Univention Bugzilla – Attachment 7393 Details for
Bug 40353
4.1 policy of listfilter can be bypassed by NULL sender (sender=<>)
[patch]
Improved patch
bug40353.patch (text/plain), 2.77 KB, created by
Sönke Schwardt-Krummrich
on 2016-01-06 14:44:27 CET
Description:
Improved patch
Filename:
MIME Type:
Creator:
Sönke Schwardt-Krummrich
Created:
2016-01-06 14:44:27 CET
Size:
2.77 KB
patch
obsolete
>diff --git a/ucs-4.1-0/mail/univention-mail-postfix/share/listfilter.py b/ucs-4.1-0/mail/univention-mail-postfix/share/listfilter.py
>index bdc229a..afdde47 100755
>--- a/ucs-4.1-0/mail/univention-mail-postfix/share/listfilter.py
>+++ b/ucs-4.1-0/mail/univention-mail-postfix/share/listfilter.py
>@@ -50,8 +50,6 @@ def listfilter(attr):
> 
> sender = attr.get("sender", None)
> recipient = attr.get("recipient", None)
>- action = "DUNNO default"
>- allowed = {}
> 
> if not options.ldap_base:
> return "443 LDAP base not set."
>@@ -59,8 +57,6 @@ def listfilter(attr):
> # We will never get here, because an empty recipient will have been rejected
> # earlier by Postfix with '554 5.5.1 Error: no valid recipients'.
> return "REJECT Access denied for empty recipient."
>- elif not sender:
>- return "REJECT Access denied for empty sender."
> else:
> # reuse secret file of univention-mail-cyrus
> ldap = univention.uldap.getMachineConnection(ldap_master=False, secret_file="/etc/listfilter.secret")
>@@ -72,17 +68,6 @@ def listfilter(attr):
> 
> # try the ldap stuff, if that fails send email anyway
> try:
>- # get dn and groups of sender
>- filter = '(&(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))(objectclass=posixAccount))' % (sender, sender, sender)
>- userResult = ldap.search(base=options.ldap_base, filter=filter, attr=["dn"])
>- if userResult:
>- userDn = userResult[0][0]
>- filter = '(uniqueMember=%s)' % userDn
>- groupResult = ldap.search(base=options.ldap_base, filter=filter, attr=["dn"])
>- if groupResult:
>- for i in groupResult:
>- userGroups.append(i[0])
>- 
> # get recipient restriction
> ldapAttr = ["univentionAllowedEmailGroups", "univentionAllowedEmailUsers"]
> filter = '(&(mailPrimaryAddress=%s)(|(objectclass=univentionMailList)(objectclass=posixGroup)))' % recipient 
>@@ -95,8 +80,21 @@ def listfilter(attr):
> for u in result[0][1].get("univentionAllowedEmailUsers", []):
> allowedUserDns.append(u)
> 
>- # check if there are restrictions
>+ # check if there are restrictions, check sender first
> if allowedUserDns or allowedGroupDns:
>+ if not sender:
>+ return "REJECT Access denied for empty sender to restricted list %s" % (recipient, )
>+ 
>+ # get dn and groups of sender
>+ filter = '(&(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))(objectclass=posixAccount))' % (sender, sender, sender)
>+ userResult = ldap.search(base=options.ldap_base, filter=filter, attr=["dn"])
>+ if userResult:
>+ userDn = userResult[0][0]
>+ filter = '(uniqueMember=%s)' % userDn
>+ groupResult = ldap.search(base=options.ldap_base, filter=filter, attr=["dn"])
>+ if groupResult:
>+ for i in groupResult:
>+ userGroups.append(i[0])
> 
> # check userdn in univentionAllowedEmailUsers
> if allowedUserDns:
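Review bot: The moved sender lookup still interpolates `sender` unescaped into the LDAP filter (`'(&(|(mailPrimaryAddress=%s)...' % (sender, sender, sender)`), and this value comes straight from the policy request (`attr.get("sender", None)` in the first hunk), presumably the SMTP envelope sender, so a sender containing filter metacharacters such as `*` or `)` can change which account the restriction check resolves to; the same applies to the unchanged `% recipient` filter in the previous hunk. Escape before formatting, e.g. `safe_sender = escape_filter_chars(sender)` followed by `filter = '(&(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))(objectclass=posixAccount))' % (safe_sender, safe_sender, safe_sender)`, importing `from ldap.filter import escape_filter_chars` at file top, since the local name `ldap` is rebound to the connection object in this function. Note also that `userDn` is only bound when `userResult` is non-empty, and the `# check userdn in univentionAllowedEmailUsers` branch that follows is outside the hunk, so confirm that branch does not read `userDn` for an unknown sender. The body of listfilter continues outside the hunk.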