Chris Lamb <la...@debian.org> writes:

> I assume that the get_rdn function cannot universally return with
> "htmlspecialchars" applied?

The results of get_rdn should only be quoted when the result is displayed via HTML. There are places in the code that use get_rdn in other ways, and these are likely to break if the value is HTML quoted, e.g. the LDAP server is likely to get confused if fed HTML-encoded data.

This patch however may not be complete. Doing a quick "grep get_rdn" I see one line that looks vulnerable still:

    templates/3rdParty/pla/htdocs/add_attr_form.php: $request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Add new attribute'),get_rdn($request['dn'])));

This line exists as is in the sid version too (which was supposedly fixed), so it is not specific to wheezy. It also looks suspiciously like similar lines in files in the same directory that were fixed.

I noticed the following line that makes me a bit nervous:

    templates/3rdParty/pla/htdocs/download_binary_attr.php:$request['filename'] = get_request('filename','GET',false,sprintf('%s:%s.bin',get_rdn($request['dn'],true),$request['attr']));

I am sure I have seen talks saying setting the downloaded filename based on an untrusted parameter is bad... I can't remember the details right now however. Might be OK in this context however, because the DN has to exist in the database before the download can proceed.

-- 
Brian May <b...@debian.org>
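The point Brian makes above (escape at the HTML output boundary, not inside the function that returns the RDN, because other consumers need the raw value) as an added, self-contained example. This is not phpLDAPadmin's code: `get_rdn_example()` is a hypothetical stand-in for the real `get_rdn()`, the sample DN is constructed, and the filename helper is one possible check for the download case Brian mentions, not a statement about the original line.

```php
<?php
// Added example, not phpLDAPadmin's code. One value (the RDN) flows into three
// contexts; each context applies its own encoding at the point of use.

// Hypothetical stand-in for get_rdn(): returns the leftmost RDN of a DN, or
// just its value when $valueOnly is true (mirrors the two-argument call in
// the thread). Splits on the first comma not preceded by a backslash, since
// a DN may contain "\," for a literal comma.
function get_rdn_example(string $dn, bool $valueOnly = false): string {
    $parts = preg_split('/(?<!\\\\),/', $dn, 2);
    $rdn = $parts[0];
    if ($valueOnly) {
        $eq = strpos($rdn, '=');
        if ($eq !== false) {
            $rdn = substr($rdn, $eq + 1);
        }
    }
    return $rdn;
}

// Context 1, HTML. The pattern quoted from add_attr_form.php, with the RDN
// inserted into markup unescaped: any markup in the RDN reaches the browser.
function draw_title_vulnerable(string $dn): string {
    return sprintf('%s <b>%s</b>', 'Add new attribute', get_rdn_example($dn));
}

// Same output, hardened: htmlspecialchars() is applied here, at the output
// boundary, so get_rdn_example() can keep returning the raw value.
function draw_title_fixed(string $dn): string {
    $safe = htmlspecialchars(get_rdn_example($dn), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('%s <b>%s</b>', 'Add new attribute', $safe);
}

// Context 2, LDAP. A search filter built from the same RDN value must use
// RFC 4515 filter escaping, never HTML escaping (an "&lt;" sent to the
// server would simply be searched for literally and not match).
// With ext/ldap loaded, ldap_escape($v, '', LDAP_ESCAPE_FILTER) does this.
function ldap_filter_escape(string $value): string {
    return str_replace(
        ['\\',   '*',   '(',   ')',   "\0"],
        ['\\5c', '\\2a', '\\28', '\\29', '\\00'],
        $value
    );
}

function ldap_filter_for_rdn(string $dn): string {
    return sprintf('(cn=%s)', ldap_filter_escape(get_rdn_example($dn, true)));
}

// Context 3, a download filename derived from the DN (the download_binary_attr.php
// case). Restrict to a conservative character set, drop any path component and
// cap the length, so whatever the RDN contains cannot influence the path or the
// Content-Disposition header.
function download_filename_for(string $dn, string $attr): string {
    $raw  = sprintf('%s:%s.bin', get_rdn_example($dn, true), $attr);
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($raw));
    $name = substr($name, 0, 200);
    return ($name === '' || $name === '.' || $name === '..') ? 'download.bin' : $name;
}

// Constructed sample DN: the RDN value carries HTML markup and filter
// metacharacters so that each context's encoding is visible.
$dn = 'cn=Bob <i>(admin)</i>,ou=People,dc=example,dc=com';

echo draw_title_vulnerable($dn), PHP_EOL;   // markup passed through to the page
echo draw_title_fixed($dn), PHP_EOL;        // markup rendered as text
echo ldap_filter_for_rdn($dn), PHP_EOL;     // parentheses escaped, angle brackets untouched
echo download_filename_for($dn, 'jpegPhoto'), PHP_EOL;
```

Run with `php example.php`. The grep-style audit Brian describes maps directly onto this structure: every call site of `get_rdn` is a consumer in one of these contexts, and the question at each site is only whether the encoding for that context is applied there.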