[jira] [Comment Edited] (DIRAPI-400) Hang in LDAP URL parser

2024-05-27 Thread Jira 


[ 
https://issues.apache.org/jira/browse/DIRAPI-400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17849829#comment-17849829
 ] 

Emmanuel Lécharny edited comment on DIRAPI-400 at 5/27/24 8:53 PM:
---

The LDAP URl you use is perfectly valid, why would you expect it to throw a 
{{LdapURLEncodingException}}?

RFC 4516 grammar for LDAP URL is pretty clear:

{code:java}
ldapurl = scheme COLON SLASH SLASH [host [COLON port]]
   [SLASH dn [QUESTION [attributes]
   [QUESTION [scope] [QUESTION [filter]
   [QUESTION extensions]
  ;  and  are defined
  ;   in Sections 3.2.2 and 3.2.3
  ;   of [RFC3986].
  ;  is from Section 3 of
  ;   [RFC4515], subject to the
  ;   provisions of the
  ;   "Percent-Encoding" section
  ;   below.

  scheme  = "ldap"
{code}

Everything after {{ldap://}} and the (optionnal) host - {{lenix}} in your case 
-  is also optional.


was (Author: elecharny):
The LDAP URl you use is perfectly valid, why would you expect it to throw a 
{{LdapURLEncodingException}}?

> Hang in LDAP URL parser
> ---
>
> Key: DIRAPI-400
> URL: https://issues.apache.org/jira/browse/DIRAPI-400
> Project: Directory Client API
>  Issue Type: Bug
>Affects Versions: 2.1.6
>Reporter: Andrey Slepykh
>Priority: Major
> Attachments: Reproducer.java
>
>
> Hello, we have found a problem in LDAP URL parser in version 2.1.6 while 
> fuzzing. The problem is that LDAP parser can not properly handle specially 
> crafted inputs and just hangs.
> {{Steps to reproduce:}}
> ~1. Download Apache Directory LDAP API v2.1.6:~
> ^wget wget 
> [https://github.com/apache/directory-ldap-api/archive/refs/tags/2.1.6.tar.gz]^
> ^tar xf 2.1.6.tar.gz && rm 2.1.6.tar.gz^
> {{2. Compile the project (we used jdk-11 and mvn-3.9.6):}}
> {{^cd directory-ldap-api-2.1.6^}}
> {{^mvn clean package^}}
> {{3. Get the reproducer:}}
> {{^mkdir fuzz && cd fuzz^}}
> {{^mv /Reproducer.java .^}}
> {{4. Compile the reproducer:}}
> {{^javac -cp ../ldap/model/target/classes/ ./Reproducer.java^}}
> {{5. Reproduce the hang:}}
> {{^java -cp 
> ../ldap/model/target/classes/:.:../util/target/classes/:../integ-osgi/target/dependency/slf4j-api-1.7.26.jar:../i18n/target/classes/
>  Reproducer^}}
> We decided to fuzz this function, because it is used in Apache Directory 
> Server
> Found by Linux Verification Center (portal.linuxtesting.ru) with Jazzer.
> Author L.Reviakin (l.revia...@fobos-nt.ru)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org

[jira] [Comment Edited] (DIRAPI-400) Hang in LDAP URL parser

2024-05-27 Thread Jira 


[ 
https://issues.apache.org/jira/browse/DIRAPI-400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17849829#comment-17849829
 ] 

Emmanuel Lécharny edited comment on DIRAPI-400 at 5/27/24 8:51 PM:
---

The LDAP URl you use is perfectly valid, why would you expect it to throw a 
{{LdapURLEncodingException}}?


was (Author: elecharny):
The LDAP URUl you use is perfectly valid, why would you expect it to throw a 
{{LdapURLEncodingException}}?

> Hang in LDAP URL parser
> ---
>
> Key: DIRAPI-400
> URL: https://issues.apache.org/jira/browse/DIRAPI-400
> Project: Directory Client API
>  Issue Type: Bug
>Affects Versions: 2.1.6
>Reporter: Andrey Slepykh
>Priority: Major
> Attachments: Reproducer.java
>
>
> Hello, we have found a problem in LDAP URL parser in version 2.1.6 while 
> fuzzing. The problem is that LDAP parser can not properly handle specially 
> crafted inputs and just hangs.
> {{Steps to reproduce:}}
> ~1. Download Apache Directory LDAP API v2.1.6:~
> ^wget wget 
> [https://github.com/apache/directory-ldap-api/archive/refs/tags/2.1.6.tar.gz]^
> ^tar xf 2.1.6.tar.gz && rm 2.1.6.tar.gz^
> {{2. Compile the project (we used jdk-11 and mvn-3.9.6):}}
> {{^cd directory-ldap-api-2.1.6^}}
> {{^mvn clean package^}}
> {{3. Get the reproducer:}}
> {{^mkdir fuzz && cd fuzz^}}
> {{^mv /Reproducer.java .^}}
> {{4. Compile the reproducer:}}
> {{^javac -cp ../ldap/model/target/classes/ ./Reproducer.java^}}
> {{5. Reproduce the hang:}}
> {{^java -cp 
> ../ldap/model/target/classes/:.:../util/target/classes/:../integ-osgi/target/dependency/slf4j-api-1.7.26.jar:../i18n/target/classes/
>  Reproducer^}}
> We decided to fuzz this function, because it is used in Apache Directory 
> Server
> Found by Linux Verification Center (portal.linuxtesting.ru) with Jazzer.
> Author L.Reviakin (l.revia...@fobos-nt.ru)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org