This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Talk:Preventing LDAP Injection in Java"
From OWASP
| Line 1: | Line 1: | ||
Question - would it be better to encode using a whitelist approach? I.e. encode everything that is not in a limited set of safe characters? Jeff Williams - 11:54, 14 August 2006 (EDT) | Question - would it be better to encode using a whitelist approach? I.e. encode everything that is not in a limited set of safe characters? Jeff Williams - 11:54, 14 August 2006 (EDT) | ||
| + | |||
:My only concern with that approach is that we'll be breaking the spec- some LDAP implementations may not handle escaped characters that are not meta-characters properly. [[User:Stephendv|Stephendv]] 07:23, 11 September 2006 (EDT) | :My only concern with that approach is that we'll be breaking the spec- some LDAP implementations may not handle escaped characters that are not meta-characters properly. [[User:Stephendv|Stephendv]] 07:23, 11 September 2006 (EDT) | ||
| + | |||
| + | ::Then perhaps a rule that only allows a limited set of characters AND encodes any of those that are meta-characters would work [[User:Jeff Williams|Jeff Williams]] 15:33, 11 September 2006 (EDT) | ||
Revision as of 19:33, 11 September 2006
Question - would it be better to encode using a whitelist approach? I.e. encode everything that is not in a limited set of safe characters? Jeff Williams - 11:54, 14 August 2006 (EDT)
- My only concern with that approach is that we'll be breaking the spec- some LDAP implementations may not handle escaped characters that are not meta-characters properly. Stephendv 07:23, 11 September 2006 (EDT)
- Then perhaps a rule that only allows a limited set of characters AND encodes any of those that are meta-characters would work Jeff Williams 15:33, 11 September 2006 (EDT)
