Menu
▾
▴
Re: [Phpwiki-talk] Warning: LDAP security problem
|
From: Reini U. <ru...@x-...> - 2004-06-04 12:54:16
|
Reini Urban schrieb: > In this patch I only restricted '*'. > > For the future we'll have to restrict the allowed username characters > for PassUsers, because I don't want to escape every possible special > character for every possible auth backend and platform. > > I suggest to allow only > $userid =~ /^[\w.-@]\$?$/ and strlen($userid) < 32 I forced now this username in current CVS: $userid =~ /^[\w\.\-@]+$/ and strlen($userid) < 32 trailing "$" not. > which allows all alphanumeric chars, all localized word chars, > plus ".","-","@" and a trailing "$". > [a-zA-Z0-9_-.] + [äüöèéáÀ...] > > Should we ould be more strict any allow only POSIX'ly correct usernames? > There is not such an exact definition, but ... > For IMAP, POP3 and FileAuth for example. > LDAP dislikes * ! ( ) & \ > File dislikes also : and names longer than 31 chars. > > I'm not sure about dots (i.e. in email). Certain cmdline unix tools bark > on dots. > > adduser(8) > It is recommended that login names contain only lowercase charac- > ters and digits. They may also contain uppercase characters, > non-leading hyphens, periods, and a trailing '$'. Login names > may not be longer than 31 characters (see BUGS section of > setlogin(2)). > > What about Samba, POSIX ACL's? > I have to check http://www.wlug.org.nz/SambaNotes AND > http://www.wlug.org.nz/LDAPAuthentication > > I also learned that with HttpAuth usernames are NOT case-sensitive. > (not yet checked if it affects us) Fixed it. -- Reini Urban http://xarch.tu-graz.ac.at/home/rurban/ |