I have made a patch for this problem. https://gist.github.com/akagisho/0d0d148c94616b84a513
2011-03-10 2:37 GMT+09:00 Howard Chu <[email protected]>:
> [email protected] wrote:
>>
>> Can confirm this with openldap 2.4.24.
>
> Thanks, the bug was already confirmed.
>
>> Using ldap search filters like this:
>>
>> (cn=blabla' or '1'='1)
>>
>> is at least causing my postgres to eat all CPU cycles it can get (LDAP
>> data is based on complex view). I do not have write access enabled for
>> that particular openLDAP installation, but I also assume that SQL
>> Injection is possible. Beside being an obvious malfunction, this should
>> be considered a security issue.
>
> As the bug status says, "patches welcome." back-sql is not a priority for
> any of the core developers.
