httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: LDAP escaping question
Date Wed, 03 Feb 2016 19:19:50 GMT
Arg, mis-clicked.

On Wed, Feb 3, 2016 at 2:17 PM, Eric Covener <covener@gmail.com> wrote:
> I am looking at an old block of code in mod_authnz_ldap that seems to
> have been there since it was imported.  We do some escaping of the
> HTTP basic auth username before copying it into a filter.
>
>     for (p = user, q=filtbuf + len;
>          *p && q < filtbuf_end; *q++ = *p++) {
>         if (strchr("*()\\", *p) != NULL) {
>             *q++ = '\\';
>             if (q >= filtbuf_end) {
>               break;
>             }
>         }
>     }
>
>
> But neither http://tools.ietf.org/html/rfc4514 nor
> http://tools.ietf.org/html/rfc2253

Actually allow *() to be escaped in this way. Those specs both require
\xx escaping (they allow different sets of characters to be escaped
with \, including \ in both versions).

Anyone around that remembers how this set of characters and the \
escaping were chosen?
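
An added example, not part of the original message or of mod_authnz_ldap: one way to copy a username into a filter using the two-hex-digit `\xx` form the message refers to, which RFC 4515 specifies for search filter values. The function name, the `uid` attribute and the sample username are assumptions, and the function fails rather than truncating when the buffer is too small.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not mod_authnz_ldap code: the function name and the
 * fail-closed behaviour are assumptions made for illustration.
 *
 * Escape `inlen` bytes of `in` for use as an LDAP search filter value,
 * writing each of * ( ) \ and NUL as a backslash plus two hex digits.
 * Returns the escaped length (excluding the terminator), or -1 if `out`
 * is too small; a truncated filter is never returned. */
static long ldap_filter_escape_hex(const char *in, size_t inlen,
                                   char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t i, o = 0;

    if (outlen < 1)
        return -1;
    for (i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        int special = (c == '*' || c == '(' || c == ')' || c == '\\' || c == 0);
        size_t need = special ? 3 : 1;

        if (o + need > outlen - 1) {      /* keep room for the '\0' */
            out[0] = '\0';
            return -1;
        }
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    const char *user = "a*(b)\\c";        /* constructed sample username */
    char buf[64];

    if (ldap_filter_escape_hex(user, strlen(user), buf, sizeof buf) < 0)
        return 1;
    printf("(uid=%s)\n", buf);            /* attribute name is an assumption */
    return 0;
}
```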
