Re: ITS#8866 (was: ITS review 6/14/2019)

On 6/27/19 6:18 PM, Howard Chu wrote: > Michael Ströder wrote: >> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote: >>> Thanks to Ondrej, this list is a bit shorter now. :) >> >> But one more I'd love to see in 2.4.48: >> >> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message >> >> https://www.openldap.org/its/index.cgi?findid=8866 > > I don't believe the information disclosure issues have been > sufficiently answered there. Overall it's a bad idea and goes against > our standing policy of minimal disclosure. Sorry, you already have the disclosure. Citing from my old e-mail found here: https://www.openldap.org/lists/openldap-devel/201711/msg00003.html > But this problem exists anyway because an attacker can probe > values by adding entries with non-unique attributes and determine > whether an attribute value exists or not by distinguishing the result > code constraintViolation(19) vs. insufficientAccessRights(50). > Even worse this even works in case the attacker does not have read > access anywhere!