Bug 42012 - create_passwd in ucs-school-lib contains faulty password policy evaluation
Status: CLOSED WONTFIX
Product: UCS@school
Classification: Unclassified
Component: Import scripts
Version: UCS@school 4.1
Hardware: Other Linux
Importance: P5 minor
Target Milestone: ---
Assigned To: UCS@school maintainers
Depends on:
Blocks:
Reported: 2016-08-16 15:56 CEST by Sönke Schwardt-Krummrich
Modified: 2023-06-12 15:39 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Description Sönke Schwardt-Krummrich univentionstaff 2016-08-16 15:56:30 CEST
The following code snippet from 
ucs-school-4.1r2/ucs-school-lib/python/models/utils.py contains several problems:

1) thrown exceptions are not correctly caught (→ "except Exception:")
2) if policy_result() returns without exception but univentionPWLength is not
   set, then
   _pw_length_cache[dn] = int(results.get('univentionPWLength', ['8'])[0])
   always returns the hardcoded 8 as the password length, even if the argument
   of create_passwd() specified something else.
3) if a pw policy is defined for the user AND for the OU, the pw policy 
   for the OU wins:
   length = _pw_length_cache.get(ou, length)
   This should not be the case, because policy_result() already extracts the
   correct value for the user.
4) the determination of the OU's DN fails if the UCS@school user is not 
   positioned below an OU. This might be a problem since UCS@school 4.1R2.
5) if the callee requested a longer password (length=20), length may be
   overwritten by a smaller value if a pw policy is set.

def create_passwd(length=8, dn=None, specials='@#$%&*-_+=\:,.;?/()'):
  if dn:
    # get dn pw policy
    if not _pw_length_cache.get(dn):
      try:
        results, policies = policy_result(dn)
        _pw_length_cache[dn] = int(results.get('univentionPWLength', ['8'])[0])
      except Exception:
        pass
    length = _pw_length_cache.get(dn, length)

    # get ou pw policy
    ou = 'ou=' + dn[dn.find('ou=') + 3:]
    if not _pw_length_cache.get(ou):
      try:
        results, policies = policy_result(ou)
        _pw_length_cache[ou] = int(results.get('univentionPWLength', ['8'])[0])
      except Exception:
        pass
    length = _pw_length_cache.get(ou, length)
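The following is an added example written for this page; it is not code from ucs-school-lib and not the reporter's own. It reproduces the length selection of the snippet above (buggy_length) next to a corrected version that treats univentionPWLength as a minimum, caches only successful lookups, catches only the lookup failure it expects, drops the separate OU lookup (policy_result() already resolves inheritance), and derives an OU DN without producing garbage for entries outside any OU. policy_result(), PolicyLookupError and the SAMPLE_POLICIES table are stand-ins constructed for the example; the real lookup comes from UCS and raises different exceptions.

```python
import secrets
import string

# Constructed stand-in for the UCS policy lookup: maps a DN to the policy
# attributes that would apply to it after inheritance. Not real directory data.
SAMPLE_POLICIES = {
    'uid=alice,cn=users,ou=school1,dc=example,dc=com': {'univentionPWLength': ['12']},
    'ou=school1,dc=example,dc=com': {'univentionPWLength': ['10']},
    'uid=carol,cn=users,ou=school2,dc=example,dc=com': {},   # no length policy at all
    'ou=school2,dc=example,dc=com': {},
}

class PolicyLookupError(Exception):
    """Assumed failure type of the lookup; the real policy_result() raises others."""

def policy_result(dn):
    """Stub with the (results, policies) return shape of the real policy_result()."""
    try:
        return SAMPLE_POLICIES[dn], []
    except KeyError:
        raise PolicyLookupError(dn)

def buggy_length(length, dn):
    """Length selection of the reported snippet, reproduced to show bugs 2 to 5."""
    cache = {}
    try:
        results, _ = policy_result(dn)
        cache[dn] = int(results.get('univentionPWLength', ['8'])[0])  # bug 2: silent 8
    except Exception:                                                # bug 1
        pass
    length = cache.get(dn, length)                                   # bug 5: caller's length lost
    ou = 'ou=' + dn[dn.find('ou=') + 3:]                             # bug 4: garbage if no ou=
    try:
        results, _ = policy_result(ou)
        cache[ou] = int(results.get('univentionPWLength', ['8'])[0])
    except Exception:
        pass
    return cache.get(ou, length)                                     # bug 3: OU wins over user

_pw_length_cache = {}

def policy_min_length(dn):
    """Return univentionPWLength for dn, or None when no policy sets it.

    Only successful lookups are cached; a failed lookup is retried next time
    instead of being masked by a hard-coded default.
    """
    if not dn:
        return None
    if dn not in _pw_length_cache:
        try:
            results, _ = policy_result(dn)
        except PolicyLookupError:
            return None
        value = results.get('univentionPWLength')
        _pw_length_cache[dn] = int(value[0]) if value else None
    return _pw_length_cache[dn]

def effective_length(length, dn):
    """The policy is a minimum: it may raise the requested length, never lower it.

    policy_result() already applies inheritance, so no separate OU lookup can
    override the user's own policy or miscompute the OU DN.
    """
    policy_len = policy_min_length(dn)
    return max(length, policy_len) if policy_len is not None else length

def school_ou_dn(dn):
    """DN starting at the first ou= RDN, or None if the entry is not below an OU.

    Plain comma split: fine for these sample DNs, not for RDN values with escaped commas.
    """
    rdns = dn.split(',')
    for i, rdn in enumerate(rdns):
        if rdn.lower().startswith('ou='):
            return ','.join(rdns[i:])
    return None

def create_passwd(length=8, dn=None, specials='@#$%&*-_+=\\:,.;?/()'):
    """Generate effective_length(length, dn) characters from the OS CSPRNG,
    with at least one lower, one upper, one digit and one special character."""
    n = effective_length(length, dn)
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, specials]
    if n < len(classes):
        raise ValueError('length %d too short for %d character classes' % (n, len(classes)))
    rng = secrets.SystemRandom()
    chars = [rng.choice(c) for c in classes]
    alphabet = ''.join(classes)
    chars += [rng.choice(alphabet) for _ in range(n - len(chars))]
    rng.shuffle(chars)
    return ''.join(chars)
```

With the sample table, buggy_length(20, alice) yields 10 (the OU policy overrides both the user policy of 12 and the requested 20) and buggy_length(20, carol) yields 8 (the missing attribute turns into the default), while effective_length() returns 20 in both cases and raises a requested 8 to alice's policy minimum of 12.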
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2019-02-05 21:43:53 CET
This issue has been filed against UCS@school 4.1 (R2). The maintenance with
bug and security fixes for UCS@school 4.1 (R2) ended on 5 April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3 (or later). 
Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug"
or simply reopen the issue. In this case please provide detailed information on
how this issue is affecting you.