Bug 34420 - Univention-directory-logger: undetectable base64 encoding
Univention-directory-logger: undetectable base64 encoding
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.0
All Linux
: P5 normal (vote)
: UCS 4.1-3-errata
Assigned To: Philipp Hahn
Felix Botner
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-28 20:01 CET by Philipp Hahn
Modified: 2016-10-26 17:09 CEST (History)
6 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
Suggested patch for /usr/lib/univention-directory-listener/system/directory_logger.py to add the prefix (344 bytes, patch)
2016-09-14 14:21 CEST, Julius Hinrichs
Details | Diff
Updated patch for /usr/lib/univention-directory-listener/system/directory_logger.py (344 bytes, patch)
2016-09-14 17:01 CEST, Julius Hinrichs
Details | Diff
Alternative solution (591 bytes, patch)
2016-09-28 14:53 CEST, Julius Hinrichs
Details | Diff
base64 encoding (2.73 KB, patch)
2016-10-11 17:30 CEST, Philipp Hahn
Details | Diff
34420.diff (1.45 KB, patch)
2016-10-17 14:30 CEST, Philipp Hahn
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2014-03-28 20:01:33 CET
base64 encoded attributes should be prefixed by "::" as in LDIF:

$ cat /var/log/univention/directory-logger.log
> DN: uid=z5kibcöa,cn=users,dc=phahn,dc=dev
...
> New values:
> uid: ejVraWJjw7Zh

$ base64 -d <<<ejVraWJjw7Zh
z5kibcöa
Comment 1 Janis Meybohm univentionstaff 2015-06-25 09:39:23 CEST
Ticket#2015061821000522

Reported again by customer and this is still the case for UCS 4.

We should fix this as customers may use the logged LDIF's to restore LDAP-objects that were mistakenly deleted. Without the "::" prefix the base64 encoded attributes will be written to LDAP as strings and that may(will) lead to encoding problems down the road.
Comment 2 Julius Hinrichs univentionstaff 2016-09-14 14:21:53 CEST
Created attachment 8006 [details]
Suggested patch for /usr/lib/univention-directory-listener/system/directory_logger.py to add the prefix
Comment 3 Florian Best univentionstaff 2016-09-14 16:37:25 CEST
(In reply to Julius Hinrichs from comment #2)
> Created attachment 8006 [details]
> Suggested patch for
> /usr/lib/univention-directory-listener/system/directory_logger.py to add the
> prefix

The patch would write "foo::: bar" into the LDIF.
By the way: There are libs in python to create LDIF's. Maybe that's better because they automatically handle this? (Not sure, I don't know the context of the listener).
Comment 4 Florian Best univentionstaff 2016-09-14 16:38:47 CEST
(In reply to Florian Best from comment #3)
> (In reply to Julius Hinrichs from comment #2)
> > Created attachment 8006 [details]
> > Suggested patch for
> > /usr/lib/univention-directory-listener/system/directory_logger.py to add the
> > prefix
> 
> The patch would write "foo::: bar" into the LDIF.
The patch would write "::foo: bar" instead of "foo:: bar".
Comment 5 Julius Hinrichs univentionstaff 2016-09-14 17:01:56 CEST
Created attachment 8008 [details]
Updated patch for /usr/lib/univention-directory-listener/system/directory_logger.py

This should return the correct notation.
Comment 6 Arvid Requate univentionstaff 2016-09-27 18:15:45 CEST
Your change calculates base64Filter(value) twice, I guess that can be coded more efficiently.
Comment 7 Julius Hinrichs univentionstaff 2016-09-28 14:53:23 CEST
Created attachment 8044 [details]
Alternative solution

In this version the base64value is calculated only once.
Comment 8 Florian Best univentionstaff 2016-09-28 15:04:25 CEST
Comment on attachment 8044 [details]
Alternative solution

If performance matters:

def ldapEntry2string(entry):
    return ''.join(
        '%s%s %s\n' % (key, ':' if base64value == value else '::', base64value)
        for key, valuelist in entry.iteritems()
        for value, base64value in ((value, base64Filter(value)) for value in valuelist)
    )
Comment 9 Philipp Hahn univentionstaff 2016-10-11 17:30:26 CEST
Created attachment 8089 [details]
base64 encoding

base64 detection is incomplete as well - stolen from python-ldap
Comment 10 Philipp Hahn univentionstaff 2016-10-13 11:44:12 CEST
r73116 | Bug #34420 log: Fix base64 encoding

Package: univention-directory-logger
Version: 7.0.1-2.39.201610131121
Branch: ucs_4.1-0
Scope: errata4.1-3

r73131 | Bug #34420 log: Fix base64 encoding

r73141 | Bug #25404,Bug #34916,Bug #34420,Bug #42665: univention-directory-logger YAML
 univention-directory-logger.yaml
Comment 11 Philipp Hahn univentionstaff 2016-10-17 14:30:06 CEST
Created attachment 8117 [details]
34420.diff

b0275d1 Bug #34420 log: Fix base64 encoding
Comment 12 Felix Botner univentionstaff 2016-10-21 11:04:56 CEST
OK - base64 encoding
OK - ldif: '::' for base64 encoded attributes
OK - yaml
OK - merged to 4.2
Comment 13 Janek Walkenhorst univentionstaff 2016-10-26 17:09:00 CEST
<http://errata.software-univention.de/ucs/4.1/317.html>