esapi-java-legacy
Need encoder for LDAP Interchange Format (LDIF)
From [email protected] on December 31, 2010 06:54:16
There are presently (as of ESAPI 2.0_rc10) two encoders that are LDAP-related:
- Encoder.encodeForDN(String)
- Encoder.encodeForLDAP(String)
Neither of these seem to properly handle the context where the format would be something that requires user input that is formatted as LDIF input. (Generally, such a mechanism might be used to create users or modify user attributes, especially when done en masse in batch mode.)
According to < http://download.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html >, the following cases must be quoted using a backslash character ("\") when they appear in a "name":
- A space or "#" character occurring at the beginning of the string
- A space character occurring at the end of the string
- One of the characters ",", "+", "\"", "\", "<", ">" or ";"
(However, it should be noted that the above mentioned URL states that this quoting is specially only intended for LDAP names, meaning that the rules may or may not apply to values, such as attribute values. Whether or not they are permitted for attribute values depends on the application context and the LDAP schema definition for that specific LDAP attribute.)
Clearly, #1 and #2 apply to user input that is transformed as LDIF input, but such is not the case for #3. (AFAICT, case #3 seems to be more primarily intended for constructing DNs and LDAP search filters, but it seems to omit some important characters there as well, such as "(", ")", "&", and "|", which could be used to maliciously alter an LDAP search filter if not properly quoted.)
LDIF input is commonly provided when two companies are setting up federated or otherwise shared user identities in their directories. During these times, one company often shares an LDIF file with the other company to import into its directory. (Such an occurrence is commonplace during mergers and acquisitions.)
Currently, ESAPI has no way of dealing with such cases. In order to make LDAP encoding complete so that LDAP injection is addressed in this context as well, ESAPI should provide a standard way of encoding LDIF input as well. If user input comes in the form of LDIF, then other characters may need to be quoted as well. (Specifically, end-of-line terminators may need to be quoted to prevent newline injection, which might be used to inject unintended LDAP attributes.)
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=196
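The LDIF quoting the report asks for, as an added Python example that is not ESAPI's code: it applies the three DN cases quoted above to an RDN value and, at the LDIF layer, base64-encodes any attribute value that is not an RFC 2849 SAFE-STRING, which is what prevents the newline injection described in the last paragraph. All function names, the attribute names and the sample entry are assumptions made for the example.

```python
import base64
import re

# DN value characters that must be backslash-quoted (case 3 in the issue);
# RFC 4514 additionally requires NUL to be written as \00.
_DN_SPECIAL = set(',+"\\<>;')
_ATTR_DESC = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*")

def escape_dn_value(value: str) -> str:
    """Escape one RDN value, e.g. the text after 'cn=' in a dn: line."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif (ch in _DN_SPECIAL or (i == 0 and ch in " #")   # case 1
              or (i == last and ch == " ")):                   # case 2
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def needs_base64(value: str) -> bool:
    """True unless value is an RFC 2849 SAFE-STRING (also true for a trailing space)."""
    if value == "":
        return False
    if any(not 1 <= ord(c) <= 127 or c in "\r\n" for c in value):
        return True
    return value[0] in " :<" or value.endswith(" ")

def ldif_attr_line(attr: str, value: str) -> str:
    """Render 'attr: value', or 'attr:: <base64>' when the value is unsafe, so a
    user-supplied value (e.g. one containing LF) can never start a second line."""
    if not _ATTR_DESC.fullmatch(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    if not needs_base64(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def ldif_add_record(rdn_attr: str, rdn_value: str, base_dn: str, attrs) -> str:
    """One LDIF 'changetype: add' record built only through the encoders above."""
    dn = f"{rdn_attr}={escape_dn_value(rdn_value)},{base_dn}"
    lines = [ldif_attr_line("dn", dn), "changetype: add"]
    lines += [ldif_attr_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed hostile input: a LF that would otherwise inject userPassword.
    print(ldif_add_record("uid", "jdoe\nuserPassword: x", "ou=people,dc=example,dc=com",
                          [("objectClass", "inetOrgPerson"), ("cn", "Doe, John ")]))
```

The DN line of the hostile record comes out as `dn:: <base64>`, so an importer reads a single (odd-looking) uid value instead of a second attribute line.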
From [email protected] on September 28, 2012 04:14:16
I can do EncodeForLdap and EncodeForDN however the output when passed through canonicalize, is garbage.
Try using the test string "Hi (This) =". Here "(" is converted to \28 on encoding. On decoding it gets converted to character 2, which is STX, i.e. nothing.
Please help.