grouper-dev - Re: [grouper-dev] Re: Grouper search not working
Subject: Grouper Developers Forum
- From: Jim Fox
- To: Tom Barton
- Cc: dan
- Subject: Re: [grouper-dev] Re: Grouper search not working
- Date: Tue, 23 Jan 2007 21:35:22 -0800 (Pacific Standard Time)
> > And while I'm at it - does anyone else consider it a security flaw that
> > Grouper naively interpolates the string into a query? In my experience
> > this has been one of the BIG no-nos of web application development.
> >
> > One could easily type a query that closes the open brace around a search
> > term and inserts additional terms into queries that expose additional
> > information or breaks the system in other ways.
>
> Information exposure should be managed by the access controls in the
> ldap server. Likewise, administrative limits configured in the ldap
> server should protect it from other potential breakage. But it's still a
> good question. I haven't heard of issues of this sort arising
> specifically in relation to accessing info in an ldap server - anyone else?
>
I agree with Dan that it is very bad policy to not parse form input
when it is received. At least filter invalid characters.
Jim
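
The point raised in this thread, as an added example that is not part of the original messages and is not Grouper's own code: a form value is escaped per RFC 4515 before it is placed in an LDAP search filter, next to the naive interpolation for comparison. The class name, the filter template and the sample inputs are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

public class LdapFilterEscape {

    // Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
    // '*', '(', ')', '\' and NUL become a backslash followed by two hex digits.
    // Non-ASCII bytes are hex-escaped too, which RFC 4515 also permits.
    static String escapeFilterValue(String input) {
        StringBuilder out = new StringBuilder();
        for (byte b : input.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c >= 0x80) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    // Hypothetical filter template; the form value is interpolated as typed.
    static String naiveFilter(String term) {
        return "(&(objectClass=group)(cn=" + term + "))";
    }

    // Same template, with the value escaped before interpolation.
    static String escapedFilter(String term) {
        return "(&(objectClass=group)(cn=" + escapeFilterValue(term) + "))";
    }

    // Number of '(' in the filter. After escaping, this depends only on the
    // template, so a change in the count means the input altered the structure.
    static long openParens(String filter) {
        return filter.chars().filter(ch -> ch == '(').count();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a plain term, a term that closes the
        // parenthesis and adds a clause, and a term containing '*' and '\'.
        String[] samples = { "staff", "staff)(description=*", "a*b\\c" };
        for (String s : samples) {
            String naive = naiveFilter(s);
            String safe = escapedFilter(s);
            System.out.println("input:   " + s);
            System.out.println("naive:   " + naive + "  parens=" + openParens(naive));
            System.out.println("escaped: " + safe + "  parens=" + openParens(safe));
        }
    }
}
```

For the second sample the naive filter contains four opening parentheses instead of the template's three, while the escaped filter keeps three and carries the input as `staff\29\28description=\2a`.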