atze_80(a)web.de wrote:
Can confirm this with openldap 2.4.24.
Thanks, the bug was already confirmed.
Using ldap search filters like this:
(cn=blabla' or '1'='1)
is at least causing my postgres to eat all CPU cycles it can get (LDAP
data is based on complex view). I do not have write access enabled for
that particular openLDAP installation, but I also assume that SQL
Injection is possible. Beside being an obviuos malfunction, this should
be considered a security issue.
As the bug status says, "patches welcome." back-sql is not a priority for any
of the core developers.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/