[LDB] was ldb_dn_build_child safer than ldb_dn_add_child_fmt?
idra at samba.org
Fri Dec 29 12:09:28 GMT 2006
On Fri, Dec 29, 2006 at 07:17:20PM +1100, Andrew Bartlett wrote:
> The problem is, where should I validate the input? In every possible
> function that will deal with creating a DN?

Only functions that deal with unknown user-provided input that is used in
privileged operations, as usual.

> We have seen what this does, and it is the world of pain that is SQL
> insertion attacks.

I don't think this is the same. If you accept a complete DN from
userland it is the same; fixing this specific function is not what you
need.

> > If you expect the name to be a single element you can change
> > it this way:
> > if ( ! ldb_dn_add_child_fmt(msg->dn, "cn=\"%s\"", name)) {
> > using quotes. But I would rather do some more checks in the caller.
> >
> > In any case killing the old function was one of my priorities as it was
> > too ugly to survive under many points of view.
>
> It also kept separated data separate. In the old system, only one
> function was responsible for creating an escaped DN, and that function
> could do it right. Now we have every caller having to correctly create
> escaped DN components, and I doubt we will get every case right!

No, we still have just one validation function. If you are worried about
a DN you can just explicitly validate it with ldb_dn_validate() and verify
the number of components or anything else you need to do.

Simo.
--
Simo Sorce idra at samba.org
-------------------------------
Samba Team http://www.samba.org
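
The check discussed in this thread (build the DN, then verify the number of components), as an added example that is not part of the original message and is not ldb code. dn_component_count and dn_escape_value are hypothetical stand-alone helpers, not the ldb API, and the name value is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not ldb: count DN components. A comma separates them
 * unless escaped or inside double quotes. Returns -1 on malformed input. */
int dn_component_count(const char *dn)
{
    int count = 1, in_quotes = 0;
    const char *p, *start = dn;
    for (p = dn; *p; p++) {
        if (*p == '\\') {
            if (*++p == '\0') return -1;     /* dangling backslash */
        } else if (*p == '"') {
            in_quotes = !in_quotes;
        } else if (*p == ',' && !in_quotes) {
            if (p == start) return -1;       /* empty component */
            count++;
            start = p + 1;
        }
    }
    return (in_quotes || p == start) ? -1 : count;
}

/* Hypothetical helper: backslash-escape RFC 4514 specials; -1 if out is too small. */
int dn_escape_value(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in), o = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        int esc = strchr("\"+,;<>\\", in[i]) != NULL
               || (i == 0 && (in[i] == ' ' || in[i] == '#'))
               || (i == n - 1 && in[i] == ' ');
        if (o + (esc ? 2 : 1) >= outlen) return -1;
        if (esc) out[o++] = '\\';
        out[o++] = in[i];
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    const char *name = "x,cn=Administrators";    /* constructed input */
    char esc[64], dn[96];
    if (dn_escape_value(name, esc, sizeof esc) != 0) return 1;
    snprintf(dn, sizeof dn, "cn=%s", name);
    printf("raw:     %s -> %d\n", dn, dn_component_count(dn));
    snprintf(dn, sizeof dn, "cn=%s", esc);
    printf("escaped: %s -> %d\n", dn, dn_component_count(dn));
    return 0;
}
```

A caller that expects a single child component rejects the DN when the count is not 1.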