Bug 28496 - endless loop in modules/univention/admin/handlers/users/user.py # logonHoursUnmap()
endless loop in modules/univention/admin/handlers/users/user.py # logonHoursU...
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Users
UCS 4.4
Other Linux
: P4 normal (vote)
: UCS 5.0-6-errata
Assigned To: Philipp Hahn
Florian Best
https://git.knut.univention.de/univen...
:
: 33989 56998 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-09-13 17:54 CEST by Philipp Hahn
Modified: 2024-03-07 13:07 CET (History)
4 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Cleanup, Security, Troubleshooting
Max CVSS v3 score: 4.9 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P)
hahn: Patch_Available+


Attachments
Fix logonHoursMap and logonHoursUnMap (3.65 KB, patch)
2012-09-28 09:50 CEST, Philipp Hahn
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2012-09-13 17:54:41 CEST
def logonHoursUnmap(logontimes):
»·······"converts the string to a bit array"
»·······times=logontimes[0][:42]
»·······while len(times)<42:
»·······»·······times=times
Comment 1 Alexander Kläser univentionstaff 2012-09-13 18:52:47 CEST
Wann (und wie oft) tritt der Fehler denn auf?
Comment 2 Philipp Hahn univentionstaff 2012-09-13 20:21:40 CEST
Bisher nicht im normalen Betrieb, aber do kann man es provozieren (sLH ist ein Zeichen zu kurz):

eval "$(ucr shell ldap/base)"
udm users/user create --option samba --set lastname=Hahn --set username=phahn --set password=univention
ldapmodify -x -D "cn=admin,$ldap_base" -w "$(</etc/ldap.secret)" <<__LDIF__
dn: uid=phahn,$ldap_base
changetype: modify
replace: sambaLogonHours
sambaLogonHours: fff000fff000fff000fff000fff000fff000fff00
__LDIF__
univention-ldapsearch -xLLLb "uid=phahn,$ldap_base" sambaLogonHours
udm users/user list &

gdb -p $(pgrep -f /usr/share/univention-directory-manager-tools/univention-cli-server)
bt

#0  builtin_len (self=<unknown at remote 0x29>, v='fff000fff000fff000fff000fff000fff000fff00') at ../Python/bltinmodule.c:1312
#1  0x080e1151 in call_function (f=
    Frame 0xa430ee4, for file /usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py, line 1050, in logonHoursUnmap (logontimes=['fff000fff000fff000fff000fff000fff000fff00'], times='fff000fff000fff000fff000fff000fff000fff00'), throwflag=0) at ../Python/ceval.c:3738
#2  PyEval_EvalFrameEx (f=
    Frame 0xa430ee4, for file /usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py, line 1050, in logonHoursUnmap (logontimes=['fff000fff000fff000fff000fff000fff000fff00'], times='fff000fff000fff000fff000fff000fff000fff00'), throwflag=0) at ../Python/ceval.c:2412
#3  0x080e2507 in PyEval_EvalCodeEx ...
Comment 3 Philipp Hahn univentionstaff 2012-09-28 09:50:05 CEST
Created attachment 4691 [details]
Fix logonHoursMap and logonHoursUnMap

Weil ich gerade wieder Opfer dieses Bugs wurde, hier der Ersatz für logonHoursMap, logonHoursUnmap und intToBinary.

1. Die Kommentare an beiden Funktionen sind grottenfalsch: Die Funktion liefert keine Bitfeld, sonder ein Feld von Bit-Indices.
2. Besagte Endlosschleife.
3. Rechnen mit Sting-Bitfeldern statt direkter Verwendung von Bit-Operationen.

