grouper-dev - Re: [grouper-dev] Re: Grouper search not working
Re: [grouper-dev] Re: Grouper search not working

  • From: dan <>
  • To: "Jim Fox" <>
  • Cc: "Tom Barton" <>, "" <>
  • Subject: Re: [grouper-dev] Re: Grouper search not working
  • Date: Wed, 24 Jan 2007 17:20:55 +1100

And if nothing else, it would prevent the user from being surprised by strange behaviour when they accidentally insert an '=' or ')' or '*' into their query string.

I would recommend using this code, or something like it:

http://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java

Cheers,
Dan

On 1/24/07, Jim Fox <> wrote:

> > And while I'm at it - does anyone else consider it a security flaw that
> > Grouper naively interpolates the string into a query? In my experience
> > this has been one of the BIG no-nos of web application development.
> >
> > One could easily type a query that closes the open brace around a search
> > term and inserts additional terms into queries that expose additional
> > information or breaks the system in other ways.
>
> Information exposure should be managed by the access controls in the
> ldap server. Likewise, administrative limits configured in the ldap
> server should protect it from other potential breakage. But it's still a
> good question. I haven't heard of issues of this sort arising
> specifically in relation to accessing info in an ldap server - anyone else?
>
>
> I agree with Dan that it is very bad policy to not parse form input
> when it is received.  At least filter invalid characters.
>
> Jim
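The point both posters make, illustrated with an added example that is not Grouper's code and not the code on the linked OWASP page: a search term interpolated verbatim into an LDAP filter lets `*` turn an exact match into a wildcard, and `)(` lets the caller append assertions on attributes the application never displays. To show the effect offline, the example implements RFC 4515 value escaping plus a small filter parser and evaluator (supporting `&`, `|`, `!`, equality, substring and presence assertions only), and runs the vulnerable and the escaped filter builders against a constructed in-memory directory. The entries, the `(&(objectClass=person)(cn=...))` template and the function names are assumptions made for the illustration.

```python
"""LDAP filter injection on an in-memory directory (added example, not Grouper's code).

RFC 4515 value escaping alongside a minimal filter parser/evaluator, so the
structural effect of naive interpolation versus escaping can be seen without
an LDAP server. Only &, |, !, equality/substring and presence filters are
supported; that is enough for the cases discussed in the thread.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it can only ever be a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def naive_filter(term: str) -> str:
    """Vulnerable builder: the term is interpolated verbatim (the behaviour complained about)."""
    return f"(&(objectClass=person)(cn={term}))"


def safe_filter(term: str) -> str:
    """Hardened builder: same template, but the term is escaped first."""
    return f"(&(objectClass=person)(cn={escape_filter_value(term)}))"


def _unescape(value: str) -> str:
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unbalanced filter at offset {i}")
        return (op, children), i + 1
    end = s.find(")", i)  # a literal ')' in a value is always escaped as \29
    if end < 0:
        raise ValueError("unterminated assertion")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed assertion {s[i:end]!r}")
    return ("=", attr, value), end + 1


def parse_filter(text: str):
    """Parse an RFC 4515 filter into a tuple tree; reject trailing data like a server would."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute names case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    actual = entry.get(attr.lower())
    if actual is None:
        return False
    if value == "*":  # presence filter
        return True
    # Unescaped '*' are substring wildcards; escaped bytes become literal characters.
    pattern = ".*".join(re.escape(_unescape(part)) for part in value.split("*"))
    return re.fullmatch(pattern, actual, re.IGNORECASE) is not None


# Constructed sample entries. Note the 'ou' attribute: the application never
# displays it, but a naive filter lets a caller probe it anyway.
DIRECTORY = [
    {"objectclass": "person", "cn": "Alice Adams", "ou": "staff"},
    {"objectclass": "person", "cn": "Bob Brown", "ou": "contractors"},
    {"objectclass": "groupOfNames", "cn": "Payroll"},
]


def search(filter_text: str) -> list:
    """Return the cn of every entry the filter matches; raises ValueError on bad syntax."""
    node = parse_filter(filter_text)
    return [e["cn"] for e in DIRECTORY if matches(node, e)]


if __name__ == "__main__":
    for term in ["Alice Adams", "*", "*)(ou=contractors", "Alice)"]:
        for label, build in (("naive", naive_filter), ("escaped", safe_filter)):
            try:
                print(f"{label:8} {build(term):50} -> {search(build(term))}")
            except ValueError as exc:
                print(f"{label:8} {build(term):50} -> rejected: {exc}")
```

With the naive builder, the term `*` returns every person, `*)(ou=contractors` returns only Bob (revealing his `ou` through an attribute the application never shows), and `Alice)` produces a filter the parser rejects. With escaping, each of those terms becomes a literal `cn` value and matches nothing, while an ordinary name still finds its entry. The escaping here covers filter values only; a value placed into a DN needs the separate RFC 4514 escaping rules, and the OWASP page Dan links covers the Java side of both.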