On Fri, Nov 12, 2010 at 10:12:51AM -0500, Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> https://fedorahosted.org/sssd/ticket/458
> 
> Previously, it was possible to perform a sort of LDAP filter injection
> with careful crafting of the ldap attributes in the config file.
> 
> This guarantees that any attribute specified in the config file is
> escaped properly, resulting in an inability to inject subfilters.
> 
> 
> Note: this was not a security issue, as it was editable only by root and
> even then, all checks were performed on the server, not the client.
> 
> +
> +        if (name) {
> +            ret = sss_filter_sanitize(map, name, &map[i].name);
> +            talloc_zfree(name);

NACK, please check ret.

bye,
Sumit

> +        } else {
> +            map[i].name = NULL;
> +        }
> +
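Review bot: the result of sss_filter_sanitize() is stored in ret in the `if (name)` branch, but nothing tests it before the branch closes and control reaches the `else`. If sanitizing fails, map[i].name is left in whatever state the call produced and the code carries on as though the attribute had been escaped. Test ret immediately after the call and take the function's error path on failure, so an unescaped or unset attribute name can never end up in a filter. talloc_zfree(name) should still run on that path so the unsanitized copy is released.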
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
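The escaping described in the patch summary, as an added example that is not code from the SSSD patch: `filter_escape` and `build_user_filter` are hypothetical names, the filter template and the configured attribute values in the test are constructed, and the escaping follows RFC 4515. The builder also checks every result before handing back a filter, which is the point raised in the review.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not SSSD's sss_filter_sanitize(): escapes the
 * RFC 4515 special characters '*', '(', ')' and '\' as \XX hex pairs.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *filter_escape(const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(in);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte escaped */
    char *p = out;

    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            *p++ = '\\';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Builds "(&(<attr>=<user>)(objectclass=posixAccount))" with the attribute
 * name taken from configuration. Returns 0 on success, -1 on any failure,
 * in which case buf is left empty so a caller cannot use a partial filter. */
int build_user_filter(const char *cfg_attr, const char *user,
                      char *buf, size_t buflen)
{
    char *attr = filter_escape(cfg_attr);
    char *val = filter_escape(user);
    int n = -1;

    if (attr != NULL && val != NULL) {
        n = snprintf(buf, buflen, "(&(%s=%s)(objectclass=posixAccount))", attr, val);
    }
    free(attr);
    free(val);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0) buf[0] = '\0';
        return -1;
    }
    return 0;
}
```

With a configured attribute that contains parentheses, the escaped form keeps the filter at one equality test inside the `&`, instead of gaining an extra subfilter.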