minor #7508 Added a caution note about the LDAP injection attacks (javiereguiluz)

xabbuh · xabbuh · commit 3d2ce904a280 · 2017-03-13T09:44:30.000+01:00
This PR was merged into the 2.8 branch. Discussion ---------- Added a caution note about the LDAP injection attacks After reading [this comment](#6795 (comment)) by @csarrazi I'm not sure which protection does the LDAP component offer and which one it doesn't ... so please, review this carefully. Thanks! Commits ------- dfc2867 Added a caution note about the LDAP injection attacks
diff --git a/security/ldap.rst b/security/ldap.rst
@@ -167,6 +167,13 @@ use the ``ldap`` user provider.
             ),
         );
 
+.. caution::
+
+    The Security component escapes values provided when binding against an LDAP
+    server (likewise for the user provider). However, the LDAP component does
+    not provide any other escaping, so it's your responsibility to prevent
+    the LDAP injection attacks.
+
 The ``ldap`` user provider supports many different configuration options:
 
 service
