[email protected] wrote:
> Can confirm this with openldap 2.4.24.

Thanks, the bug was already confirmed.

> Using ldap search filters like this:
>
> (cn=blabla' or '1'='1)
>
> is at least causing my postgres to eat all CPU cycles it can get (LDAP
> data is based on a complex view). I do not have write access enabled for
> that particular openLDAP installation, but I also assume that SQL
> Injection is possible. Besides being an obvious malfunction, this should
> be considered a security issue.
As the bug status says, "patches welcome." back-sql is not a priority for any of the core developers.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
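An added illustration of the failure mode discussed in this thread; it is not OpenLDAP's back-sql code and not from either correspondent. It models, in Python over an in-memory SQLite table, an LDAP equality filter being translated to SQL by string concatenation beside a version that whitelists the attribute name and binds the assertion value as a parameter. The `persons` table, its columns, the sample rows, the `ALLOWED_ATTRS` set and the one-form filter parser are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample directory data standing in for the reporter's
# "complex view"; the table and column names are assumptions, not
# OpenLDAP's back-sql schema.
ROWS = [
    (1, "alice", "Alice Example"),
    (2, "bob", "Bob Example"),
    (3, "o'brien", "Pat O'Brien"),   # a legitimate value containing a quote
]

# The filter quoted in the bug report.
INJECTED = "(cn=blabla' or '1'='1)"

# Attribute names that may be mapped to a column (assumption).
ALLOWED_ATTRS = {"cn", "name"}

# Minimal parser for a single equality filter such as (cn=alice).
# Hypothetical: it handles only this one filter form.
FILTER_RE = re.compile(r"^\((\w+)=(.*)\)$")


def open_db():
    """Create an in-memory SQLite table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE persons (id INTEGER PRIMARY KEY, cn TEXT, name TEXT)")
    conn.executemany("INSERT INTO persons VALUES (?, ?, ?)", ROWS)
    return conn


def parse_equality_filter(ldap_filter):
    """Return (attribute, assertion value) for a filter like (cn=value)."""
    m = FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    return m.group(1), m.group(2)


def search_naive(conn, ldap_filter):
    """Injectable: the assertion value is spliced into the SQL text verbatim.

    This is the behaviour the reporter describes: whatever follows the '='
    in the filter ends up inside the WHERE clause unescaped.
    """
    attr, value = parse_equality_filter(ldap_filter)
    sql = "SELECT cn FROM persons WHERE %s = '%s'" % (attr, value)
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, ldap_filter):
    """Hardened: attribute name whitelisted, value sent as a bind parameter."""
    attr, value = parse_equality_filter(ldap_filter)
    if attr not in ALLOWED_ATTRS:
        raise ValueError("attribute not mapped to a column: %r" % attr)
    sql = "SELECT cn FROM persons WHERE %s = ?" % attr
    return sorted(row[0] for row in conn.execute(sql, (value,)))


def demo():
    """Run both translations over benign, quote-containing and injected filters."""
    conn = open_db()
    out = {}
    out["benign_naive"] = search_naive(conn, "(cn=alice)")
    out["benign_param"] = search_parameterized(conn, "(cn=alice)")
    # The reporter's filter becomes  WHERE cn = 'blabla' or '1'='1'  and
    # matches every row; on a large view that is a full scan.
    out["injected_naive"] = search_naive(conn, INJECTED)
    # Bound as data, the same string is compared literally and matches nothing.
    out["injected_param"] = search_parameterized(conn, INJECTED)
    # A legitimate quote in the value breaks the concatenated query outright.
    try:
        out["quoted_naive"] = search_naive(conn, "(cn=o'brien)")
    except sqlite3.OperationalError as e:
        out["quoted_naive"] = "SQL error: %s" % e
    out["quoted_param"] = search_parameterized(conn, "(cn=o'brien)")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

Note that RFC 4515 filter encoding escapes `*`, `(`, `)`, `\` and NUL in assertion values but not the single quote, so a backend that builds SQL by concatenation receives the quote exactly as the client sent it. The toy cannot reproduce the CPU exhaustion the reporter saw on PostgreSQL, but turning an indexed equality into `or '1'='1'` over a complex view is consistent with it.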