Der Patch spricht hoffentlich Bände:
 user.py |   85 +++++++++++++---------------------------------------------------
 1 file changed, 18 insertions(+), 67 deletions(-)

Zum Testen:
if __name__ == '__main__':
	for tv in (
			'',
			'0',
			'1',
			'f',
			'10',
			'ff',
			'00ff',
			'012345678901234567890123456789012345678901',
			'0123456789012345678901234567890123456789012',
			):
		old = logonHoursUnmap([tv])
		new = logonHoursUnmap2([tv])
		if old == new:
			print 'OK: %s' % (tv,)
		else:
			print 'FAIL: %s' % (tv,)
			print '\told: %s' % (old,)
			print '\tnew: %s' % (new,)

	for tv in (
			[],
			[0],
			[3],
			[7],
			range(24),
			range(24 * 7),
			):
		old = logonHoursMap(tv)
		new = logonHoursMap2(tv)
		if old == new:
			print 'OK: %s' % (tv,)
		else:
			print 'FAIL: %s' % (tv,)
			print '\told: %s' % (old,)
			print '\tnew: %s' % (new,)
Comment 4 Philipp Hahn univentionstaff 2014-11-17 14:06:50 CET
*** Bug 33989 has been marked as a duplicate of this bug. ***
Comment 5 Florian Best univentionstaff 2016-11-10 17:58:29 CET
Cool, a nice DoS :)
Comment 6 Stefan Gohmann univentionstaff 2019-01-03 07:18:36 CET
This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Comment 9 Florian Best univentionstaff 2024-02-28 21:18:04 CET
*** Bug 56998 has been marked as a duplicate of this bug. ***
Comment 10 Philipp Hahn univentionstaff 2024-02-28 22:07:50 CET
Package: univention-directory-manager-modules
Version: 15.0.25-12
Branch: ucs_5.0-0
Scope: errata5.0-6

[5.0-6] b0b737ff65 test(udm): xfail map-county-to-st
 management/univention-directory-manager-modules/unittests/test_udm_filters.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[5.0-6] c1f11ee159 fix(udm/container): Un-share _encoders from cn
 .../modules/univention/udm/modules/container_ou.py                                    | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

[5.0-6] e23a97ac05 refactor(udm): Remove unused imports
 .../univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py      | 1 +
 .../modules/univention/admin/handlers/kerberos/kdcentry.py                                  | 2 --
 .../univention-directory-manager-modules/modules/univention/admin/handlers/mail/folder.py   | 2 --
 .../univention-directory-manager-modules/modules/univention/admin/handlers/mail/lists.py    | 2 --
 .../univention-directory-manager-modules/modules/univention/admin/handlers/users/contact.py | 1 -
 5 files changed, 1 insertion(+), 7 deletions(-)

[5.0-6] 35c24f57d1 refactor(udm): SambaLogonHours
 doc/errata/staging/univention-directory-manager-modules.yaml    |   3 +-
 .../modules/univention/admin/handlers/users/user.py             | 102 ++++++++++------------------
 .../modules/univention/admin/syntax.py                          |  19 +++---
 .../modules/univention/udm/encoders.py                          |   2 +-
 4 files changed, 47 insertions(+), 79 deletions(-)
Comment 11 Florian Best univentionstaff 2024-03-01 09:45:36 CET
OK: not endless loop anymore
>>> from univention.admin.handlers.users.user import logonHoursUnmap
>>> logonHoursUnmap([b'fff000fff000fff000fff000fff000fff000fff00'])
[0, 1, 2, 3, 4, 5, 6, 7, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, 31, 36, 37, 38, 39, 48, 49, 50, 51, 52, 53, 54, 55, 60, 61, 62, 63, 72, 73, 74, 75, 76, 77, 78, 79, 84, 85, 86, 87, 96, 97, 98, 99, 100, 101, 102, 103, 108, 109, 110, 111, 120, 121, 122, 123, 124, 125, 126, 127, 132, 133, 134, 135, 144, 145, 146, 147, 148, 149, 150, 151, 156, 157, 158, 159]
OK: advisory
OK: Jenkins Tests
OK: Code review
OK: duplicate bug #56998 is fixed