--- nss_ldap-220/ldap-parse.h	2004-05-14 05:34:11.000000000 +0200
+++ nss_ldap-220/ldap-parse.h	2004-09-08 13:05:12.000000000 +0200
@@ -33,6 +33,11 @@ 
 	LA_INIT(a); \
 	LA_STRING(a) = NSS_ARGS(args)->key.name; \
 	LA_TYPE(a) = LA_TYPE_STRING; \
+	if (! is_valid_username (name) \
+	{ \
+		syslog(LOG_INFO, "Invalid username %s", name); \
+		return NSS_STATUS_NOTFOUND; \
+	} \
 	s = _nss_ldap_getbyname(&a, \
 		NSS_ARGS(args)->buf.result, \
 		NSS_ARGS(args)->buf.buffer, \
--- nss_ldap-220/util.c	2004-05-14 05:34:11.000000000 +0200
+++ nss_ldap-220/util.c	2004-09-08 13:05:45.000000000 +0200
@@ -1058,3 +1058,18 @@ 
 
   return ret;
 }
+
+int is_valid_username(char *user)
+{
+        unsigned char *p;
+
+/* This is pretty liberal, but we're going to use direct syscalls only,
+ * and they have to accept all the printable characters */
+        for (p = (unsigned char *)user; *p; p++)
+                if (*p < ' ' || *p > 0x7E || *p == '.' || *p == '/') return 0;
+
+        if (p - (unsigned char *)user > NAME_MAX) return 0;
+
+        return 1;
+}
+
--- nss_ldap-220/util.h	2004-05-14 05:34:11.000000000 +0200
+++ nss_ldap-220/util.h	2004-09-08 13:11:10.000000000 +0200
@@ -131,6 +131,8 @@ 
 NSS_STATUS _nss_ldap_escape_string (const char *str,
 				    char *buf, size_t buflen);
 
+int is_valid_username(char *user);
+
 #define MAP_H_ERRNO(nss_status, herr)   do { \
 		switch ((nss_status)) {		\
 		case NSS_SUCCESS:		\