hex-encoded equivalent).

Resulting bind DN is instead "uid=fred,ou=restricted,ou=accounts,ou=myorg", i.e. this is analogous to SQL injection.

What version of the product are you using? On what operating system?

Using ldaptive v1.0.1 (RedHat)

Think it a good idea to escape/encode DN special characters prior to calling FormatDnResolver.format().

Comment #2

Posted on Sep 9, 2013 by Grumpy Lion

(No comment was entered for this change.)

Comment #3

Posted on Sep 9, 2013 by Grumpy Lion

Add support for escaping attribute values in LdapAttribute based on RFC 4514, section 2.4. Update FormatDnResolver to escape user input by default. Fixed in r2807.

Status: Fixed

Labels:
Type-Defect Priority-Medium
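Added example (not ldaptive's code and not the r2807 change, which is not shown on this page): a stand-alone Java escaper following RFC 4514 section 2.4, applied to the reporter's format string and the injected username from the report. The class and method names (DnValueEscaper, escape, unsafeBindDn, bindDn, unescapedCommas) are assumed for the illustration. RFC 4514 only requires escaping of `"`, `+`, `,`, `;`, `<`, `>`, `\`, a leading space or `#`, a trailing space, and NUL; `=` is escaped here as well because the grammar accepts `\=` and it matches the output the reporter expected.

```java
import java.util.Locale;

/**
 * Added example: RFC 4514 section 2.4 escaping of a single attribute value before it is
 * substituted into a DN format string. Not ldaptive code; class and method names are assumed.
 */
public final class DnValueEscaper {

    /** The format string from the issue report. */
    static final String FORMAT = "uid=%1$s,ou=accounts,ou=myorg";

    private DnValueEscaper() {}

    /**
     * Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value, plus '='
     * which the RFC grammar permits as an escaped pair (optional; included so the value can
     * never be read as a new type=value boundary).
     */
    private static boolean needsEscape(char c) {
        switch (c) {
            case '"': case '+': case ',': case ';': case '<': case '>': case '\\':
            case '=':
                return true;
            default:
                return false;
        }
    }

    /** Escapes one attribute value for use inside a DN string. */
    public static String escape(String value) {
        if (value == null) {
            throw new IllegalArgumentException("value must not be null");
        }
        final int last = value.length() - 1;
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i <= last; i++) {
            char c = value.charAt(i);
            if (c == '\0') {
                out.append("\\00");                                       // NUL must be hex-escaped
            } else if (c < 0x20 || c == 0x7f) {
                out.append(String.format(Locale.ROOT, "\\%02x", (int) c)); // other control chars as hex pairs
            } else if (needsEscape(c)
                    || (i == 0 && (c == ' ' || c == '#'))                 // leading space or '#'
                    || (i == last && c == ' ')) {                          // trailing space
                out.append('\\').append(c);
            } else {
                out.append(c);                                            // everything else passes through
            }
        }
        return out.toString();
    }

    /** Vulnerable form, as observed in the report: user input substituted verbatim. */
    public static String unsafeBindDn(String username) {
        return String.format(FORMAT, username);
    }

    /** Hardened form: the value is escaped before substitution. */
    public static String bindDn(String username) {
        return String.format(FORMAT, escape(username));
    }

    /** Sanity check a caller can apply: count RDN separators that are not escaped. */
    public static int unescapedCommas(String dn) {
        int count = 0;
        for (int i = 0; i < dn.length(); i++) {
            char c = dn.charAt(i);
            if (c == '\\') {
                i++;                 // skip the escaped char (or first hex digit; the second is never a comma)
            } else if (c == ',') {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        String username = "fred,ou=restricted";   // the attacker-controlled input from the report
        String unsafe = unsafeBindDn(username);
        String safe = bindDn(username);
        System.out.println("unsafe: " + unsafe + "  (" + unescapedCommas(unsafe) + " RDN separators)");
        System.out.println("safe:   " + safe + "  (" + unescapedCommas(safe) + " RDN separators)");
        // The template itself contains two commas; a third means the input injected an RDN.
        if (unescapedCommas(safe) != 2) {
            throw new IllegalStateException("escaping failed");
        }
    }
}
```

The unsafe DN carries three unescaped commas, so the bind lands under ou=restricted instead of ou=accounts; the escaped DN carries exactly the two commas present in the template, and the LDAP server treats "fred,ou=restricted" as the literal uid value. The check in unescapedCommas is a cheap defence in depth for any code that still builds DNs by string formatting: the count after substitution must equal the count in the template.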