[ https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17639538#comment-17639538 ]
Bryan Pendleton commented on DERBY-7147:
----------------------------------------

Yay! I've successfully run LDAPAuthenticationTest with your second patch applied.

A tiny nit: your second patch includes a whitespace-only extra blank line, not sure if this was intentional or not:
{code:java}
@@ -418,6 +468,7 @@ String searchFilter = this.leftSearchFilter + uid + this.rightSearchFilter; + NamingEnumeration results = ctx.search(searchBaseDN, searchFilter, ctls);
{code}

Here are some raw notes. Perhaps someday they will be useful as memory-joggers, should I need to do this again:
# I used Ubuntu Linux 20.04 and OpenJDK 19.0.1
# I installed ApacheDS and ApacheDirectoryStudio from [https://directory.apache.org], just following the directions.
# I started up ApacheDS by sudo /etc/init.d/apacheds-2.0.0.AM26-default start
# Using ApacheDirectoryStudio, I followed these instructions to generate a sample database of users: [https://directory.apache.org/apacheds/basic-ug/1.5-sample-configuration.html]
# I used ApacheDirectoryStudio to change the password for sample user Cornelius Buckley to 'secret'
# I additionally created user 'kathy/kathyS' using ApacheDirectoryStudio to add a new entry to the ou=people,o=sevenseas database using one of the existing entries as a template.
# I applied your ("ab") patch and did 'ant all'
# I verified that LDAP authentication was working by following [https://db.apache.org/derby/docs/10.16/security/cseccsecure863446.html] and using the following properties for my test database:
## {code:java}
derby.authentication.server=ldap://127.0.0.1:10389
derby.authentication.provider=LDAP
derby.authentication.ldap.searchBase=o=sevenseas
{code}
## {code:java}
java -cp /home/bpendleton/derby/trunk/tools/java/junit.jar:/home/bpendleton/derby/trunk/classes/engine:/home/bpendleton/derby/trunk/classes/shared:/home/bpendleton/derby/trunk/classes/tools:/home/bpendleton/derby/trunk/classes/testing:/home/bpendleton/derby/trunk/classes/server:/home/bpendleton/derby/trunk/classes/drda:/home/bpendleton/derby/trunk/classes/client org.apache.derby.tools.ij
ij version 10.17
ij> connect 'jdbc:derby:test2;create=true;user=cbuckley;password=secret';
ij> quit;
{code}
# Lastly, I verified that LDAPAuthenticationTest passed by doing:
## {code:java}
java -cp /home/bpendleton/derby/trunk/tools/java/junit.jar:/home/bpendleton/derby/trunk/classes/engine:/home/bpendleton/derby/trunk/classes/shared:/home/bpendleton/derby/trunk/classes/tools:/home/bpendleton/derby/trunk/classes/testing:/home/bpendleton/derby/trunk/classes/server:/home/bpendleton/derby/trunk/classes/drda:/home/bpendleton/derby/trunk/classes/client -DderbyTesting.ldapUser=cbuckley -DderbyTesting.ldapPassword=secret -DderbyTesting.ldapPort=10389 -DderbyTesting.dnString=sevenseas -DderbyTesting.ldapServer=ldap://127.0.0.1:10389 junit.textui.TestRunner org.apache.derbyTesting.functionTests.tests.jdbcapi.LDAPAuthenticationTest
{code}
## (Note that the help text for 'derbyTesting.ldapServer' in LDAPAuthenticationTest doesn't make it very obvious that you're supposed to set it to the value that will be used for the '[derby.authentication.server|https://db.apache.org/derby/docs/10.16/ref/rrefproper25581.html]' property; that took me a while to figure out.)

Lastly, two final notes; I'm not sure if they are important or not:
# LDAPAuthenticationTest.java requires that I set -DderbyTesting.ldapPort=10389, but as far as I can see it doesn't actually *use* that setting anywhere. It sets the 'ldapPort' variable, but I can't find anything that uses that variable. Note from above that when I run the test, I specify the port number in the 'ldapServer' URL.
# LDAPAuthenticationTest.java includes the following line. I can't figure out if this line interacts with your patch in any interesting ways or not. Is your patch in play whether or not this line is used? I stared at [https://db.apache.org/derby/docs/10.16/ref/rrefproper37341.html] for a while but it did not make me any smarter. I tried running LDAPAuthenticationTest both with this line in place and with it commented out, and the test passed either way, so probably I guess I have no idea whether any of this matters or not, but since your patch touches the code that has the word 'searchFilter' in it I figured I'd bring this up.
## {code:java}
setDatabaseProperty("derby.authentication.ldap.searchFilter","(&(objectClass=inetOrgPerson)(uid=%USERNAME%))", conn);
{code}

> LDAP injection vulnerability in LDAPAuthenticationImpl
> ------------------------------------------------------
>
>                 Key: DERBY-7147
>                 URL: https://issues.apache.org/jira/browse/DERBY-7147
>             Project: Derby
>          Issue Type: Bug
>          Components: JDBC
>    Affects Versions: 10.16.1.1
>            Reporter: Richard N. Hillegas
>            Assignee: Richard N. Hillegas
>            Priority: Major
>         Attachments: derby-7147-01-aa-reformatForReadability.diff, derby-7147-02-aa-escapeLDAPsearchFilter.diff, derby-7147-02-ab-escapeLDAPsearchFilter.diff
>
>
> An LDAP injection vulnerability has been identified in LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been provided, but there is a possibility that an intruder could bypass authentication checks in Derby-powered applications which rely on external LDAP servers.
> For more information on LDAP injection, see https://www.synopsys.com/glossary/what-is-ldap-injection.html

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
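The issue quoted above says getDNFromUID() builds an LDAP search filter from the login name, and the comment shows the filter template the test installs, (&(objectClass=inetOrgPerson)(uid=%USERNAME%)). The following is an added example, not Derby's code and not either attached patch: it places the verbatim substitution the issue describes next to the same substitution with the value escaped as RFC 4515 section 3 requires, so that a login name containing filter metacharacters can only ever be matched literally. The class and method names, the template constant, and the hostile login names are constructed for illustration.

```java
// Added example, not code from Derby or from the DERBY-7147 patches.
// Shows verbatim substitution of a login name into an LDAP search filter next
// to the same substitution with the value escaped per RFC 4515 section 3.
// Class name, method names and the hostile inputs are constructed for illustration.
public final class LdapFilterEscapeExample {

    // Template in the shape LDAPAuthenticationTest sets for
    // derby.authentication.ldap.searchFilter; %USERNAME% stands for the login name.
    static final String TEMPLATE = "(&(objectClass=inetOrgPerson)(uid=%USERNAME%))";

    /**
     * Escape the characters that RFC 4515 section 3 reserves inside an assertion
     * value: backslash, asterisk, parentheses and NUL. Each becomes a backslash
     * followed by the two hex digits of its byte value. Walking the string once
     * char by char means no earlier replacement can be re-escaped by a later one.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unsafe construction: the login name lands in the filter unchanged. */
    static String unescapedFilter(String uid) {
        return TEMPLATE.replace("%USERNAME%", uid);
    }

    /** Hardened construction: the login name is escaped before substitution. */
    static String escapedFilter(String uid) {
        return TEMPLATE.replace("%USERNAME%", escapeFilterValue(uid));
    }

    public static void main(String[] args) {
        String[] logins = {
            "cbuckley",        // ordinary login name, as in the test run above
            "*",               // constructed hostile input: a bare wildcard
            "cbuckley)(cn=*",  // constructed hostile input: closes the uid assertion
                               // and appends a further assertion of the attacker's choosing
        };
        for (String login : logins) {
            System.out.println("login     : " + login);
            System.out.println("unescaped : " + unescapedFilter(login));
            System.out.println("escaped   : " + escapedFilter(login));
            System.out.println();
        }
    }
}
```

Compile with javac and run the class. With the bare wildcard, the unescaped form turns the exact uid assertion into (uid=*), which matches every inetOrgPerson entry that has a uid rather than the one user who is logging in, whereas the escaped form sends (uid=\2a), an assertion that only an entry whose uid is literally an asterisk can satisfy. The third input shows that attacker-supplied parentheses can rewrite the filter's structure while still producing a well-formed filter, so syntax errors from the server are not a reliable defence. What getDNFromUID() does when such a search returns several entries, and whether that helps an intruder past the subsequent bind, is not shown on this page; the escaping removes the question by keeping the login name in the value position.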