directory-kerby mailing list archives

From "Li, Jiajia" <jiajia...@intel.com>
Subject RE: KerberosString
Date Wed, 30 Dec 2015 06:32:36 GMT
Thanks Emmanuel for finding and fixing this issue. Checking the String injected into the KerberosString
based on the RFC is important.

Jiajia

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Tuesday, December 29, 2015 4:53 PM
To: kerby@directory.apache.org
Subject: KerberosString

Hi,

looking at the KerberosString class, I think it's not doing the job it's supposed to do.

Kerberos String is a restricted version of the ASN.1 GeneralString, limiting the chars that
can be used to the ASCII sub-set (i.e., 0x00..0x7F).

There is no control whatsoever on the value you can inject into a KerberosString, and this
is extremely dangerous from an interoperability POV.

IMO, we should override the methods that inject data into a KerberosString to enforce this
limitation.

There are more things I'd like to say about the Asn1String class, but I'll submit another
mail later !

Thanks !
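
The check proposed in the message above, sketched as an added example that is not part of the original thread and is not Kerby code: `StrictKerberosString` and its methods are hypothetical names, and the sample values are constructed. It enforces the 0x00..0x7F range on both the setter and the decode path, and shows what unchecked US-ASCII encoding does to a non-ASCII character.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

// Hypothetical helper, not a Kerby class: rejects anything outside 0x00..0x7F
// on both the "set value" path and the "decode from wire" path.
public final class StrictKerberosString {
    private final String value;

    private StrictKerberosString(String value) { this.value = value; }

    // Setter path: refuse characters above 0x7F instead of letting them through.
    public static StrictKerberosString of(String s) {
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) > 0x7F) {
                throw new IllegalArgumentException(
                    "non-ASCII char U+" + Integer.toHexString(s.charAt(i)) + " at index " + i);
            }
        }
        return new StrictKerberosString(s);
    }

    // Decode path: REPORT makes the decoder throw on bytes >= 0x80 instead of
    // substituting U+FFFD the way new String(bytes, US_ASCII) does.
    public static StrictKerberosString decode(byte[] content) throws CharacterCodingException {
        CharBuffer chars = StandardCharsets.US_ASCII.newDecoder()
            .onMalformedInput(CodingErrorAction.REPORT)
            .onUnmappableCharacter(CodingErrorAction.REPORT)
            .decode(ByteBuffer.wrap(content));
        return new StrictKerberosString(chars.toString());
    }

    // Safe to encode directly: the value was validated when it was created.
    public byte[] encode() { return value.getBytes(StandardCharsets.US_ASCII); }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        System.out.println(new String(of("krbtgt/EXAMPLE.COM").encode(), StandardCharsets.US_ASCII));
        // Unchecked encoding silently turns U+00E9 into '?', so a different name goes on the wire.
        System.out.println(new String("ren\u00e9".getBytes(StandardCharsets.US_ASCII), StandardCharsets.US_ASCII));
        try { of("ren\u00e9"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        try { decode(new byte[] {'r', 'e', 'n', (byte) 0xE9}); }
        catch (CharacterCodingException e) { System.out.println("rejected bytes: " + e); }
    }
}
```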