LDAP Injection [Catalyst]

Carl Johnstone catalyst at fadetoblack.me.uk
Thu Jan 24 15:30:10 GMT 2008


Oh another LDAP subject that I meant to mention - LDAP Injection. It's 
something that's been mentioned regarding our use of LDAP.

For example C:P:Auth:Store:LDAP suggests using a filter like:

(&(objectClass=posixAccount)(uid=%s))

Then does:

$filter =~ s/\%s/$replace/g;


Which on a casual glance would seem to be a possibility for an LDAP-injection 
attack.

The problems due to SQL Injection are well known and nobody would write 
similar code to interact with a DB. However there seems to be little in CPAN 
that acknowledges the risks of LDAP Injection.

I suspect that Net::LDAP doesn't help here; there is a reference to making 
use of Net::LDAP::Filter to specify queries that will be properly escaped - 
however there isn't an example in the POD (hell, I glanced at the source and 
couldn't be entirely sure).

So again is this an area that anybody has considered and has some experience 
to share?

Thanks again,

Carl 
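
As an added example (not part of the original post, and not code from Catalyst or Net::LDAP): the substitution quoted above, beside a version that escapes the value as RFC 4515 requires before it is placed in the filter. The helper names and the sample inputs are constructed for illustration; Net::LDAP::Util also exports escape_filter_value for the same purpose.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Filter template quoted in the post.
my $template = '(&(objectClass=posixAccount)(uid=%s))';

# Escape an assertion value per RFC 4515: backslash, '*', '(', ')', NUL and
# other ASCII control bytes become \XX hex pairs. (Hypothetical helper name.)
sub escape_ldap_value {
    my ($value) = @_;
    $value =~ s/([\\*()\x00-\x1f\x7f])/sprintf('\\%02x', ord $1)/ge;
    return $value;
}

# The substitution from the post: the value goes into the filter unmodified.
sub build_filter_raw {
    my ($tmpl, $replace) = @_;
    (my $filter = $tmpl) =~ s/\%s/$replace/g;
    return $filter;
}

# Same substitution, but the value is escaped first, so it can only ever be
# the literal right-hand side of the uid assertion.
sub build_filter_escaped {
    my ($tmpl, $replace) = @_;
    my $safe = escape_ldap_value($replace);
    (my $filter = $tmpl) =~ s/\%s/$safe/g;
    return $filter;
}

# Constructed sample inputs: an ordinary uid and two values that contain
# filter metacharacters.
for my $input ('alice', '*', 'a)(uid=*') {
    printf "input:   %s\n", $input;
    printf "raw:     %s\n", build_filter_raw($template, $input);
    printf "escaped: %s\n\n", build_filter_escaped($template, $input);
}
```

With the raw substitution the second and third inputs change what the filter matches or how it is structured; with escaping, the parentheses and the asterisk reach the server as literal characters of the uid value.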



