Does cfldap allow cfqueryparam?

I want to prevent SQL injection attacks. We have a form that asks the user for their AD username and password. Our processing code then looks like this:

<cfldap name="ldap_result" action="query" server="999.999.999.999" 
attributes="userprincipalname,title,samaccountname,sn,name,mail,cn" 
filter="(&(objectclass=user)(sAMAccountName=#form.username#))"
start="dc=us,dc=company,dc=lan"
scope="subtree"
username="US\#form.username#" 
password="#form.password#">

I would never run a query on user input without cfqueryparam (wrapping the username and password inputs), but can cfldap use something similar? (We are using CF10, if that makes a difference.)

Update:

To clarify, when I tried doing this I got the following error:

Attribute validation error for tag CFLDAP.It does not allow the attribute(s) CFSQLTYPE,VALUE.

No, you cannot use the cfqueryparam tag inside the cfldap tag. cfqueryparam is specifically for SQL queries. You have the right idea, though: never trust user input.

The cfldap tag itself does give you some protection.

LDAP injection

ColdFusion uses the <cfldap> tag to communicate with LDAP servers. This tag has an ACTION attribute that dictates the query performed against the LDAP. The valid values for this attribute are: add, delete, query (default), modify, and modifyDN. All <cfldap> calls are turned into JNDI (Java Naming And Directory Interface) lookups. However, because <cfldap> wraps the calls, it will throw syntax errors if native JNDI code is passed to its attributes, making LDAP injection more difficult.

From page 14 of the ColdFusion 8 developer security guidelines, which you should read if you have not done so already. It was written for ColdFusion 8, but much if not all of it is still relevant. There is an updated version of the document for ColdFusion 11, but it actually references the version 8 document as well.

I would suggest using a whitelist approach here. Your Active Directory has specific requirements for the username and password fields: only lower- and upper-case letters, digits, and so on. Create a regular expression that checks the user input against those valid characters. If either field contains anything else, reject the submission and do not run the cfldap call.
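The whitelist check described above, written out as an added example; this is not code from the question or the answer. The accepted character sets and length limits are illustrative assumptions and must be matched to the directory's real policy; the server address, base DN and the "US" domain prefix are the placeholders from the question. It also goes one step beyond the answer by escaping the LDAP filter metacharacters defined in RFC 4515 before the value is interpolated into the filter, as defense in depth:

```cfml
<!--- Added example, not from the original question or answer. Whitelist the
      two form fields before the cfldap call; character sets and lengths are
      assumptions and must match your Active Directory policy. --->
<cfscript>
// sAMAccountName in this example: letters, digits, dot, hyphen, underscore, 1-20 chars.
function isValidUsername(required string value) {
    return reFind("^[A-Za-z0-9._-]{1,20}$", arguments.value) > 0;
}

// Password in this example: printable characters only, no control characters, 8-128 chars.
// The password is only used for the bind (the PASSWORD attribute), never in the filter,
// but rejecting control characters and oversized input still keeps junk away from the bind.
function isValidPassword(required string value) {
    return reFind("^[[:print:]]{8,128}$", arguments.value) > 0;
}

// Defense in depth beyond the whitelist: escape the characters that have meaning in an
// LDAP search filter (RFC 4515) so a value can never change the filter's structure.
// CFML string literals do not treat backslash as an escape character.
function escapeLdapFilterValue(required string value) {
    var out = replace(arguments.value, "\", "\5c", "all");   // backslash must go first
    out = replace(out, "*", "\2a", "all");
    out = replace(out, "(", "\28", "all");
    out = replace(out, ")", "\29", "all");
    out = replace(out, chr(0), "\00", "all");
    return out;
}
</cfscript>

<!--- Reject the submission and skip the cfldap call if either field fails the whitelist. --->
<cfif NOT isValidUsername(form.username) OR NOT isValidPassword(form.password)>
    <cfoutput><p>Invalid username or password format.</p></cfoutput>
    <cfabort>
</cfif>

<cfset safeUser = escapeLdapFilterValue(form.username)>

<!--- Server address, base DN and domain prefix are the placeholders from the question. --->
<cfldap name="ldap_result" action="query" server="999.999.999.999"
    attributes="userprincipalname,title,samaccountname,sn,name,mail,cn"
    filter="(&(objectclass=user)(sAMAccountName=#safeUser#))"
    start="dc=us,dc=company,dc=lan"
    scope="subtree"
    username="US\#form.username#"
    password="#form.password#">
```

With the whitelist in place the escaping step is a no-op, because none of the escaped characters pass the username regex; it is there so that the filter stays well-formed even if the whitelist is later loosened. Keep the functions in cfscript and the cfldap call in tag syntax, since the question targets CF10, where cfldap is not available as a script function.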