JDK-6449574 : Invalid ldap filter is accepted and processed
- Type: Bug
- Component: core-libs
- Sub-Component: javax.naming
- Affected Version: 5.0
- Priority: P4
- Status: Closed
- Resolution: Fixed
- OS: windows_xp
- CPU: sparc
- Submitted: 2006-07-17
- Updated: 2010-11-30
- Resolved: 2010-11-30
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| Other | Other | JDK 6 | JDK 7 |
|---|---|---|---|
| 5.0u22-revFixed | 5.0u23Fixed | 6u17-revFixed | 7 b68Fixed  |
Related Reports
|
Relates :
|
Description
OPERATING SYSTEM(S):
Win32, Windows XP
FULL JDK VERSION(S):
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode)
DESCRIPTION:
An invalid ldap search filter is passed to JNDI, which is processed successfully and passed to ldap server to get the results.
The following is the search filter that is passed.
(&(cn=Robert Dean)))
This filter is syntactically invalid.
Run the jndi ldap program passing ldap server ip address as command line argument and it gives an error.
The following JNDI program which has same search filter, passes successfully without any error.
//JNDI program
import java.util.Properties;
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Enumeration;
public class ldapSearch {
Properties env;
DirContext ctx;
ldapSearch(String URLaddress)
throws SecurityException,NamingException {
Properties env = new Properties();
env.setProperty(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
env.setProperty(Context.PROVIDER_URL, "ldap://"+URLaddress+":389");
env.setProperty(Context.SECURITY_PRINCIPAL,"cn=root");
env.setProperty(Context.SECURITY_CREDENTIALS,"root");
ctx = new InitialDirContext(env);
}
public NamingEnumeration
search(String from, String filter)
throws NamingException {
SearchControls constr = new SearchControls();
// let is search whole subtree
constr.setSearchScope(
SearchControls.SUBTREE_SCOPE);
return(ctx.search(from, filter, constr));
}
public void printResults(NamingEnumeration res)
throws Exception {
while (res != null && res.hasMore()) {
// Thread.sleep(3000);
SearchResult si = (SearchResult)res.next();
System.out.println("\nname: " + si.getName());
Attributes attrs = si.getAttributes();
if (attrs == null) {
System.out.println("No attributes");
}
else {
for (NamingEnumeration ae = attrs.getAll();
ae.hasMoreElements();) {
Attribute attr = (Attribute)ae.next();
String attrId = attr.getID();
for (Enumeration vals = attr.getAll();
vals.hasMoreElements();
System.out.println(attrId+": "+
vals.nextElement()));
}
}
}
}
public static void main(String[] args) {
String s1=args[0];
try {
ldapSearch mySearch = new ldapSearch(s1);
System.out.println(" ");
System.out.println("searching.....");
System.out.println("");
mySearch.printResults(mySearch.search("o=ibm,c=us","(&(cn=Robert
Dean)))"));
} catch (Exception e) {
System.err.println("ldapSearch failed.");
e.printStackTrace();
}
}
}
FURTHER INFORMATION:
If 1 additional parenthesis is added to the search filter as
"(&(cn=test1))))"
then it gives error in the case of the JNDI program also.
I tried to search using the same filter against TDS using TDS command line utility ldapsearch.
Ldapsearch -h <server_ip> -D cn=root -w password -s sub -b o=ibm,c=us "(&(cn=test1)))"
It gave the bad search filter error.
So using the ldap search utility it gives the error for wrong syntax whereas with JNDI program it passes succesfully.
The same behaviour is seen in 1.4.2, 5.0 and 6.0.
Comments
|