Details
-
Bug
-
Resolution: Fixed
-
Major
-
None
-
Platform: All, OS: All
Description
In: ActiveDirectoryUnixAuthenticationProvider.java
Line 85:
context.search(toDC(domainName),"(&
(userPrincipalName="principalName")(objectClass=user))", controls);
Line 89:
renum = context.search(toDC(domainName),"(&
(sAMAccountName="username")(objectClass=user))", controls);
String appends with no escaping leave the code vulnerable to an (unlikely) LDAP
injection attack.
The Acegi code already has protection against this, you can see how that's
implemented here:
https://src.springframework.org/svn/spring-security/tags/release_1_0_6/core/src/main/java/org/acegisecurity/ldap/search/FilterBasedLdapUserSearch.java
(this eventually ends up using the spring code for encoding, in
org/springframework/ldap/support/LdapEncoder.java)
If you use the LdapTemplate code to do this, as acegi did, see the notes about
referrals at:
http://static.springframework.org/spring-ldap/docs/1.1/api/org/springframework/ldap/LdapTemplate.html
Incidentally, this referrals stuff should be irrelevant for authentication; if
you connect to the Global Catalog Server (port 3268) for your forest, not the AD
server (port 389), you should not be seeing referrals. Hudson is querying
_ldap._tcp.<domain name>, but should probably be querying
_gc._tcp.<DnsForestName>. (equivalent, I think, to COM4J.getObject(IADs.class,
"GC:", null); in the windows version, instead of COM4J.getObject(IADs.class,
"LDAP://RootDSE", null)
