This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Talk:Preventing LDAP Injection in Java"
Meddington (talk | contribs) |
|||
(2 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
Question - would it be better to encode using a whitelist approach? I.e. encode everything that is not in a limited set of safe characters? Jeff Williams - 11:54, 14 August 2006 (EDT) | Question - would it be better to encode using a whitelist approach? I.e. encode everything that is not in a limited set of safe characters? Jeff Williams - 11:54, 14 August 2006 (EDT) | ||
− | My only concern with that approach is that we'll be breaking the spec- some LDAP implementations may not handle escaped characters that are not meta-characters properly. [[User:Stephendv|Stephendv]] 07:23, 11 September 2006 (EDT) | + | :My only concern with that approach is that we'll be breaking the spec- some LDAP implementations may not handle escaped characters that are not meta-characters properly. [[User:Stephendv|Stephendv]] 07:23, 11 September 2006 (EDT) |
+ | |||
+ | ::Then perhaps a rule that only allows a limited set of characters AND encodes any of those that are meta-characters would work [[User:Jeff Williams|Jeff Williams]] 15:33, 11 September 2006 (EDT) | ||
+ | |||
+ | While for DN there is some provision for specifying a byte encoding (\XX) there is by spec only certain characters that should be encoded: , (comma), = (equals), + (plus), < (less than), > (greater than), # (number sign), ; (semicolon), \ (backslash), and " (quotation mark, ASCII 34) | ||
+ | |||
+ | Method 1: Escape chars, only , = + < > # ; \ are valid to be escaped: | ||
+ | |||
+ | CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB | ||
+ | |||
+ | Method 2: Replace with hex digits, unknown if all LDAP servers limit to just valid chars to escape: | ||
+ | |||
+ | CN=L. Eagle,O=Sue\2C Grabbit and Runn,C=GB | ||
+ | |||
+ | Method 3: Quote attribute and escape \ or ": | ||
+ | |||
+ | "you need to escape a single backslash this way \\" |
Latest revision as of 22:47, 14 November 2006
Question - would it be better to encode using a whitelist approach? I.e. encode everything that is not in a limited set of safe characters? Jeff Williams - 11:54, 14 August 2006 (EDT)
- My only concern with that approach is that we'll be breaking the spec- some LDAP implementations may not handle escaped characters that are not meta-characters properly. Stephendv 07:23, 11 September 2006 (EDT)
- Then perhaps a rule that only allows a limited set of characters AND encodes any of those that are meta-characters would work Jeff Williams 15:33, 11 September 2006 (EDT)
While for DN there is some provision for specifying a byte encoding (\XX) there is by spec only certain characters that should be encoded: , (comma), = (equals), + (plus), < (less than), > (greater than), # (number sign), ; (semicolon), \ (backslash), and " (quotation mark, ASCII 34)
Method 1: Escape chars, only , = + < > # ; \ are valid to be escaped:
CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB
Method 2: Replace with hex digits, unknown if all LDAP servers limit to just valid chars to escape:
CN=L. Eagle,O=Sue\2C Grabbit and Runn,C=GB
Method 3: Quote attribute and escape \ or ":
"you need to escape a single backslash this way \\"