bdemers commented on issue #1329: URL: https://github.com/apache/shiro/issues/1329#issuecomment-1966737453
Thanks for reaching out @Reamer!

In Shiro's LDAP realms, the filters are set at configuration time (e.g. a config file); it's expected that the configuration is formatted correctly. If these values were the results of user inputs (outside of Shiro's control), they should be escaped if needed. Shiro doesn't concatenate strings when performing LDAP searches, so unvalidated inputs (such as usernames) _shouldn't_ need to be escaped, as the lower level APIs . If you think I'm wrong or am missing something, please let us know!

However, given that this issue relates to injection attacks, please use the proper channels when reporting potential security issues. You can read an overview of how to report an issue at Apache: https://www.apache.org/security/ or an abbreviated page in the Shiro docs: https://shiro.apache.org/security-reports.html#reporting_a_vulnerability

**TL;DR**: Email [[email protected]](mailto:[email protected]).

---

[How to report a vulnerability: Responsible Disclosure for Developers](http://www.youtube.com/watch?v=Mh_fivNC8Wk)

This video explains how and why security issues require special handling.
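The comment above draws the line between filter text fixed in configuration and values that come from user input, which must be escaped before they are placed into an LDAP search filter. The following is an added example, not code from Shiro or from the comment author, showing the RFC 4515 escaping that a caller applies to such values: every filter metacharacter (`\`, `*`, `(`, `)`, NUL), control character and non-ASCII character is replaced by the `\XX` hex form of its UTF-8 bytes, so the value can only ever match literally. The `{0}` template, the function names and the sample usernames are assumptions constructed for the illustration.

```python
"""RFC 4515 escaping for values interpolated into LDAP search filters (added example)."""

# Characters that carry structural meaning inside an RFC 4515 filter.
_SPECIAL = {"\\", "*", "(", ")", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so that it is matched literally inside a filter.

    Each special, control or non-ASCII character is replaced by the \\XX
    form of its UTF-8 bytes, as RFC 4515 section 3 prescribes.
    """
    out = []
    for ch in value:
        if ch in _SPECIAL or ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


# Assumed filter template; "{0}" marks where the user-supplied value goes.
USER_FILTER_TEMPLATE = "(&(objectClass=person)(uid={0}))"


def build_user_filter(username: str, template: str = USER_FILTER_TEMPLATE) -> str:
    """Return the template with the escaped username substituted for {0}."""
    return template.replace("{0}", escape_filter_value(username))


def structural_paren_count(filter_text: str) -> int:
    """Count literal parentheses in a filter.

    After escaping, the only literal parentheses left are the template's own,
    so this count is a cheap check that the input did not alter the filter's
    structure. The template above contributes exactly six.
    """
    return sum(1 for ch in filter_text if ch in "()")


if __name__ == "__main__":
    # Constructed sample inputs: a plain username and one containing metacharacters.
    for name in ("alice", "admin)(uid=*", "j\u00fcrgen"):
        built = build_user_filter(name)
        print(f"{name!r:18} -> {built}  parens={structural_paren_count(built)}")
```

The escaping is what JNDI applies on your behalf when a search is issued with a filter expression containing `{0}` placeholders plus a separate `filterArgs` array, rather than a filter assembled by string concatenation; a code review of any realm or helper that builds filters should confirm that every user-controlled value reaches the directory through one of those two paths.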
