Talk:Preventing LDAP Injection in Java

From OWASP
Revision as of 17:47, 14 November 2006 by Meddington (Talk | contribs)


Question - would it be better to encode using a whitelist approach? I.e. encode everything that is not in a limited set of safe characters? Jeff Williams - 11:54, 14 August 2006 (EDT)

My only concern with that approach is that we'll be breaking the spec: some LDAP implementations may not handle escaped characters that are not meta-characters properly. Stephendv 07:23, 11 September 2006 (EDT)
Then perhaps a rule that only allows a limited set of characters AND encodes any of those that are meta-characters would work. Jeff Williams 15:33, 11 September 2006 (EDT)

While for DNs there is some provision for specifying a byte encoding (\XX), by spec only certain characters should be encoded: , (comma), = (equals), + (plus), < (less than), > (greater than), # (number sign), ; (semicolon), \ (backslash), and " (quotation mark, ASCII 34).

Method 1: Escape characters; only , = + < > # ; \ are valid to be escaped:

CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB

Method 2: Replace with hex digits; it is unknown whether all LDAP servers limit escaping to just the valid characters:

CN=L. Eagle,O=Sue\2C Grabbit and Runn,C=GB

Method 3: Quote attribute and escape \ or ":

"you need to escape a single backslash this way \\"
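A worked Java implementation of Methods 1 and 2 above, plus the whitelist-then-escape rule proposed earlier in this thread, added here as an illustration; it is not code from the OWASP page or its authors, and the class name DnEscaper, the method names and the allowed character set in the whitelist are assumptions.

```java
/** Escapes a single attribute value for use inside an LDAP distinguished name (RFC 2253 style). */
public final class DnEscaper {

    // The characters the discussion above lists as requiring escaping inside a DN value.
    private static final String SPECIAL = ",=+<>#;\\\"";

    /** Method 1: prefix each special character with a single backslash. */
    public static String escapeWithBackslash(String value) {
        StringBuilder sb = new StringBuilder(value.length() * 2);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (SPECIAL.indexOf(c) >= 0) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Method 2: replace each special character with backslash followed by two hex digits (all are ASCII). */
    public static String escapeWithHex(String value) {
        StringBuilder sb = new StringBuilder(value.length() * 3);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (SPECIAL.indexOf(c) >= 0) {
                sb.append('\\').append(String.format("%02X", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Whitelist rule from the thread: reject anything outside an assumed allowed set, then escape meta-characters. */
    public static String whitelistThenEscape(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean ok = Character.isLetterOrDigit(c) || c == ' ' || c == '.' || c == '-' || SPECIAL.indexOf(c) >= 0;
            if (!ok) throw new IllegalArgumentException("disallowed character at index " + i);
        }
        return escapeWithBackslash(value);
    }

    public static void main(String[] args) {
        String org = "Sue, Grabbit and Runn"; // constructed sample value containing a comma
        System.out.println("CN=L. Eagle,O=" + escapeWithBackslash(org) + ",C=GB");
        System.out.println("CN=L. Eagle,O=" + escapeWithHex(org) + ",C=GB");
    }
}
```

Running main prints the Method 1 and Method 2 forms of the DN shown above (`O=Sue\, Grabbit and Runn` and `O=Sue\2C Grabbit and Runn`); which of the two a given server accepts is the compatibility question the thread raises.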