Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-7701

Encode JAX-RS Search query values for the LdapQueryVisitor

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 3.2.4
    • 3.2.5
    • None
    • None
    • Unknown

    Description

      When using JAX-RS search with the LdapQueryVisitor, we don't encode the query value by default. This means that an LDAP injection attack is possible. By default we should encode query values (and make it configurable if the user wants to support searching using wildcards for example).

      Attachments

        Issue Links

          Activity

            People

              coheigea Colm O hEigeartaigh
              coheigea Colm O hEigeartaigh
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m