use Net::LDAP::Util; my $escaped_search = Net::LDAP::Util::escape_filter_value($search);
On Thursday 24 January 2008 16:30:10 Carl Johnstone wrote: > Oh another LDAP subject that I meant to mention - LDAP Injection. It's > something that's been mentioned regarding our use of LDAP. > > For example C:P:Auth:Store:LDAP suggests using a filter like: > > (&(objectClass=posixAccount)(uid=%s)) > > Then does: > > $filter =~ s/\%s/$replace/g; > > > Which on a casual glance would seem to be a possibility for a > LDAP-injection attack. > > The problems due to SQL Injection are well known and nobody would write > similar code to interact with a DB. However there seems to be little in > CPAN that acknowledges the risks of LDAP Injection. > > I suspect that Net::LDAP doesn't help here, there is a reference to making > use of Net::LDAP::Filter to specify queries that will be properly escaped - > however there isn't an example in the POD (hell I glanced at the source and > couldn't be entirely sure). > > So again is this an area that anybody has considered and has some > experience to share? > > Thanks again, > > Carl > > > _______________________________________________ > List: [email protected] > Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst > Searchable archive: http://www.mail-archive.com/[email protected]/ > Dev site: http://dev.catalyst.perl.org/ -- Knut-Olav Hoven Systemutvikler mob: +47 986 71 700 Linpro AS http://www.linpro.no/ _______________________________________________ List: [email protected] Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/[email protected]/ Dev site: http://dev.catalyst.perl.org/
