From 21fdd308245b6a3e8129b6ed584487eb0d332e86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sun, 19 Oct 2008 01:32:04 +0000
Subject: [PATCH] Filter out searches for *@REALM, which takes very long time, and other ldap special characters, this should really be quoting instead.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23941 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hdb/hdb-ldap.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/hdb/hdb-ldap.c b/lib/hdb/hdb-ldap.c
index 37224d293..f50118f58 100644
--- a/lib/hdb/hdb-ldap.c
+++ b/lib/hdb/hdb-ldap.c
@@ -797,6 +797,20 @@ LDAP__lookup_princ(krb5_context context,
 krb5_error_code ret;
 int rc;
 char *filter = NULL;
+ size_t len;
+
+ /*
+ * Filter out searches for *@REALM, which takes very long time,
+ * and other ldap special characters, this should really be
+ * quoting instead.
+ */
+ len = strcspn(princname, "()*=&\\|~=<>!");
+ if (princname[len] != '\0') {
+ krb5_set_error_message(context, HDB_ERR_NOENTRY,
+ "Principal contains ldap "
+ "search term: %s", princname);
+ return HDB_ERR_NOENTRY;
+ }
 
 ret = LDAP__connect(context, db);
 if (ret)
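Review bot: The reject set passed to `strcspn` in the new guard is wider than LDAP filter syntax requires and lists `=` twice: per RFC 4515 only `*`, `(`, `)`, `\` and NUL are special inside an assertion value, so a principal containing `=`, `&`, `|`, `~`, `<`, `>` or `!` is now answered with HDB_ERR_NOENTRY even though it may exist. If princname is only ever substituted as a value in the filter built further down (that code, like the rest of LDAP__lookup_princ, is outside this hunk), `len = strcspn(princname, "()*\\");` would still block the wildcard and filter-injection cases without that side effect. Any other caller-supplied string that this function formats into a filter would need the same guard, which the hunk does not show. Until real escaping replaces the check, the block comment should also state that a rejected name is indistinguishable from a missing entry for the caller.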