Skip to content

Commit e6b5833

Browse files
yoffyoff
committed
python: fix typo in qhelp
1 parent 941f230 commit e6b5833

File tree

1 file changed

+6
-6
lines changed

1 file changed

+6
-6
lines changed

python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -4,22 +4,22 @@
44
<qhelp>
55
<overview>
66
<p>If an LDAP query or DN is built using string concatenation or string formatting, and the
7-
components of the concatenation include user input without any proper sanitization, a user
7+
components of the concatenation include user input without any proper sanitization, a user
88
is likely to be able to run malicious LDAP queries.</p>
99
</overview>
1010

1111
<recommendation>
1212
<p>If user input must be included in an LDAP query or DN, it should be escaped to
1313
avoid a malicious user providing special characters that change the meaning
14-
of the query. In Python2, user input should be escaped with <code>ldap.dn.escape_dn_chars</code>
15-
or <code>ldap.filter.escape_filter_chars</code>, while in Python3, user input should be escaped with
14+
of the query. In Python2, user input should be escaped with <code>ldap.dn.escape_dn_chars</code>
15+
or <code>ldap.filter.escape_filter_chars</code>, while in Python3, user input should be escaped with
1616
<code>ldap3.utils.dn.escape_rdn</code> or <code>ldap3.utils.conv.escape_filter_chars</code>
17-
depending on the component tainted by the user. A good practice is to escape filter characters
17+
depending on the component tainted by the user. A good practice is to escape filter characters
1818
that could change the meaning of the query (https://tools.ietf.org/search/rfc4515#section-3).</p>
1919
</recommendation>
2020

2121
<example>
22-
<p>In the following examples, the code accepts both <code>username</code> and <code>dc</code> from the user,
22+
<p>In the following examples, the code accepts both <code>username</code> and <code>dc</code> from the user,
2323
which it then uses to build a LDAP query and DN.</p>
2424

2525
<p>The first and the second example uses the unsanitized user input directly
@@ -30,7 +30,7 @@ components, and search for a completely different set of values.</p>
3030
<sample src="examples/example_bad1.py" />
3131
<sample src="examples/example_bad2.py" />
3232

33-
<p>In the third and four example, the input provided by the user is sanitized before it is included in the search filter or DN.
33+
<p>In the third and fourth example, the input provided by the user is sanitized before it is included in the search filter or DN.
3434
This ensures the meaning of the query cannot be changed by a malicious user.</p>
3535

3636
<sample src="examples/example_good1.py" />

0 commit comments

Comments
 (0)