>> I think the correct way to fix this is removing zero bytes from the
>> affected strings. I could implement that in various places and I
>> wonder what would be the best:
>>
>> 1) in the LDAP and AD auth plugins
>> 2) in the auth handling (thus applying to all auth plugins)
>> 3) in $INPUT filtering all GET and POST vars always
>
> I lean towards implementing a fix in (2). Good defensive programming would
> suggest it's implemented in (1) no matter what, and that the LDAP/AD plugins
> query to discover the type of the bind (I have no idea if that is possible,
> efficient or reasonable).

I don't think LDAP can discover the type of bind. It's success or failure
only; the type is determined by the type of credentials.

Anyway, I implemented it in 2) here:
https://github.com/splitbrain/dokuwiki/pull/868

I also added a filter mechanism to the $INPUT class here:
https://github.com/splitbrain/dokuwiki/pull/869

I'd appreciate some quick feedback on both. I guess we should also issue a
hotfix release.

Andi

--
splitbrain.org

--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
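The two points raised above (strip zero bytes from the submitted values, and the fact that the server only reports bind success or failure while the kind of bind is decided by the credentials you hand it) together suggest what an auth layer should do before it ever calls the LDAP client. The following is an added example, not code from the DokuWiki pull requests or from the $INPUT class; the function names stripNullBytes() and credentialsBindable() and the sample inputs are made up here for illustration.

```php
<?php
// Added example (not DokuWiki code): sanitise credentials before an LDAP bind.
// Helper names and sample data below are assumptions for this illustration.

/**
 * Remove NUL bytes from a string, or recursively from every string in an
 * array, which is the shape a filter over all GET/POST values would see.
 * PHP strings may carry embedded NULs; a C-level LDAP client treats the
 * first NUL as the end of the value, so "secret\0x" would be sent as "secret"
 * and "\0" as an empty string.
 */
function stripNullBytes($value)
{
    if (is_array($value)) {
        return array_map('stripNullBytes', $value);
    }
    if (is_string($value)) {
        return str_replace("\0", '', $value);
    }
    return $value;
}

/**
 * Decide whether a simple bind should be attempted at all.
 * The server answers only "success" or "failure"; it is the credentials
 * that decide what kind of bind that was. An empty password turns a simple
 * bind into an unauthenticated bind that can "succeed" without proving
 * anything about the user, so refuse empty values (after filtering) here,
 * before the bind, rather than trying to recognise the case afterwards.
 */
function credentialsBindable($user, $pass)
{
    $user = stripNullBytes($user);
    $pass = stripNullBytes($pass);
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    return $user !== '' && $pass !== '';
}

// Constructed sample POST bodies, as an auth handler would receive them.
$samples = array(
    array('u' => 'alice', 'p' => 'hunter2'),      // ordinary login
    array('u' => 'alice', 'p' => "\0"),           // NUL-only: empty after filtering
    array('u' => 'alice', 'p' => "\0hunter2"),    // leading NUL: would truncate to ""
    array('u' => "alice\0,ou=admins", 'p' => 'x'), // NUL inside the user part
    array('u' => '', 'p' => 'hunter2'),           // no user at all
);

foreach ($samples as $s) {
    $clean = stripNullBytes($s);
    printf(
        "user=%-20s pass=%-10s bindable=%s\n",
        json_encode($clean['u']),
        json_encode($clean['p']),
        credentialsBindable($s['u'], $s['p']) ? 'yes' : 'no'
    );
}
```

Stripping alone is not enough on its own: the second and third samples are exactly the inputs whose truncated form is an empty password, and the credentialsBindable() check is what turns them into a plain refusal instead of a bind whose "success" means nothing. Applying stripNullBytes() centrally (option 2 or 3 in the quoted mail) protects every auth backend, while the empty-credential check belongs with whichever code actually performs the bind.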