51 lines
1.3 KiB
Plaintext
51 lines
1.3 KiB
Plaintext
== How to fix it in Core PHP
|
|
|
|
=== Code examples
|
|
|
|
The following noncompliant code is vulnerable to LDAP injection because untrusted data is
|
|
concatenated to an LDAP query without prior sanitization or validation.
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,php,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
$ldapconn = ldap_connect("localhost");
|
|
|
|
if($ldapconn){
|
|
$user = $_GET["user"];
|
|
|
|
$filter = "(&(objectClass=user)(uid=" . $user . "))";
|
|
$dn = "dc=example,dc=org";
|
|
|
|
ldap_list($ldapconn, $dn, $filter); // Noncompliant
|
|
}
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,php,diff-id=1,diff-type=compliant]
|
|
----
|
|
$ldapconn = ldap_connect("localhost");
|
|
|
|
if($ldapconn){
|
|
$user = $ldap_escape($_GET["user"], "", LDAP_ESCAPE_FILTER);
|
|
|
|
$filter = "(&(objectClass=user)(uid=" . $user . "))";
|
|
$dn = "dc=example,dc=org";
|
|
|
|
ldap_list($ldapconn, $dn, $filter);
|
|
}
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/validation.adoc[]
|
|
|
|
For PHP, the core library function
|
|
https://www.php.net/manual/en/function.ldap-escape.php[`ldap_escape`] allows sanitizing these characters.
|
|
|
|
In the compliant solution example, the `ldap_escape` function is used with the
|
|
`LDAP_ESCAPE_FILTER` flag, which sanitizes potentially malicious characters in the search filter.
|
|
The function can also be used with the `LDAP_ESCAPE_DN` flag, which sanitizes
|
|
the distinguished name (DN).
|