question on ldap_escape_func in rlm_ldap.c
Nicolas Baradakis
nbk at sitadelle.com
Wed Dec 7 11:51:48 CET 2005
Qin Zhen wrote:
> I couldn't figure out what the change intends to do. Is it to
> filter out '*', '\\', '()' and '=' from the username? And why should it
> be done that way? Please help me. Thanks a lot in advance.
The function ldap_escape_func() filters all LDAP-specific characters
from RFC 2254. This prevents LDAP injection attacks.
BTW there's a known bug in this function; you can get a fixed version
here. (The patch will be included in the next release.)
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c?rev=1.122.2.8
--
Nicolas Baradakis
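The escaping the reply describes, as an added illustration (this is not FreeRADIUS's ldap_escape_func, whose exact character set and fix are in the linked rlm_ldap.c revision): RFC 2254 section 4 says that `*`, `(`, `)`, `\` and NUL inside a filter value are written as a backslash followed by the two hex digits of the byte, so a user-supplied name can never close the `(uid=...)` term or add its own. The function names `ldap_filter_escape` and `build_uid_filter` are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not rlm_ldap code: escape one filter value per RFC 2254
 * section 4.  '*', '(', ')' and '\' become "\xx" with xx the byte's hex
 * value (NUL cannot occur in a C string, so it is not handled here).
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *ldap_filter_escape(const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(in);
    /* Worst case: every input byte expands to three output bytes. */
    char *out = malloc(len * 3 + 1);
    if (out == NULL)
        return NULL;

    char *p = out;
    for (const unsigned char *s = (const unsigned char *)in; *s != '\0'; s++) {
        switch (*s) {
        case '*':
        case '(':
        case ')':
        case '\\':
            *p++ = '\\';
            *p++ = hex[*s >> 4];
            *p++ = hex[*s & 0x0f];
            break;
        default:
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

/* Build a "(uid=<username>)" search filter with the username escaped.
 * Returns the filter length, or -1 if escaping failed or buf is too small
 * (the filter is never silently truncated, which could change its meaning). */
int build_uid_filter(const char *username, char *buf, size_t buflen)
{
    char *esc = ldap_filter_escape(username);
    if (esc == NULL)
        return -1;
    int n = snprintf(buf, buflen, "(uid=%s)", esc);
    free(esc);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample input: a "username" containing filter metacharacters.
     * Pasted into "(uid=%s)" unescaped it would read (uid=*)(uid=*), a
     * completely different query; escaped it stays a single literal value. */
    const char *username = "*)(uid=*";
    char filter[128];

    if (build_uid_filter(username, filter, sizeof filter) < 0) {
        fputs("filter construction failed\n", stderr);
        return 1;
    }
    printf("%s\n", filter); /* (uid=\2a\29\28uid=\2a) */
    return 0;
}
```

The hex form is what the server decodes back into the literal bytes, so escaping never loses a legitimate character in a name; the alternative of stripping `*` or `(` (what the quoted question assumed the change did) would silently change which user is looked up.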