Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6449574

Invalid ldap filter is accepted and processed

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: 5.0
    • Fix Version/s: 7
    • Component/s: core-libs
    • Labels:
    • Subcomponent:
    • Resolved In Build:
      b68
    • CPU:
      sparc
    • OS:
      windows_xp
    • Verification:
      Verified

      Backports

        Description

        OPERATING SYSTEM(S):
        Win32, Windows XP

        FULL JDK VERSION(S):
        java version "1.5.0"
        Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
        Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode)

        DESCRIPTION:
        An invalid ldap search filter is passed to JNDI, which is processed successfully and passed to ldap server to get the results.
        The following is the search filter that is passed.
        (&(cn=Robert Dean)))
        This filter is syntactically invalid.
                     
        Run the jndi ldap program passing ldap server ip address as command line argument and it gives an error.
          
        The following JNDI program which has same search filter, passes successfully without any error.

         //JNDI program
        import java.util.Properties;
        import javax.naming.*;
        import javax.naming.directory.*;
        import java.util.Enumeration;
                                                                                
        public class ldapSearch {
          Properties env;
          DirContext ctx;
                                                                                
          ldapSearch(String URLaddress)
            throws SecurityException,NamingException {
            Properties env = new Properties();
            env.setProperty(Context.INITIAL_CONTEXT_FACTORY,
        "com.sun.jndi.ldap.LdapCtxFactory");
            env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
            env.setProperty(Context.PROVIDER_URL, "ldap://"+URLaddress+":389");
            env.setProperty(Context.SECURITY_PRINCIPAL,"cn=root");
            env.setProperty(Context.SECURITY_CREDENTIALS,"root");
                                                                                
            ctx = new InitialDirContext(env);
                                                                                
          }
                                                                                
          public NamingEnumeration
            search(String from, String filter)
             throws NamingException {
            SearchControls constr = new SearchControls();
            // let is search whole subtree
            constr.setSearchScope(
              SearchControls.SUBTREE_SCOPE);
            return(ctx.search(from, filter, constr));
          }
                                                                                
          public void printResults(NamingEnumeration res)
            throws Exception {
            while (res != null && res.hasMore()) {
        // Thread.sleep(3000);
              SearchResult si = (SearchResult)res.next();
              System.out.println("\nname: " + si.getName());
              Attributes attrs = si.getAttributes();
              if (attrs == null) {
                System.out.println("No attributes");
              }
              else {
                for (NamingEnumeration ae = attrs.getAll();
                       ae.hasMoreElements();) {
                  Attribute attr = (Attribute)ae.next();
                  String attrId = attr.getID();
                  for (Enumeration vals = attr.getAll();
                    vals.hasMoreElements();
                    System.out.println(attrId+": "+
                      vals.nextElement()));
                }
              }
            }
          }
                                                                                
          public static void main(String[] args) {
             String s1=args[0];
                                                                                
            try {
              ldapSearch mySearch = new ldapSearch(s1);
              System.out.println(" ");
              System.out.println("searching.....");
              System.out.println("");
           mySearch.printResults(mySearch.search("o=ibm,c=us","(&(cn=Robert
        Dean)))"));
                                                                                
            } catch (Exception e) {
                System.err.println("ldapSearch failed.");
                e.printStackTrace();
            }
          }
        }

        FURTHER INFORMATION:
        If 1 additional parenthesis is added to the search filter as
        "(&(cn=test1))))"
        then it gives error in the case of the JNDI program also.

        I tried to search using the same filter against TDS using TDS command line utility ldapsearch.

        Ldapsearch -h <server_ip> -D cn=root -w password -s sub -b o=ibm,c=us "(&(cn=test1)))"

        It gave the bad search filter error.

        So using the ldap search utility it gives the error for wrong syntax whereas with JNDI program it passes succesfully.

        The same behaviour is seen in 1.4.2, 5.0 and 6.0.

          Attachments

            Issue Links

              Activity

                People

                Assignee:
                xuelei Xuelei Fan
                Reporter:
                elarsen Erik Larsen (Inactive)
                Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved:
                  Imported:
                  Indexed: