Databases
StackOverflow2013
Postsdbo
POJava decoding encoded LDAP filters before transmitting? Preventing LDAP injections
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POJava decoding encoded LDAP filters before transmitting? Preventing LDAP injections
    text
    copied!<p>I am currently properly escaping my filters, either using Spring LDAP Filter clases, or by going through LdapEncoder.filterEncode().</p> <p>At the same time, I am using WireShark to capture packets being exchanged between my local machine and the LDAP server.</p> <p>And I seem to have a problem. Even if I properly escape values (which I have confirmed through debugging), they come out unescaped through the network. I have also confirmed (through debugging) that the value stays encoded all the way until it enters javax.naming.InitialContext.</p> <p>Here is an example (note that I am using Spring LDAP 1.3.0, and that these happen on both Oracle JDK 6u45 and Oracle JDK 7u45).</p> <p>In my own code, on the service layer, the call being made is:</p> <pre><code> String lMailAddress = (String) ldapTemplate.searchForObject("", new EqualsFilter(ldapUserSearchFilterAttribute, principal).encode(), new ContextMapper() { @Override public Object mapFromContext(Object ctx) { DirContextAdapter lContext = (DirContextAdapter) ctx; return lContext.getStringAttribute("mail"); }}); </code></pre> <p>At this point, I can confirm that the String returned by the encode() method on the filter is "(sAMAccountName=boi\2a)"</p> <p>The last point I can debug the code is the following one (starts at line 229 of org.springframework.ldap.core.LdapTemplate):</p> <pre><code>SearchExecutor se = new SearchExecutor() { public NamingEnumeration executeSearch(DirContext ctx) throws javax.naming.NamingException { return ctx.search(base, filter, controls); } }; </code></pre> <p>When executeSearch() is later invoked, I can also verify that the filter String contains "(sAMAccountName=boi\2a)".</p> <p>I cannot debug any further, since I do not have the source code to javax,naming.* or com.sun.jndi.ldap.* (since com.sun.jndi.ldap.LdapCtx is being invoked).</p> <p>However, as soon as the call returns from executeSearch(), WireShark informs me that an LDAP packet containing a searchRequest with the filter "(sAMAccountName=boi*)" has been transmitted (the * is no longer escaped).</p> <p>I have used similar encoding and used different methods of LdapTemplate that yielded the result I was expecting (I saw the encoded filter being transmitted in WireShark), but I cannot explain why, in the case I just exposed, the value gets decoded before being transmitted.</p> <p>Please help me understanding the situation. Hpoefully, I am the one who does not properly understand the LDAP protocol here.</p> <p>Thanks.</p> <p><em>Disclaimer:</em> I have posted the same question to Spring LDAP forums.</p> <p><em>TL/DR:</em> Why is com.sun.jndi.ldap.LdapCtx decoding LDAP encoded filters (like \2a to *) before transmitting them to the LDAP server?</p> <p><em>Update:</em> Tried and observed the same behavior with IBM's J9 JDK7.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload