[Freeipa-devel] [PATCH 0019] Add proper DN escaping before LDAP library calls

Petr Spacek pspacek at redhat.com
Wed May 9 12:37:16 UTC 2012


On 05/09/2012 02:17 PM, Adam Tkac wrote:
> On 05/09/2012 02:11 PM, Petr Spacek wrote:
>> On 05/09/2012 01:24 PM, Adam Tkac wrote:
>>> On 05/03/2012 03:46 PM, Petr Spacek wrote:
>>>> On 05/03/2012 11:25 AM, Petr Spacek wrote:
>>>>> Hello,
>>>>>
>>>>> this patch adds missing DNS->LDAP escaping conversion. It's necessary to
>>>>> prevent (potential) LDAP injection attacks in future.
>>>>>
>>>>> Code isn't very nice, because DNS uses decimal escaping \123, LDAP uses
>>>>> hexadecimal escaping \ab and the set of escaped characters is smaller in
>>>>> DNS than in LDAP.
>>>>>
>>>>> Any improvements are welcome.
>>>>>
>>>>> Petr^2 Spacek
>>>>
>>>> Here is second version of the patch.
>>>>
>>>> Changes:
>>>> - comments
>>>> - order of [._-] in if()
>>>> - function was renamed to dns_to_ldap_dn_escape()
>>>>
>>>> Escaping logic itself wasn't changed.
>>>
>>> Hello Peter,
>>>
>>> please check my comments inside the patch.
>> Oh, I feel so ashamed. All errors were corrected, see attachment.
>>
>> Petr^2 Spacek
> Ack, please push it to master.
Pushed with minor change as discussed on IRC: log_error() was substituted by 
REQUIRE().

https://fedorahosted.org/bind-dyndb-ldap/changeset/3d43fd66aa68ef275855391a94e47e9d2f30309d

Petr^2 Spacek

>>
>>>
>>> Regards, Adam
>>>
>>>>
>>>> Petr^2 Spacek
>>>>
>>>> bind-dyndb-ldap-pspacek-0019-2-Add-proper-DN-escaping-before-LDAP-library-calls.patch
>>>>
>>
>> bind-dyndb-ldap-pspacek-0019-3-Add-proper-DN-escaping-before-LDAP-library-calls.patch
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0019-4-Add-proper-DN-escaping-before-LDAP-library-calls.patch
Type: text/x-patch
Size: 6872 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120509/f250b116/attachment.bin>
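
The conversion discussed in this thread (DNS decimal escapes such as \123 turned into LDAP hexadecimal escapes such as \ab), as an added example that is not the attached patch and not bind-dyndb-ldap code. The function name example_dns_to_ldap_escape, the allow-list [A-Za-z0-9._-] and the error handling are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical name, not the project's function). Converts a
 * DNS name in text form (escapes: \DDD decimal or \X) into an LDAP DN value
 * (escapes: \XX hex). Returns 0 on success, -1 on bad input or short buffer. */
int example_dns_to_ldap_escape(const char *dns, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)dns; *p != '\0'; p++) {
        unsigned int byte = *p;
        int escaped = (*p == '\\');
        if (escaped && isdigit(p[1])) {          /* \DDD: three decimal digits */
            if (!isdigit(p[2]) || !isdigit(p[3]))
                return -1;
            byte = (p[1] - '0') * 100 + (p[2] - '0') * 10 + (p[3] - '0');
            if (byte > 255)
                return -1;
            p += 3;
        } else if (escaped && p[1] != '\0') {    /* \X: literal next character */
            byte = *++p;
        } else if (escaped) {
            return -1;                           /* dangling backslash */
        }
        /* Allow-list: only unescaped [A-Za-z0-9._-] is copied verbatim. */
        if (!escaped && (isalnum(byte) || byte == '.' || byte == '_' || byte == '-')) {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)byte;
        } else {                                 /* everything else: \XX hex */
            if (o + 3 >= outlen)
                return -1;
            snprintf(out + o, outlen - o, "\\%02x", byte);
            o += 3;
        }
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];   /* constructed sample input: DNS text a\,b=c.example */
    if (example_dns_to_ldap_escape("a\\,b=c.example", buf, sizeof(buf)) == 0)
        puts(buf);
    return 0;
}
```

Characters that were escaped on the DNS side are always emitted in hex form here, so an escaped dot inside a label stays distinguishable from a label separator.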

