Oh another LDAP subject that I meant to mention - LDAP Injection. It's
something that's been mentioned regarding our use of LDAP.
For example C:P:Auth:Store:LDAP suggests using a filter like:
(&(objectClass=posixAccount)(uid=%s))
Then does:
$filter =~ s/\%s/$replace/g;
Which on a casual glance would seem to be a possibility for an LDAP-injection
attack.
The problems due to SQL Injection are well known and nobody would write
similar code to interact with a DB. However, there seems to be little in CPAN
that acknowledges the risks of LDAP Injection.
I suspect that Net::LDAP doesn't help here; there is a reference to making
use of Net::LDAP::Filter to specify queries that will be properly escaped,
however there isn't an example in the POD (hell, I glanced at the source and
couldn't be entirely sure).
So again, is this an area that anybody has considered and has some experience
to share?
Thanks again,
Carl
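As an added example (editor's code, not from Carl's mail, from the Catalyst plugin or from Net::LDAP), here is the raw %s substitution from the post beside the escaping RFC 4515 requires for a value placed inside a filter; the filter template is the one quoted above, the function names and the sample uid values are mine.

```python
# Added example: RFC 4515 filter-value escaping versus the naive %s
# substitution quoted in the mail. Runs stand-alone, no LDAP server needed.

# Filter template as quoted in the post (constructed placeholder %s).
FILTER_TEMPLATE = "(&(objectClass=posixAccount)(uid=%s))"


def build_filter_unsafe(template: str, value: str) -> str:
    """Mirror of  $filter =~ s/\\%s/$replace/g;  -- value pasted in verbatim.

    Any '*', '(', ')' or '\\' in value becomes part of the filter grammar
    instead of part of the uid being matched."""
    return template.replace("%s", value)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter.

    RFC 4515 section 3 requires the structural characters '*', '(', ')', '\\'
    and NUL to be written as a backslash plus two hex digits
    (\\2a \\28 \\29 \\5c \\00); every other character passes through."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_safe(template: str, value: str) -> str:
    """Same substitution, but the value is escaped first so the filter
    structure is fixed by the template alone."""
    return template.replace("%s", escape_filter_value(value))


def compare(value: str) -> dict:
    """Return both filters for one constructed uid, for side-by-side review."""
    return {
        "unsafe": build_filter_unsafe(FILTER_TEMPLATE, value),
        "safe": build_filter_safe(FILTER_TEMPLATE, value),
    }


if __name__ == "__main__":
    # Constructed inputs: a normal uid, then one carrying a wildcard.
    for uid in ("carl", "*"):
        print(uid, compare(uid))
```

In Perl the equivalent of escape_filter_value is provided by Net::LDAP::Util (escape_filter_value), which is the function to reach for before interpolating user input into a filter string.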
_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/