Chris Lamb <la...@debian.org> writes:

> I assume that the get_rdn function cannot universally return with
> "htmlspecialchars" applied?

The results of get_rdn should only be quoted when the result is
displayed via HTML.

There are places in the code that use get_rdn in other ways, and these
are likely to break if the value is HTML quoted. e.g. the ldap server is
likely to get confused if fed HTML encoded data.

This patch however may not be complete. Doing a quick "grep get_rdn" I
see one line that looks vulnerable still:

templates/3rdParty/pla/htdocs/add_attr_form.php:        
$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Add new 
attribute'),get_rdn($request['dn'])));

This line exists as is in the sid version too (which was supposedly
fixed), so not specific to wheezy.

It also looks suspiciously like similar lines in files in the same
directory that were fixed.

I noticed the following line that makes me a bit nervous:

templates/3rdParty/pla/htdocs/download_binary_attr.php:$request['filename'] = 
get_request('filename','GET',false,sprintf('%s:%s.bin',get_rdn($request['dn'],true),$request['attr']));

I am sure I have seen talks saying setting the downloaded filename based
on an untrusted parameter is bad....  I can't remember the details right
now however. Might be OK in this context however, because the DN has to
exist in the database before the download can proceed.
-- 
Brian May <b...@debian.org>

Reply via email to