samba-technical@lists.samba.org

[LDB] was ldb_dn_build_child safer than ldb_dn_add_child_fmt?

Subject: [LDB] was ldb_dn_build_child safer than ldb_dn_add_child_fmt?
From: Andrew Bartlett
Date: Wed, 27 Dec 2006 14:27:15 +1100
I dug up some old code recently, and came across one puzzling part of
the change from ldb_dn_build_child(ctx, attribute, value, dn) to
ldb_dn_add_child_fmt(dn, fmt, ...).

Almost all the callers of ldb_dn_add_child_fmt() simply wish to add
exactly one element to the DN.  

Eg:  

./rpc_server/lsa/dcesrv_lsa.c:836:      if ( ! ldb_dn_add_child_fmt(msg->dn, "cn=%s", name)) {

name in this case is the name of a newly trusted domain.  

In these cases, I think this API is over-flexible, in what it could
allow an attacker.  The caller expects name to be

foo

But imagine name was to become:

foo,cn=users

The resultant DN would be cn=foo,cn=users,<base>.  My claim is that this
extra DN component could allow an attacker to play games, etc...

I was wondering if it would be worth adding the old API
(ldb_dn_build_child) back, to ensure that these elements cannot be
misinterpreted?

Thoughts?

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com