Univention Bugzilla – Bug 28496
endless loop in modules/univention/admin/handlers/users/user.py # logonHoursUnmap()
Last modified: 2024-03-07 13:07:22 CET
def logonHoursUnmap(logontimes):
    "converts the string to a bit array"
    times=logontimes[0][:42]
    while len(times)<42:
        times=times
When (and how often) does the error actually occur?
So far not in normal operation, but it can be provoked like this (sLH is one character too short):

eval "$(ucr shell ldap/base)"
udm users/user create --option samba --set lastname=Hahn --set username=phahn --set password=univention
ldapmodify -x -D "cn=admin,$ldap_base" -w "$(</etc/ldap.secret)" <<__LDIF__
dn: uid=phahn,$ldap_base
changetype: modify
replace: sambaLogonHours
sambaLogonHours: fff000fff000fff000fff000fff000fff000fff00
__LDIF__
univention-ldapsearch -xLLLb "uid=phahn,$ldap_base" sambaLogonHours
udm users/user list &
gdb -p $(pgrep -f /usr/share/univention-directory-manager-tools/univention-cli-server)
bt
#0 builtin_len (self=<unknown at remote 0x29>, v='fff000fff000fff000fff000fff000fff000fff00') at ../Python/bltinmodule.c:1312
#1 0x080e1151 in call_function (f=
    Frame 0xa430ee4, for file /usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py, line 1050, in logonHoursUnmap (logontimes=['fff000fff000fff000fff000fff000fff000fff00'], times='fff000fff000fff000fff000fff000fff000fff00'), throwflag=0) at ../Python/ceval.c:3738
#2 PyEval_EvalFrameEx (f=
    Frame 0xa430ee4, for file /usr/lib/pymodules/python2.6/univention/admin/handlers/users/user.py, line 1050, in logonHoursUnmap (logontimes=['fff000fff000fff000fff000fff000fff000fff00'], times='fff000fff000fff000fff000fff000fff000fff00'), throwflag=0) at ../Python/ceval.c:2412
#3 0x080e2507 in PyEval_EvalCodeEx ...
Created attachment 4691
Fix logonHoursMap and logonHoursUnMap

Because I just fell victim to this bug again, here is the replacement for logonHoursMap, logonHoursUnmap and intToBinary.

1. The comments on both functions are utterly wrong: the function does not return a bit field, but an array of bit indices.
2. The aforementioned endless loop.
3. Computing with string bit fields instead of using bit operations directly.

The patch hopefully speaks volumes:

 user.py | 85 +++++++++++++---------------------------------------------------
 1 file changed, 18 insertions(+), 67 deletions(-)

For testing:

if __name__ == '__main__':
    for tv in (
        '',
        '0',
        '1',
        'f',
        '10',
        'ff',
        '00ff',
        '012345678901234567890123456789012345678901',
        '0123456789012345678901234567890123456789012',
    ):
        old = logonHoursUnmap([tv])
        new = logonHoursUnmap2([tv])
        if old == new:
            print 'OK: %s' % (tv,)
        else:
            print 'FAIL: %s' % (tv,)
            print '\told: %s' % (old,)
            print '\tnew: %s' % (new,)
    for tv in (
        [],
        [0],
        [3],
        [7],
        range(24),
        range(24 * 7),
    ):
        old = logonHoursMap(tv)
        new = logonHoursMap2(tv)
        if old == new:
            print 'OK: %s' % (tv,)
        else:
            print 'FAIL: %s' % (tv,)
            print '\told: %s' % (old,)
            print '\tnew: %s' % (new,)
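The bounded decoding that points 2 and 3 above call for, as an added Python 3 example that is not the attached patch or Univention's code. The function names, the zero-padding of short values and the step-limited copy of the reported loop are assumptions; the low-bit-first order within each byte is taken from the verification output further down this page.

```python
"""Added illustration: bounded decoding of sambaLogonHours (not UCS code)."""

HEX_LEN = 42  # 21 bytes = 168 bits, one bit per hour of the week


def buggy_unmap_steps(value, max_steps=1000):
    """Run the loop from the report with a step limit; return steps used."""
    times = value[:HEX_LEN]
    steps = 0
    while len(times) < HEX_LEN and steps < max_steps:
        times = times  # no-op from the original: the length never changes
        steps += 1
    return steps


def logon_hours_unmap(value):
    """Return the sorted indices (0..167) of the hours whose bit is set."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    # Pad or truncate in one bounded step instead of looping on the length.
    padded = value[:HEX_LEN].ljust(HEX_LEN, "0")
    raw = bytes.fromhex(padded)  # raises ValueError on non-hex input
    return [
        byte_no * 8 + bit
        for byte_no, byte in enumerate(raw)
        for bit in range(8)
        if byte >> bit & 1
    ]


def logon_hours_map(hours):
    """Inverse of logon_hours_unmap: hour indices -> 42 hex characters."""
    raw = bytearray(HEX_LEN // 2)
    for hour in hours:
        if not 0 <= hour < HEX_LEN * 4:
            raise ValueError("hour index out of range: %r" % (hour,))
        raw[hour // 8] |= 1 << (hour % 8)
    return raw.hex()


# Constructed input: the 41-character value from the reproduction above.
SHORT = "fff000fff000fff000fff000fff000fff000fff00"

if __name__ == "__main__":
    print(buggy_unmap_steps(SHORT))  # stops only because of the step limit
    print(logon_hours_unmap(SHORT))
    print(logon_hours_map(logon_hours_unmap(SHORT)))
```
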
*** Bug 33989 has been marked as a duplicate of this bug. ***
Cool, a nice DoS :)
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
See https://git.knut.univention.de/univention/ucs/-/merge_requests/915
See https://git.knut.univention.de/univention/ucs/-/merge_requests/1072
*** Bug 56998 has been marked as a duplicate of this bug. ***
Package: univention-directory-manager-modules
Version: 15.0.25-12
Branch: ucs_5.0-0
Scope: errata5.0-6

[5.0-6] b0b737ff65 test(udm): xfail map-county-to-st
 management/univention-directory-manager-modules/unittests/test_udm_filters.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[5.0-6] c1f11ee159 fix(udm/container): Un-share _encoders from cn
 .../modules/univention/udm/modules/container_ou.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

[5.0-6] e23a97ac05 refactor(udm): Remove unused imports
 .../univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py | 1 +
 .../modules/univention/admin/handlers/kerberos/kdcentry.py | 2 --
 .../univention-directory-manager-modules/modules/univention/admin/handlers/mail/folder.py | 2 --
 .../univention-directory-manager-modules/modules/univention/admin/handlers/mail/lists.py | 2 --
 .../univention-directory-manager-modules/modules/univention/admin/handlers/users/contact.py | 1 -
 5 files changed, 1 insertion(+), 7 deletions(-)

[5.0-6] 35c24f57d1 refactor(udm): SambaLogonHours
 doc/errata/staging/univention-directory-manager-modules.yaml | 3 +-
 .../modules/univention/admin/handlers/users/user.py | 102 ++++++++++------------------
 .../modules/univention/admin/syntax.py | 19 +++---
 .../modules/univention/udm/encoders.py | 2 +-
 4 files changed, 47 insertions(+), 79 deletions(-)
OK: not endless loop anymore

>>> from univention.admin.handlers.users.user import logonHoursUnmap
>>> logonHoursUnmap([b'fff000fff000fff000fff000fff000fff000fff00'])
[0, 1, 2, 3, 4, 5, 6, 7, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, 31, 36, 37, 38, 39, 48, 49, 50, 51, 52, 53, 54, 55, 60, 61, 62, 63, 72, 73, 74, 75, 76, 77, 78, 79, 84, 85, 86, 87, 96, 97, 98, 99, 100, 101, 102, 103, 108, 109, 110, 111, 120, 121, 122, 123, 124, 125, 126, 127, 132, 133, 134, 135, 144, 145, 146, 147, 148, 149, 150, 151, 156, 157, 158, 159]

OK: advisory
OK: Jenkins Tests
OK: Code review
OK: duplicate bug #56998 is fixed
<https://errata.software-univention.de/#/?erratum=5.0x991>