Bug 40129 - LDAP filter escaping incomplete
LDAP filter escaping incomplete
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-2-errata
Assigned To: Florian Best
Stefan Gohmann
: 10687 34432 34522 41111 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2015-11-30 13:53 CET by Florian Best
Modified: 2016-09-26 13:30 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Error handling, External feedback, Security
Max CVSS v3 score:

patch (1.04 KB, patch)
2015-11-30 13:53 CET, Florian Best
Details | Diff
patch (2.16 KB, patch)
2015-12-02 15:58 CET, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Florian Best univentionstaff 2015-12-01 18:22:09 CET
Having such an object in the LDAP (e.g. because that name was synched from AD to LDAP) causes also that the self-service cannot be used anymore:

Execution of command 'passwordreset/get_reset_methods' has failed: Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 283, in execute function(self, request) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 120, in _decorated return func(self, *args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 190, in _response return function(self, request) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 347, in get_reset_methods blacklisted = self.is_blacklisted(username) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 460, in is_blacklisted groups_dns.extend(self.get_nested_groups(group_dn)) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 496, in get_nested_groups group = self.get_udm_group(groupdn) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 562, in get_udm_group group = self.groupmod.lookup(self.config, self.lo, filter_s=gidf, base=base)[0] File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 1100, in lookup for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit): File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 359, in search raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter)) ldapError: Bad search filter: (&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))(cn=Foo-Gruppe (BAR)))
Comment 2 Florian Best univentionstaff 2015-12-01 18:29:34 CET
Oh no, this is a bug in the self service module itself.
Comment 3 Florian Best univentionstaff 2015-12-02 15:58:22 CET
Created attachment 7342 [details]

The functions univention.admin.parentDn and univention.admin.explodeDn should also use the official functions from the ldap library.
Comment 5 Florian Best univentionstaff 2015-12-08 11:02:21 CET
Reported again, 4.0-4 errata363 (Walle)

Hallo, Aufgrund diesen Fehler kann ich die Gruppe weder bearbeiten, noch umbennen oder löschen. Es klappt nicht über die management oberfläche und auch nicht über ssh.

Können Sie mir da weiterhelfen?
Comment 7 Florian Best univentionstaff 2016-06-23 19:58:45 CEST
All broken LDAP filter escaping in univention-directory-manager-modules has been fixed.

univention-directory-manager-modules (11.0.3-17):
r70589 | Bug #40129: escape ldap filters
Comment 8 Florian Best univentionstaff 2016-06-27 17:59:02 CEST
univention-python (9.0.1-4):
r70653 | Bug #40129: use official python-LDAP utilities

r70599 | YAML Bug #41580, Bug #40041, Bug #40129, Bug #38110, Bug #40422

univention-directory-manager-modules (11.0.3-21):
r70620 | Bug #40129: fix filter formatting for multivalue fields
→ use only the first value of that multivalue, should be fixed correctly by Bug #7430

r70654 | YAML Bug #40129
Comment 9 Florian Best univentionstaff 2016-06-30 18:13:53 CEST
Found some more:

univention-directory-manager-modules (11.0.3-25):
r70751 | Bug #40129: more LDAP filter escaping
Comment 11 Florian Best univentionstaff 2016-07-01 13:25:42 CEST
*** Bug 41111 has been marked as a duplicate of this bug. ***
Comment 12 Florian Best univentionstaff 2016-07-01 14:35:48 CEST
(In reply to Philipp Hahn from comment #10)
> This seems to have broken the last Jenkins run: +280 failures like
> <http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-2/job/
> AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/
> testReport/66_udm-computers/01_all_roles_removal/test/>

univention-directory-manager-modules (11.0.3-28):
r70768 | Bug #40129: fixup svn r70751
Comment 13 Florian Best univentionstaff 2016-07-04 15:06:13 CEST
Reported again, 4.1-2 errata206 (Vahr)

Remark: Gave OU a name with brackets in UMC.  Appeared to work on creation and moving a computer object into it.  However, subsequent renaming in Active directory computers and users exposed a problem with sync to openldap.  Subsequent attempts to rename, move computer object and delete OU all give the below search filter error.  Assume it's failing on brackets in the name.

Execution of command 'udm/nav/object/query navigation' has failed:

Traceback (most recent call last):
  File "%PY2.7%/notifier/threads.py", line 82, in _run
    tmp = self._function()
  File "%PY2.7%/notifier/__init__.py", line 104, in __call__
    return self._function( *tmp, **self._kwargs )
  File "%PY2.7%/univention/management/console/modules/udm/__init__.py", line 1035, in _thread
    for module, obj in list_objects(container, object_type=object_type):
  File "%PY2.7%/univention/management/console/modules/udm/udm_ldap.py", line 1074, in list_objects
    yield (module, module.get(dn))
  File "%PY2.7%/univention/management/console/modules/udm/udm_ldap.py", line 87, in _decorated
    return method(*args, **kwargs)
  File "%PY2.7%/univention/management/console/ldap.py", line 135, in _decorated
    result = func(*args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/udm/udm_ldap.py", line 507, in get
  File "%PY2.7%/univention/admin/handlers/computers/windows.py", line 395, in open
    univention.admin.handlers.simpleComputer.open( self )
  File "%PY2.7%/univention/admin/handlers/__init__.py", line 1273, in open
    result=self.lo.search(base=self.lo.base, filter=searchFilter, attr=['dn'])
  File "%PY2.7%/univention/admin/uldap.py", line 363, in search
    raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter))
ldapError: Bad search filter: (&(objectclass=univentionGroup)(uniqueMember=cn=***,ou=Laptops \\(roaming\\),dc=***,dc=com,dc=au))
Comment 14 Stefan Gohmann univentionstaff 2016-07-06 10:00:04 CEST
Very good.

Code review: OK
         r70653 → OK
         r70589 → OK
         r70620 → OK
         r70751 → OK
         r70768 → OK

YAML: OK (minor adjustment r70835)

Tests: OK
Comment 16 Florian Best univentionstaff 2016-07-15 14:57:36 CEST
*** Bug 10687 has been marked as a duplicate of this bug. ***
Comment 17 Florian Best univentionstaff 2016-07-19 18:13:22 CEST
Reported again, 4.1-2 errata206 (Vahr)
Comment 18 Philipp Hahn univentionstaff 2016-07-20 10:35:26 CEST
*** Bug 34522 has been marked as a duplicate of this bug. ***
Comment 19 Florian Best univentionstaff 2016-09-15 13:47:02 CEST
*** Bug 34432 has been marked as a duplicate of this bug. ***