[LDB] was ldb_dn_build_child safer than ldb_dn_add_child_fmt?
Andrew Bartlett
abartlet at samba.org
Wed Dec 27 03:27:15 GMT 2006
I dug up some old code recently, and came across one puzzling part of
the change from ldb_dn_build_child(ctx, attribute, value, dn) to
ldb_dn_add_child_fmt(dn, fmt, ...).

Almost all the callers of ldb_dn_add_child_fmt() simply wish to add
exactly one element to the DN.

E.g.:

./rpc_server/lsa/dcesrv_lsa.c:836:
    if ( ! ldb_dn_add_child_fmt(msg->dn, "cn=%s", name)) {

name in this case is the name of a newly trusted domain.

In these cases, I think this API is over-flexible, in what it could
allow an attacker. The caller expects name to be

    foo

But imagine name was to become:

    foo,cn=users

The resultant DN would be cn=foo,cn=users,<base>. My claim is that this
extra DN component could allow an attacker to play games, etc...

I was wondering if it would be worth adding the old API
(ldb_dn_build_child) back, to ensure that these elements cannot be
misinterpreted?

Thoughts?

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
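
Added example, not part of the original message and not Samba or ldb code: a stand-alone C program contrasting the "cn=%s" formatting pattern quoted above with a builder that takes attribute and value separately and escapes the value first. The function names and the base DN dc=example,dc=com are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: backslash-escape RDN special characters (RFC 4514). */
int rdn_escape(const char *in, char *out, size_t outlen) {
    size_t o = 0, n = strlen(in);
    if (outlen == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        int special = strchr(",+\"\\<>;=", c) != NULL || (i == n - 1 && c == ' ')
            || (i == 0 && (c == ' ' || c == '#'));
        if (o + (special ? 2 : 1) >= outlen) return -1; /* keep room for NUL */
        if (special) out[o++] = '\\';
        out[o++] = c;
    }
    out[o] = '\0';
    return 0;
}

/* The "cn=%s" pattern from the post: the value is pasted in verbatim. */
int child_dn_fmt(char *out, size_t len, const char *name, const char *base) {
    int n = snprintf(out, len, "cn=%s,%s", name, base);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Attribute and value passed separately; the value is escaped first. */
int child_dn_build(char *out, size_t len, const char *attr,
                   const char *value, const char *base) {
    char esc[256];
    if (rdn_escape(value, esc, sizeof esc) != 0) return -1;
    int n = snprintf(out, len, "%s=%s,%s", attr, esc, base);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int dn_components(const char *dn) {  /* unescaped commas + 1 */
    int count = 1;
    for (size_t i = 0; dn[i]; i++) {
        if (dn[i] == '\\' && dn[i + 1]) i++;  /* skip the escaped character */
        else if (dn[i] == ',') count++;
    }
    return count;
}

int main(void) {
    const char *name = "foo,cn=users", *base = "dc=example,dc=com"; /* constructed */
    char a[256], b[256];
    if (child_dn_fmt(a, sizeof a, name, base) != 0) return 1;
    if (child_dn_build(b, sizeof b, "cn", name, base) != 0) return 1;
    printf("fmt:   %s (%d RDNs)\nbuild: %s (%d RDNs)\n", a, dn_components(a), b, dn_components(b));
    return 0;
}
```

With the constructed input, the formatted DN gains a component while the escaped one keeps the whole name inside a single cn value.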