Grouper Developers Forum

[Tom Barton <>]

Thanks. In thinking and talking with a few others about this a bit, I 
think the right place to implement validation checks for Subject search 
terms is in each Subject SourceAdapter provider, because only they know 
the back-end technology the search term is bound for. The UI doesn't, 
the API doesn't.

So, this goes on the list for Subject v1.0. I'm CCing the signet-dev 
list on this message so that this issue gets recorded in the right place.

Tom

dan wrote:
> And if nothing else, it would prevent the user from being surprised by 
> strange behaviour when they accidentally insert an '=' or ')' or '*' 
> into their query string.
>
> I would recommend using this code, or something like it:
>
> http://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
>
> Cheers,
> Dan
>
> On 1/24/07, *Jim Fox* < <mailto:>> 
> wrote:
>
>
>      > > And while I'm at it - does anyone else consider it a security
>     flaw that
>      > > Grouper naively interpolates the string into a query? In my
>     experience
>      > > this has been one of the BIG no-nos of web application
>     development.
>      > >
>      > > One could easily type a query that closes the open brace around
>     a search
>      > > term and inserts additional terms into queries that expose
>     additional
>      > > information or breaks the system in other ways.
>      >
>      > Information exposure should be managed by the access controls in the
>      > ldap server. Likewise, administrative limits configured in the ldap
>      > server should protect it from other potential breakage. But it's
>     still a
>      > good question. I haven't heard of issues of this sort arising
>      > specifically in relation to accessing info in an ldap server -
>     anyone else?
>      >
>
>     I agree with Dan that it is very bad policy to not parse form input
>     when it is received.  At least filter invalid characters.
>
>     Jim