Grouper Developers Forum

[dan <>]

And if nothing else, it would prevent the user from being surprised by strange behaviour when they accidentally insert an '=' or ')' or '*' into their query string. 

I would recommend using this code, or something like it: 

http://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java

Cheers,
Dan

On 1/24/07, Jim Fox <> wrote:

> > And while I'm at it - does anyone else consider it a security flaw that
> > Grouper naively interpolates the string into a query? In my experience
> > this has been one of the BIG no-nos of web application development.
> >
> > One could easily type a query that closes the open brace around a search
> > term and inserts additional terms into queries that expose additional
> > information or breaks the system in other ways.
>
> Information exposure should be managed by the access controls in the
> ldap server. Likewise, administrative limits configured in the ldap
> server should protect it from other potential breakage. But it's still a
> good question. I haven't heard of issues of this sort arising
> specifically in relation to accessing info in an ldap server - anyone else?
>

I agree with Dan that it is very bad policy to not parse form input
when it is received.  At least filter invalid characters.

Jim