add function for proper escaping of assertion values in search filters #9
Comments
|
I will look into this the next time I find the time to touch the code (maybe this weekend, have to stay indoors regardless :( ). Would you be willing to review the implementation when I get that far? |
|
Sure, you can add me as a reviewer on the PR.
That's my motivation, too. :) |
…ping, and to protect against timing attacks for user discovery
|
I added a proposal for the function, called escape_filter_assertion_value. It basically calls escape_default on the incoming string, and then flat_maps the remaining characters to what FC 4515 specifies. I also updated the example to use the new escape function on the who-parameter, and I also made it always call the simple bind (with empty username and password), as per your comment on timing attacks. Here's the implementation: Line 516 in 3591f2d Escape default docs: https://doc.rust-lang.org/std/ascii/fn.escape_default.html |
|
Updated the function signature to return Vec instead of going through the String::from_utf8 call, now there is no error case to discuss :) |
In the example proposed in #8, a search filter is constructed by
This is vulnerable to an LDAP injection. If an attacker manages to provide a carefully manufactured username like
they can query parts of the directory they're not supposed to see. In #8 (as of now), this could be exploited to learn about the structure of the directory because of an unrelated timing side-channel attack.
To make it easy to avoid such kinds of injections, the library should provide a function for proper escaping of assertion values in search filters. According to RFC 4515 (in section 3, implicit in the definition of the
UTF1SUBSETproduction) at least the following escaping must be applied to assertion values in the string representation of a search filter:\00.\28.\29.\2a.\5c.\xx, wherexxis the hexadecimal value of the byte, but this is only a matter of correctness, not of security.The text was updated successfully, but these errors were encountered: