As it stands, the library unconditionally loads the contents from the file system when using the URL directive (:<), both in standard attributes and in control values. However, this makes the parser unusable for loading untrusted input without first sanitizing it. As the LDIF RFC spec notes, care should be taken when parsing untrusted input, as the file URL functionality allows malicious actors to read files from the local system (such as /etc/hostname or /etc/passwd).
While it's possible to disable the parsing of Controls entirely with the Controls boolean flag in the LDIF struct (which has the effect of disabling loading files inside control values), it's not possible to disable this behavior for attribute values. It would be preferable to have some additional option when calling ldif.Unmarshal that allows for turning off the parser's behavior of following and loading file URLs when using the :< directive.