On 11/15/2010 07:01 AM, Sumit Bose wrote:
On Fri, Nov 12, 2010 at 10:12:51AM -0500, Stephen Gallagher wrote:
https://fedorahosted.org/sssd/ticket/458
Previously, it was possible to perform a sort of LDAP filter injection with careful crafting of the ldap attributes in the config file.
This guarantees that any attribute specified in the config file is escaped properly, resulting in an inability to inject subfilters.
Note: this was not a security issue, as it was editable only by root and even then, all checks were performed on the server, not the client.
if (name) {
    ret = sss_filter_sanitize(map, name, &map[i].name);
    talloc_zfree(name);
NACK, please check ret.
bye, Sumit
} else {
    map[i].name = NULL;
}
ret is checked just after that else statement.
if ((ret != EOK) || (map[i].def_name && !map[i].name)) {
-- Stephen Gallagher RHCE 804006346421761
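As an added illustration of the escaping the patch description refers to, written for this thread and not SSSD's own sss_filter_sanitize() (whose exact rules are not shown here): an RFC 4515 value escaper plus a caller that propagates its return code, which is the point Sumit raised in review. The function names, the EOK value and the sample attribute strings are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define EOK 0   /* assumed success code, as in the quoted SSSD snippet */

/* Escape '*', '(', ')' and '\\' (reserved by RFC 4515) as \xx hex so a name
 * taken from the config file cannot close the current filter or open another.
 * Illustrative code, not SSSD's sss_filter_sanitize(); NUL is left out since
 * a C string cannot carry it.  On success the caller frees *out. */
int filter_sanitize(const char *in, char **out)
{
    size_t i, j = 0, len;
    char *buf;
    if (in == NULL || out == NULL) return EINVAL;
    len = strlen(in);
    buf = malloc(len * 3 + 1);   /* worst case: every byte becomes "\xx" */
    if (buf == NULL) return ENOMEM;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            sprintf(buf + j, "\\%02x", c);   /* e.g. '(' -> "\28" */
            j += 3;
        } else {
            buf[j++] = (char)c;
        }
    }
    buf[j] = '\0';
    *out = buf;
    return EOK;
}
/* Build "(attr=value)" from a configured attribute name; a sanitize failure
 * is propagated rather than leaving the caller with a NULL name. */
int build_filter(const char *attr, const char *value, char *dst, size_t dstlen)
{
    char *clean = NULL;
    int ret = filter_sanitize(attr, &clean);
    if (ret != EOK) return ret;
    snprintf(dst, dstlen, "(%s=%s)", clean, value);
    free(clean);
    return EOK;
}
/* Check helper: 1 if attr/value build to exactly `want`, else 0. */
int builds_to(const char *attr, const char *value, const char *want)
{
    char buf[256];
    return build_filter(attr, value, buf, sizeof(buf)) == EOK
        && strcmp(buf, want) == 0;
}
```

With a benign name the filter is unchanged; a name crafted as `uid=*)(objectClass=*` comes out as `(uid=\2a\29\28objectClass=\2a=alice)`, a single assertion rather than two.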