I dug up some old code recently, and came across one puzzling part of
the change from ldb_dn_build_child(ctx, attribute, value, dn) to
ldb_dn_add_child_fmt(dn, fmt, ...).
Almost all the callers of ldb_dn_add_child_fmt() simply wish to add
exactly one element to the DN.
E.g.:
./rpc_server/lsa/dcesrv_lsa.c:836:
if ( ! ldb_dn_add_child_fmt(msg->dn, "cn=%s", name)) {
name in this case is the name of a newly trusted domain.
In these cases, I think this API is over-flexible, in what it could
allow an attacker. The caller expects name to be
foo
But imagine name was to become:
foo,cn=users
The resultant DN would be cn=foo,cn=users,<base>. My claim is that this
extra DN component could allow an attacker to play games, etc...
I was wondering if it would be worth adding the old API
(ldb_dn_build_child) back, to ensure that these elements cannot be
misinterpreted?
Thoughts?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
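The injection described in the post above, as an added, stand-alone C example
that is not part of the original message and does not call ldb (the helper
names rdn_escape_value, build_child_dn and count_dn_components are hypothetical;
ldb has its own escaping in ldb_dn_escape_value, which this code deliberately
does not use so that it compiles on its own). build_child_dn() with escape == 0
reproduces what "cn=%s" does when the value is pasted in verbatim; with
escape != 0 the value is escaped per RFC 4514 section 2.4 first, so the
attacker-chosen "foo,cn=users" can only ever form one RDN:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Characters RFC 4514 section 2.4 requires to be escaped wherever they
 * appear in an RDN attribute value.  A leading '#' or space and a trailing
 * space are handled separately in rdn_escape_value().
 */
static int rdn_needs_escape(char c)
{
    return c != '\0' && strchr("\"+,;<>\\", c) != NULL;
}

/*
 * Hypothetical helper (not ldb's ldb_dn_escape_value): escape one attribute
 * value so that it can only ever form a single RDN.  Caller frees the result.
 */
char *rdn_escape_value(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 2 + 1);    /* every byte may gain a backslash */
    size_t o = 0, i;

    if (out == NULL) {
        return NULL;
    }
    for (i = 0; i < len; i++) {
        char c = value[i];
        int leading = (i == 0 && (c == '#' || c == ' '));
        int trailing = (i == len - 1 && c == ' ');

        if (rdn_needs_escape(c) || leading || trailing) {
            out[o++] = '\\';
        }
        out[o++] = c;
    }
    out[o] = '\0';
    return out;
}

/*
 * Build "<attr>=<value>,<base>".  escape == 0 mimics ldb_dn_add_child_fmt()
 * with "cn=%s": the value lands in the DN verbatim, so a comma inside it
 * becomes an RDN separator.  escape != 0 escapes the value first.
 * Caller frees the result.
 */
char *build_child_dn(const char *base, const char *attr,
                     const char *value, int escape)
{
    char *val, *dn;
    size_t n;

    if (escape) {
        val = rdn_escape_value(value);
    } else {
        val = malloc(strlen(value) + 1);
        if (val != NULL) {
            strcpy(val, value);
        }
    }
    if (val == NULL) {
        return NULL;
    }
    n = strlen(attr) + 1 + strlen(val) + 1 + strlen(base) + 1;
    dn = malloc(n);
    if (dn != NULL) {
        snprintf(dn, n, "%s=%s,%s", attr, val, base);
    }
    free(val);
    return dn;
}

/*
 * Count the RDNs in a DN string: one more than the number of commas not
 * preceded by an escaping backslash.  (Sufficient here; a full parser also
 * handles quoted and hex-escaped forms.)
 */
int count_dn_components(const char *dn)
{
    int count = 1;
    const char *p;

    for (p = dn; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                        /* skip the escaped character */
        } else if (*p == ',') {
            count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: a base DN and an attacker-chosen "name". */
    const char *base = "cn=System,dc=example,dc=com";
    const char *name = "foo,cn=users";
    char *unsafe_dn = build_child_dn(base, "cn", name, 0);
    char *safe_dn = build_child_dn(base, "cn", name, 1);

    printf("unsafe: %s  (%d RDNs)\n", unsafe_dn, count_dn_components(unsafe_dn));
    printf("safe:   %s  (%d RDNs)\n", safe_dn, count_dn_components(safe_dn));
    free(unsafe_dn);
    free(safe_dn);
    return 0;
}
```

The unescaped build yields five RDNs from a three-RDN base, i.e. the object is
created under cn=users instead of cn=System; the escaped build yields four,
with the whole attacker string confined to the single cn value. The same
check (count the RDNs of the resulting DN and compare with the expected
count) is a cheap assertion to put next to any "cn=%s"-style caller.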