[LDB] was ldb_dn_build_child safer than ldb_dn_add_child_fmt?
Andrew Bartlett
abartlet at samba.org
Fri Dec 29 20:45:26 GMT 2006
On Fri, 2006-12-29 at 12:09 +0000, idra at samba.org wrote:
> On Fri, Dec 29, 2006 at 07:17:20PM +1100, Andrew Bartlett wrote:
> > The problem is, where should I validate the input? In every possible
> > function that will deal with creating a DN?
>
> Only functions that deal with unknown user-provided input that is used in
> privileged operations as usual.
We should assume that is most callers, unless we have very specific
knowledge to the contrary.
> > We have seen what this does, and it is the world of pain that is SQL
> > insertion attacks.
>
> I don't think this is the same, if you accept a complete DN from
> userland it is the same, fixing this specific function is not what you
> need.
Indeed. Fixing all of LDB to be robust against malicious inputs is what
I need. And yes, I realise it conflicts with your 'need for speed'.
The onus should be on a performance critical path to show that it needs
to skip the checks, rather than on every code path to remember to do
them.
> > > If you expect the name to be a single element you can change
> > > it this way:
> > > if ( ! ldb_dn_add_child_fmt(msg->dn, "cn=\"%s\"", name)) {
> > > using quotes. but I would rather do some more checks in the caller.
> > >
> > > In any case killing the old function was one of my priorities as it was
> > > too ugly to survive under many points of view.
> >
> > It also kept separated data separate. In the old system, only one
> > function was responsible for creating an escaped DN, and that function
> > could do it right. Now we have every caller having to correctly create
> > escaped DN components, and I doubt we will get every case right!
>
> No we still have just one validation function. If you are worried about
> a DN you can just explicitly validate it with ldb_dn_validate() and verify
> the number of components or anything else you need to do.
Surely that's exactly the job of ldb_dn_validate()? But it cannot do
that: that information is already lost!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
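The thread above argues that a DN built with a format string from user-provided input can silently gain extra components, and that a validator run afterwards cannot tell a smuggled component from a legitimate one. The following is an added example, not ldb code or anything from the Samba project: a small RFC 4514 value escaper (`dn_escape_value`, `dn_build_cn`, `dn_count_components` are hypothetical names chosen here) that makes the single-component assumption hold before the string is assembled, beside the unescaped `"cn=%s"` form for comparison.

```c
/* Added example (not ldb code): escape one attribute value per RFC 4514 so it
 * can only ever be a single RDN component, and count components to show the
 * difference from an unescaped format-string build. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters that must be escaped anywhere inside an RDN value (RFC 4514 2.4). */
static int dn_needs_escape(char c)
{
    return c == ',' || c == '+' || c == '"' || c == '\\' ||
           c == '<' || c == '>' || c == ';';
}

/* Return a newly allocated, RFC 4514-escaped copy of value (caller frees).
 * A leading '#' or space and a trailing space are escaped as the RFC requires;
 * NUL cannot occur inside a C string, so it is not handled here. */
char *dn_escape_value(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 2 + 1);   /* worst case: every byte escaped */
    size_t o = 0;
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        char c = value[i];
        int escape = dn_needs_escape(c)
            || (i == 0 && (c == ' ' || c == '#'))
            || (i == len - 1 && c == ' ');
        if (escape) out[o++] = '\\';
        out[o++] = c;
    }
    out[o] = '\0';
    return out;
}

/* Count top-level RDN components in a DN string, honouring backslash escapes
 * and double-quoted values. Returns 1 for "cn=foo". */
int dn_count_components(const char *dn)
{
    int count = 1;
    int in_quotes = 0;
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }   /* skip escaped byte */
        if (*p == '"') { in_quotes = !in_quotes; continue; }
        if (*p == ',' && !in_quotes) count++;
    }
    return count;
}

/* Build "cn=<value>" with the value escaped first; returns allocated string. */
char *dn_build_cn(const char *name)
{
    char *esc = dn_escape_value(name);
    if (esc == NULL) return NULL;
    size_t n = strlen(esc) + 4;         /* "cn=" + value + NUL */
    char *rdn = malloc(n);
    if (rdn != NULL) snprintf(rdn, n, "cn=%s", esc);
    free(esc);
    return rdn;
}

int main(void)
{
    /* Constructed input containing a component separator. */
    const char *name = "alice,ou=people";
    char unsafe[64];
    snprintf(unsafe, sizeof unsafe, "cn=%s", name);   /* the format-string build */
    char *safe = dn_build_cn(name);                    /* the escaped build */
    printf("unsafe: %s (%d components)\n", unsafe, dn_count_components(unsafe));
    printf("safe:   %s (%d components)\n", safe, dn_count_components(safe));
    free(safe);
    return 0;
}
```

The point the escaper makes concrete: once the comma has been escaped at construction time the DN parser sees one component, whereas running a validator over the unescaped string finds two well-formed components and has no way to know the second one came from the name field.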