Bug 39941 - No check for invalid countryName in LDAP base
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: System setup
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-0-errata
Assigned To: Florian Best
QA Contact: Daniel Tröder
Reported: 2015-11-13 15:40 CET by Jürn Brodersen
Modified: 2016-02-04 13:55 CET (History)
Description Jürn Brodersen univentionstaff 2015-11-13 15:40:57 CET
The installer hangs if an invalid country code is used in the LDAP base.
For example 'c=world'.
This bug was already discussed in: Bug #36334
Comment 1 Florian Best univentionstaff 2015-12-10 10:22:55 CET
It would be so easy if we already had a running LDAP server:

import ldap

def ldap_base_has_valid_syntax(lo, dn):
    # lo is a connected ldap.LDAPObject; a base-scope search makes the
    # server parse the DN, so it reports the syntax error for us
    try:
        lo.search_s(dn, ldap.SCOPE_BASE)
    except ldap.INVALID_DN_SYNTAX:
        return False
    except ldap.LDAPError:
        pass  # any other error (no such object, ...) is not a syntax problem
    return True

Otherwise we could just restrict C to only 2 letters in the regex and hope that there are no more invalid combinations:

re.compile('^(c=[A-Za-z]{2}|(dc|cn|o|l)=[a-zA-Z0-9-]+)(,(c=[A-Za-z]{2}|((dc|cn|o|l)=[a-zA-Z0-9-]+)))+$')
Comment 2 Florian Best univentionstaff 2015-12-15 18:02:00 CET
I could not imagine a better solution than adapting the regex. We could also use ldap.dn.explodeDn() which validates even a little bit more (syntax) but doesn't validate this case and also allows more than our current restrictions.

As I think it doesn't happen often, I did not touch the JavaScript validation, nor did I adapt the help texts.
Comment 3 Daniel Tröder univentionstaff 2016-01-12 09:09:57 CET
countryName should be 'RFC2256: ISO-3166 country 2-letter code'. That is available from:

import operator
import univention.admin.syntax

# first element of each (code, label) pair
map(operator.itemgetter(0), univention.admin.syntax.Country.choices)
Comment 4 Florian Best univentionstaff 2016-01-12 12:16:23 CET
(In reply to Daniel Tröder from comment #3)
> countryName should be 'RFC2256: ISO-3166 country 2-letter code'. That is
> available from:
> 
> map(operator.itemgetter(0), univention.admin.syntax.Country.choices)
Well, OpenLDAP allows ZZ as a country code in an LDAP base. Nevertheless I changed it by checking a static list.
FYI: We should avoid using syntax classes in the regular code as they are part of UDM and probably not meant to be used outside.

univention-system-setup (9.0.2-25):
r66731 | Bug #39941: Bug #39376: restrict country codes in ldap/base; fix UMC-Webserver restart
Comment 5 Daniel Tröder univentionstaff 2016-01-13 14:32:15 CET
OK: code
OK: advisory
OK: manual test:

python -c 'from univention.management.console.modules.setup.util import is_ldap_base; print is_ldap_base("dc=foo,dc=bar"); print is_ldap_base("c=de,dc=foo,dc=bar"); print is_ldap_base("c=dd,dc=foo,dc=bar")'
True
True
False
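The two-stage check discussed in comments 1, 4 and 5, as an added example that is not code from univention-system-setup: the regex from comment 1 with c= limited to two letters, followed by a lookup in a static list of ISO 3166-1 alpha-2 codes. The function names, the (constructed, incomplete) code list and the extra inputs are assumptions; the three inputs from the manual test in comment 5 are included, and the example shows why the regex alone is not enough: "c=dd" has the right shape and is only rejected by the list.

```python
import re

# Constructed subset of ISO 3166-1 alpha-2 codes for this example; it stands in
# for the project's static list. ZZ (user-assigned in ISO 3166, accepted by
# OpenLDAP per comment 4) is deliberately absent, as in the fix.
ISO_3166_ALPHA2 = frozenset("""
AT AU BE BR CA CH CN CZ DE DK ES FI FR GB IE IT JP NL NO PL PT SE US
""".split())

# Regex from comment 1 with the country attribute limited to two letters.
# It only checks the shape of each RDN, so it still accepts c=dd.
LDAP_BASE_RE = re.compile(
    r'^(c=[A-Za-z]{2}|(dc|cn|o|l)=[a-zA-Z0-9-]+)'
    r'(,(c=[A-Za-z]{2}|((dc|cn|o|l)=[a-zA-Z0-9-]+)))+$'
)


def matches_shape(ldap_base):
    """Stage 1: does the base look like attr=value,attr=value,... ?"""
    return LDAP_BASE_RE.match(ldap_base) is not None


def invalid_country_codes(ldap_base):
    """Stage 2: return every c= value that is not in the static list."""
    bad = []
    for rdn in ldap_base.split(','):
        attr, _, value = rdn.partition('=')
        if attr.lower() == 'c' and value.upper() not in ISO_3166_ALPHA2:
            bad.append(value)
    return bad


def is_ldap_base(ldap_base):
    """Hypothetical validator: shape first, then the country codes."""
    return matches_shape(ldap_base) and not invalid_country_codes(ldap_base)


if __name__ == '__main__':
    # the three inputs from the manual test in comment 5, plus the
    # reporter's "c=world" and OpenLDAP's default "ZZ"
    for base in ("dc=foo,dc=bar", "c=de,dc=foo,dc=bar", "c=dd,dc=foo,dc=bar",
                 "c=world", "c=zz,dc=foo,dc=bar"):
        print("%-22s shape=%-5s bad=%-8s valid=%s" % (
            base, matches_shape(base), invalid_country_codes(base),
            is_ldap_base(base)))
```

The shape check keeps the comparison cheap and stops a malformed value such as "world" from ever reaching the list; the list check is what actually prevents the installer hang, because a syntactically fine but unknown code is exactly the case the regex cannot see.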
Comment 6 Janek Walkenhorst univentionstaff 2016-02-04 13:55:47 CET
<http://errata.software-univention.de/ucs/4.1/97.html>