In many cases user-provided values are used directly in LDAP DN's and LDAP filters. The values should be escaped properly to prevent parsing error or injection attack.
For example in UGSubsystem.java:951 the user ID parameter is concatenated into DN:
public void removeUser(String userid) throws EUsrGrpException { ... ldapconn.delete("uid=" + userid + "," + getUserBaseDN()); ... }
The parameter should have been escaped using LDAPUtil.escapeDN() to prevent possible DN syntax error.
master:
Metadata Update from @edewata: - Issue assigned to edewata - Issue set to the milestone: 10.0.0-0.X.a2
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/764
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.