add function for proper escaping of assertion values in search filters #9

Open

@majewsky

In the example proposed in #8, a search filter is constructed by

let filter = format!("(|(uid={})(mail={}))", who, who);

This is vulnerable to an LDAP injection. If an attacker manages to provide a carefully manufactured username like

let who = "doesnotmatter)(isMemberOf=cn=admins,ou=groups,ou=example,ou=org)(doesnotmatter="

they can query parts of the directory they're not supposed to see. In #8 (as of now), this could be exploited to learn about the structure of the directory because of an unrelated timing side-channel attack.

To make it easy to avoid such kinds of injections, the library should provide a function for proper escaping of assertion values in search filters. According to RFC 4515 (in section 3, implicit in the definition of the UTF1SUBSET production) at least the following escaping must be applied to assertion values in the string representation of a search filter:

  • The null byte (0x00) must be escaped as \00.
  • The left parenthesis must be escaped as \28.
  • The right parenthesis must be escaped as \29.
  • The asterisk must be escaped as \2a.
  • The backslash must be escaped as \5c.
  • Also, all non-ASCII bytes (0x80 - 0xFF) should be escaped as \xx, where xx is the hexadecimal value of the byte, but this is only a matter of correctness, not of security.
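As an added example (not code from the issue or from the library it is filed against), the function below implements the escaping rules listed above and uses it to build the filter from the issue's example. The names `escape_filter_value` and `user_lookup_filter` are assumptions; the inputs in `main` are constructed, and the second one is the injection string quoted in the issue.

```rust
// Added example: escaping of assertion values for LDAP search filters,
// following the rules listed in the issue (RFC 4515 section 3).
// Not the library's own code; function names are assumptions.

/// Escape a string for use as an assertion value inside a search filter.
///
/// NUL, '(', ')', '*' and '\' become "\xx" with two lowercase hex digits,
/// as the issue lists. Non-ASCII bytes are escaped the same way (the
/// correctness rule from the last bullet). All other bytes pass through.
pub fn escape_filter_value(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for b in value.bytes() {
        match b {
            0x00 | b'(' | b')' | b'*' | b'\\' | 0x80..=0xFF => {
                out.push_str(&format!("\\{:02x}", b));
            }
            // Remaining bytes are plain ASCII and need no escaping.
            _ => out.push(b as char),
        }
    }
    out
}

/// The filter from the issue's example, with the user-supplied value
/// escaped before it is interpolated into the filter string.
pub fn user_lookup_filter(who: &str) -> String {
    let escaped = escape_filter_value(who);
    format!("(|(uid={})(mail={}))", escaped, escaped)
}

fn main() {
    // Constructed inputs: a normal login name and the injection string
    // quoted in the issue. After escaping, the parentheses and '=' in the
    // second input no longer form filter syntax; they are literal bytes
    // of a single assertion value.
    let injected =
        "doesnotmatter)(isMemberOf=cn=admins,ou=groups,ou=example,ou=org)(doesnotmatter=";
    println!("{}", user_lookup_filter("alice"));
    println!("{}", user_lookup_filter(injected));
}
```

The escaped filter still contains the attacker-controlled text, but only as the value compared against `uid` and `mail`; the server never parses it as additional filter components, which is what the unescaped `format!` call allowed.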
