directory-users mailing list archives

From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: Problems with preventing LDAP injection
Date Tue, 29 Sep 2009 16:17:37 GMT
*PLEASE*,

do *NOT* cross post on many mailing lists !!!


satish gutta wrote:
> To prevent attacks we scan our LDAP queries for special characters and
> replace them with respective unicode values,
>
> we use the following code
>
> // Wrapper class, imports and an SLF4J logger field are assumed here so the
> // method compiles; the original mail showed only the method itself.
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> public final class LdapFilterEscaper {
>     private static final Logger logger = LoggerFactory.getLogger(LdapFilterEscaper.class);
>
>     // Replaces filter metacharacters with their RFC 4515 backslash-hex form.
>     // Note: '*' is deliberately passed through so wildcard searches keep working;
>     // RFC 4515 requires a literal asterisk to be written as "\2a".
>     public static final String escapeLDAPSearchFilter(String filter) {
>         if (filter == null) {
>             return filter;
>         }
>         StringBuffer sb = new StringBuffer();
>         for (int i = 0; i < filter.length(); i++) {
>             char curChar = filter.charAt(i);
>             switch (curChar) {
>                 case '\\':
>                     sb.append("\\5c");
>                     break;
>                 case '(':
>                     sb.append("\\28");
>                     break;
>                 case ')':
>                     sb.append("\\29");
>                     break;
>                 case '\'':
>                     sb.append("\\27");
>                     break;
>                 case '\u0000':
>                     sb.append("\\00");
>                     break;
>                 default:
>                     sb.append(curChar);
>             }
>         }
>         if (logger.isDebugEnabled()) {
>             // The original string literal was split across two lines, which does
>             // not compile in Java; concatenated here.
>             logger.debug("LDAP injection escape search filter String ################# : "
>                     + sb.toString());
>         }
>         return sb.toString();
>     }
> }
>
> if we query using the following string '(G*'
>
> our code above successfully returns this '\28G*'
>
> and further querying LDAP results in the following exception
>
> 'javax.naming.NamingException: [LDAP: error code 80 - OTHER: failed for
> SearchRequest
>         baseDn :
> '0.9.2342.19200300.100.1.25=portal,0.9.2342.19200300.100.1.25=osc,0.9.2342.19200300.100.1.25=state,0.9.2342.19200300.100.1.25=ny,0.9.2342.19200300.100.1.25=us'
>         filter :
> '(&:[9223372036854775807](2.5.4.0=portaluser:[9223372036854775807])(&:[9223372036854775807](2.16.840.1.113730.3.2.2.1.12=(g*:[9223372036854775807])(2.16.840.1.113730.3.2.2.1.18=0:[9223372036854775807])))'
>         scope : whole subtree
>         typesOnly : false
>         Size Limit : no limit
>         Time Limit : 601
>         Deref Aliases : never Deref Aliases
>         attributes : 'objectclass', 'cn', 'uid', 'objectclass',
> 'javaserializeddata', 'javaclassname', 'javafactory', 'javacodebase',
> 'javareferenceaddress', 'javaclassnames', 'javaremotelocation'
> : Unclosed group near index 5
> ^(g.*
>
> Please let us know if this is an APACHE DS issue or we are missing something?
>
> Your help in this regard is greatly appreciated.
>
>   


-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
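Added reference implementation of RFC 4515 assertion-value escaping (not code from this thread, and written in Python rather than the poster's Java): the quoted table escapes `\`, `(`, `)`, `'` and NUL but passes `*` through, so the escaped `\28G*` still carries a wildcard, while RFC 4515 also requires `*` (as `\2a`) and encodes non-ASCII characters byte-wise as UTF-8. The names `escape_filter_value` and `build_uid_filter` and the `allow_wildcard` option are assumptions chosen for this example.

```python
# RFC 4515 section 3: inside a filter assertion value the characters
# '\' '*' '(' ')' and NUL must be written as a backslash followed by two
# hex digits; any other octet may also be escaped the same way, and
# non-ASCII characters are escaped per UTF-8 byte.
FILTER_METACHARS = "\\*()\x00"


def escape_filter_value(value: str, allow_wildcard: bool = False) -> str:
    """Escape a user-supplied string for use as an LDAP filter assertion value.

    allow_wildcard=True keeps a literal '*' so a caller can offer prefix
    searches on purpose (the behaviour of the quoted Java table); every
    other metacharacter is still escaped, so the value can never close or
    open a filter group.  Option name is an assumption of this example.
    """
    out = []
    for ch in value:
        if ch == "*" and allow_wildcard:
            out.append(ch)
        elif ch in FILTER_METACHARS:
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            # Escape each UTF-8 byte, e.g. 'é' -> \c3\a9
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_uid_filter(user_input: str) -> str:
    """Build an equality filter on uid with the untrusted part escaped."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(user_input)


if __name__ == "__main__":
    # Constructed inputs: the value from the mail, and one with a non-ASCII char.
    print(escape_filter_value("(G*"))                      # \28G\2a
    print(escape_filter_value("(G*", allow_wildcard=True)) # \28G*
    print(build_uid_filter("Lécharny"))
```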


