[LDB] was ldb_dn_build_child safer than ldb_dn_add_child_fmt?

Andrew Bartlett abartlet at samba.org
Fri Dec 29 20:45:26 GMT 2006


On Fri, 2006-12-29 at 12:09 +0000, idra at samba.org wrote:
> On Fri, Dec 29, 2006 at 07:17:20PM +1100, Andrew Bartlett wrote:
> > The problem is, where should I validate the input?  In every possible
> > function that will deal with creating a DN?
> 
> Only functions that deal with unknown user-provided input that is used in
> privileged operations as usual.

We should assume that is most callers, unless we have very specific
knowledge to the contrary.

> > We have seen what this does, and it is the world of pain that is SQL
> > insertion attacks.  
> 
> I don't think this is the same, if you accept a complete DN from
> userland it is the same, fixing this specific function is not what you
> need.

Indeed.  Fixing all of LDB to be robust against malicious inputs is what
I need.  And yes, I realise it conflicts with your 'need for speed'.
The onus should be on a performance critical path to show that it needs
to skip the checks, rather than on every code path to remember to do
them. 

> > > If you expect the name to be a single element you can change
> > > it this way:
> > > if ( ! ldb_dn_add_child_fmt(msg->dn, "cn=\"%s\"", name)) {
> > > using quotes. but I would rather do some more checks in the caller.
> > > 
> > > In any case killing the old function was one of my priorities as it was
> > > too ugly to survive from many points of view.
> > 
> > It also kept separated data separate.  In the old system, only one
> > function was responsible for creating an escaped DN, and that function
> > could do it right.  Now we have every caller having to correctly create
> > escaped DN components, and I doubt we will get every case right!
> 
> No we still have just one validation function. If you are worried about
> a DN you can just explicitly validate it with ldb_dn_validate() and verify
> the number of components or anything else you need to do.

Surely that's exactly the job of ldb_dn_validate()?  But it cannot do
that:  that information is already lost!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
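The injection concern in the thread above, shown as an added illustration that is not code from the thread or from ldb itself: a single escaping routine applied in one place versus a printf-style builder that trusts its caller. The helper names (`dn_escape_value`, `dn_child_fmt_unsafe`, `dn_child_safe`, `dn_count_components`) and the sample inputs are constructed for this example; the escaping rules follow RFC 4514 (backslash before `,` `+` `"` `\` `<` `>` `;`, a leading space or `#`, and a trailing space), and the example does not call any real ldb API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters RFC 4514 requires escaping anywhere inside an attribute value. */
static int dn_needs_escape(char c)
{
    return strchr(",+\"\\<>;", c) != NULL;
}

/* Escape one attribute value for use in an RDN.  Returns a malloc'd string
 * the caller frees.  This is the "one function that does it right" the
 * thread argues for. */
char *dn_escape_value(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(2 * len + 1);   /* worst case: every byte escaped */
    size_t j = 0;
    for (size_t i = 0; i < len; i++) {
        char c = value[i];
        int escape = dn_needs_escape(c)
                  || (i == 0 && (c == ' ' || c == '#'))   /* leading space or '#' */
                  || (i == len - 1 && c == ' ');          /* trailing space */
        if (escape)
            out[j++] = '\\';
        out[j++] = c;
    }
    out[j] = '\0';
    return out;
}

/* Build "cn=<name>,<parent>" by plain formatting, as an add_child_fmt-style
 * caller does when it forgets to escape.  Constructed illustration, not ldb code. */
char *dn_child_fmt_unsafe(const char *parent, const char *name)
{
    size_t n = strlen(parent) + strlen(name) + 5;   /* "cn=" + "," + NUL */
    char *out = malloc(n);
    snprintf(out, n, "cn=%s,%s", name, parent);
    return out;
}

/* Same result shape, but the value is escaped before it is formatted. */
char *dn_child_safe(const char *parent, const char *name)
{
    char *esc = dn_escape_value(name);
    char *out = dn_child_fmt_unsafe(parent, esc);
    free(esc);
    return out;
}

/* Count RDN components of a DN string, treating "\," as data, not a separator.
 * A caller expecting exactly one new component can check parent+1 == child. */
int dn_count_components(const char *dn)
{
    if (*dn == '\0')
        return 0;
    int count = 1;
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1]) {   /* skip the escaped byte */
            p++;
            continue;
        }
        if (*p == ',')
            count++;
    }
    return count;
}

int main(void)
{
    const char *parent = "dc=samba,dc=org";          /* constructed sample */
    const char *name   = "alice,ou=admins";          /* constructed hostile value */
    char *bad  = dn_child_fmt_unsafe(parent, name);
    char *good = dn_child_safe(parent, name);
    printf("unsafe: %s (%d components)\n", bad,  dn_count_components(bad));
    printf("safe:   %s (%d components)\n", good, dn_count_components(good));
    free(bad);
    free(good);
    return 0;
}
```

With the constructed value the unformatted path yields four components (the caller's single `cn=` plus a smuggled `ou=admins`), while the escaped path yields the three the caller intended; comparing `dn_count_components` of parent and child is the kind of post-hoc check the thread notes a validator cannot perform once the escaping step has been skipped.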