[LDB] was ldb_dn_build_child safer than ldb_dn_add_child_fmt?
idra at samba.org
Sun Dec 31 17:39:55 GMT 2006
On Sat, Dec 30, 2006 at 07:45:26AM +1100, Andrew Bartlett wrote:
> We should assume that is most callers, unless we have very specific
> knowledge to the contrary.
Uhmm if accessed via LDAP, samdb should be protected by ACLs.
If accessed via RPC we need validation anyway imo.
So I am not sure I fully agree with you.
> Indeed. Fixing all of LDB to be robust against malicious inputs is what
> I need. And yes, I realise it conflicts with your 'need for speed'.
> The onus should be on a performance critical path to show that it needs
> to skip the checks, rather than on every code path to remember to do
> them.
I have a plan to split ldb_dn into a set of private and public functions
exactly for this purpose. Private functions will be speed optimized,
public functions instead will always validate.
> > a DN you can just explicitly validate it with ldb_dn_validate() and verify
> > the number of components or anything else you need to do.
>
> Surely that's exactly the job of ldb_dn_validate()? But it cannot do
> that: that information is already lost!
You are mixing validation of form with validation of content.
ldb_dn can only do form validation, if you need to validate the content
you need to do it in the caller (or let the ACLs do their job).
Simo.
--
Simo Sorce idra at samba.org
-------------------------------
Samba Team http://www.samba.org
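
The form-versus-content distinction discussed in this message, as an added example that is not part of the original post and is not ldb code. The helpers dn_components, dn_escape_value and build_child are hypothetical, the DN syntax check is simplified, and the sample value is constructed; it shows a child DN built with a plain format call passing a form check while its component count no longer matches what the caller intended, and the same value escaped per RFC 4514 first.

```c
#include <stdio.h>
#include <string.h>

/* Form check only: number of RDN components, or -1 if one lacks "attr=". */
int dn_components(const char *dn) {
    int count = 0, has_eq = 0, len = 0;
    for (const char *p = dn; ; p++) {
        if (*p == '\\' && p[1] != '\0') { p++; len++; continue; } /* escaped pair */
        if (*p == ',' || *p == '\0') {
            if (!has_eq) return -1;
            count++; has_eq = 0; len = 0;
            if (*p == '\0') return count;
        } else {
            if (*p == '=' && len > 0) has_eq = 1;
            len++;
        }
    }
}

/* RFC 4514 string escaping of one attribute value; -1 if out is too small. */
int dn_escape_value(const char *in, char *out, size_t outlen) {
    size_t n = strlen(in), o = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        int special = strchr(",+\"\\<>;=", c) != NULL || (i == 0 && (c == ' ' || c == '#'))
                      || (i == n - 1 && c == ' ');
        if (o + (special ? 2 : 1) >= outlen) return -1;
        if (special) out[o++] = '\\';
        out[o++] = c;
    }
    out[o] = '\0';
    return 0;
}

/* Build "cn=<value>,<base>" raw or escaped; returns component count or -1. */
int build_child(const char *value, const char *base, int escape, char *dn, size_t dnlen) {
    char esc[256];
    if (escape && dn_escape_value(value, esc, sizeof esc) != 0) return -1;
    int w = snprintf(dn, dnlen, "cn=%s,%s", escape ? esc : value, base);
    return (w < 0 || (size_t)w >= dnlen) ? -1 : dn_components(dn);
}

int main(void) {
    char dn[512];
    const char *base = "cn=Users,dc=example,dc=com", *v = "alice,ou=other"; /* constructed */
    printf("raw:     %d components: %s\n", build_child(v, base, 0, dn, sizeof dn), dn);
    printf("escaped: %d components: %s\n", build_child(v, base, 1, dn, sizeof dn), dn);
}
```

Both results pass the form check; only the caller, which knows it added a single component to a three-component base, can tell that five is wrong.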