Bug 42405 - escape DN's in ucsschool.lib.schoolldap
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Ucsschool-lib
Version: UCS@school 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 5.0 v1
Assigned To: Florian Best
QA Contact: Christian Castens
Depends on:
Blocks:
Reported: 2016-09-15 13:21 CEST by Florian Best
Modified: 2021-11-29 17:20 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Cleanup, Error handling, Troubleshooting
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch (4.21 KB, patch)
2016-09-15 13:21 CEST, Florian Best

Description Florian Best univentionstaff 2016-09-15 13:21:23 CEST
Created attachment 8012 [details]
patch

There are some DN's which are configurable via UCR variables. They currently can break UCS@school or allow LDAP DN injections as they are not escaped.

Attached patch fixes this.
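
The injection risk named in the description, as an added example that is not part of the original report or the attached patch: a standard-library sketch of RFC 4514 DN-value escaping and RFC 4515 filter-value escaping (python-ldap ships equivalents as `ldap.dn.escape_dn_chars` and `ldap.filter.escape_filter_chars`). The helper names, the base DN and the configured value are constructed for illustration.

```python
# Added example: stdlib-only escaping per RFC 4514 (DN values) and RFC 4515
# (filter values). Helper names and all sample values are constructed.
DN_SPECIAL = '\\,+"<>;='
FILTER_MAP = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_dn_value(value: str) -> str:
    """Escape a string for use as one attribute value inside an RDN."""
    escaped = "".join(
        "\\00" if ch == "\x00" else "\\" + ch if ch in DN_SPECIAL else ch
        for ch in value
    )
    if escaped.startswith(("#", " ")):          # leading '#' or space
        escaped = "\\" + escaped
    if len(value) > 1 and value.endswith(" "):  # trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter."""
    return "".join(FILTER_MAP.get(ch, ch) for ch in value)

def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas, to show how a server would see it."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2   # keep escaped pair together
        elif dn[i] == ",":
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    parts.append(cur)
    return parts

def unsafe_container_dn(name: str, base: str) -> str:
    return "cn=%s,%s" % (name, base)                    # config value used raw

def safe_container_dn(name: str, base: str) -> str:
    return "cn=%s,%s" % (escape_dn_value(name), base)   # value stays one RDN

BASE = "ou=school1,dc=example,dc=org"   # constructed base DN
CONFIGURED = "pupils,cn=admins"         # constructed config value with a comma

if __name__ == "__main__":
    print(split_rdns(unsafe_container_dn(CONFIGURED, BASE)))
    print(split_rdns(safe_container_dn(CONFIGURED, BASE)))
    print("(uid=%s)" % escape_filter_value("a*(b)"))
```

With the raw value the resulting DN has one more RDN than intended, so the object lands under a different parent; with escaping the whole configured string stays inside the `cn` value.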
Comment 1 Michel Smidt 2020-07-09 14:23:47 CEST
This issue has been filed against UCS@school 4.1.

UCS@school 4.1 is out of maintenance and many UCS@school components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS@school versions, please reopen it and update the UCS@school version. In this case please provide detailed information on how this issue is affecting you.
Comment 2 Florian Best univentionstaff 2020-07-09 14:25:33 CEST
Still unfixed.
Comment 4 Florian Best univentionstaff 2021-07-09 14:36:47 CEST
Fixed in:

ucs-school-lib (13.0.4)
931452b9b849 | Bug #42405: escape DNs in ucsschool.lib.schoolldap
Comment 5 Florian Best univentionstaff 2021-08-23 11:20:06 CEST
ucs-school-lib (13.0.4)
a84d8b690100 | Bug #42405: [ucs-school-lib] escape LDAP DN's and filters

ucs-school-import (18.0.1)
39b5c5574e0c | Bug #42405: [ucs-school-import] escape LDAP DN's and filters
Comment 6 Christian Castens univentionstaff 2021-08-26 10:14:11 CEST
QA:   
ucs-school-lib: LDAP DN's and filters are escaped     OK
ucs-school-import: LDAP DN's and filters are escaped  OK
Comment 7 Jürn Brodersen univentionstaff 2021-11-29 17:20:06 CET
UCS@school 5.0 v1 has been released.

https://docs.software-univention.de/release-notes-ucsschool-5.0v1-de.html

If this error occurs again, please clone this bug.