Symfony LDAP - Data Safety?

[h4ckninja]

Reading the LDAP section (http://symfony.com/doc/current/components/ldap.html), it is fairly limited in information.

As a user of the documentation as a whole, I want to know a few things that the Doctrine information does explain. For example:

• Who is responsible for protecting against LDAP injection? The LDAP component or the developer (me)?
• How do I learn about what safety features do exist, barring reading the code? Is that information currently available?

[h4ckninja]

I just found #5756, so I'll follow along in there.

[csarrazi]

Hi @micheal. I'll continue this discussion here instead, as this topic is much more specific than the general Ldap component's documentation.

As of now, the LDAP component does not provide any security features, and it falls back on the developer to provide proper escaping. However, the Security component does escape values provided when binding against an LDAP server, likewise for the user provider.

[h4ckninja]

Cheers. :)

Well in that case, can the documentation be updated to reflect that? I'm happy to help write whatever. I'd just hate to see someone caught off-guard.

[csarrazi]

Sure!

By the way, if you also wish to contribute, feel free to submit a PR here! 😃

[javiereguiluz]

Closing it as fixed by #7508.