Bug 45134 - univention-adsearch misparses multi-attribute filters
univention-adsearch misparses multi-attribute filters
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Florian Best
Lukas Oyen
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-04 11:10 CEST by Nico Stöckigt
Modified: 2017-11-01 13:49 CET (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Ticket number: 2017080321000614
Bug group (optional): Workaround is available
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch (1.08 KB, patch)
2017-08-04 11:35 CEST, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Nico Stöckigt univentionstaff 2017-08-04 11:10:08 CEST
When using univention-adsearch with multiple filters like

# univention-ldapsearch "(&(userCertificate=*)(objectClass=computer))"

the used filter is '(&(userCertificate=*)(objectClass=computer' which is simply wrong and ends up in a TraceBack.
Comment 1 Florian Best univentionstaff 2017-08-04 11:12:34 CEST
Workaround: write the following into line 201:
filter = filter_tmp
Comment 2 Florian Best univentionstaff 2017-08-04 11:13:37 CEST
# univention-adsearch "($(objectClass=computer)(!(userCertificate=*)))" 
Traceback (most recent call last):
  File "/usr/sbin/univention-adsearch", line 204, in <module>
    msgid = lo.search_ext(configRegistry['%s/ad/ldap/base' % CONFIGBASENAME],ldap.SCOPE_SUBTREE,filter.encode('utf8'),serverctrls=[lc1,lc2])
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 548, in search_ext
    timeout,sizelimit,
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.FILTER_ERROR: {'desc': 'Bad search filter'}
Comment 3 Nico Stöckigt univentionstaff 2017-08-04 11:32:22 CEST
I guess this should be fixed in UCS 4.0 as well as 4.1.
Comment 4 Florian Best univentionstaff 2017-08-04 11:35:21 CEST
Created attachment 9091 [details]
patch
Comment 5 Florian Best univentionstaff 2017-08-04 11:37:29 CEST
Attached patch fixes this. The patch works for all filters like: ['objectSid=foo', '(&(objectType=computer)(objectsid=bar))', '(&(objectType=computer)(|(objectsid=bar)(objectSid=baz)))', 'foo=bar']

(In reply to Nico Stöckigt from comment #3)
> I guess this should be fixed in UCS 4.0 as well as 4.1.
No, UCS 4.0 is out of maintenance. New fixes which are not security relevant aren't fixed for UCS 4.1 anymore but only for UCS 4.2-1.
A workaround is available by applying the attached patch to affected systems.
Comment 6 Nico Stöckigt univentionstaff 2017-08-04 12:02:08 CEST
(In reply to Florian Best from comment #5)
> Attached patch fixes this. The patch works for all filters like:
> ['objectSid=foo', '(&(objectType=computer)(objectsid=bar))',
> '(&(objectType=computer)(|(objectsid=bar)(objectSid=baz)))', 'foo=bar']
> 
> (In reply to Nico Stöckigt from comment #3)
> > I guess this should be fixed in UCS 4.0 as well as 4.1.
> No, UCS 4.0 is out of maintenance. New fixes which are not security relevant
> aren't fixed for UCS 4.1 anymore but only for UCS 4.2-1.
> A workaround is available by applying the attached patch to affected systems.

I made a version typo, of course I meant it should be fixed in 4.2 and probably also in 4.1-4.

btw. also negative filters are possible:
"(&(objectType=computer)(!(badPasswordTime=0)))"
Comment 7 Florian Best univentionstaff 2017-08-09 13:54:32 CEST
univention-ad-connector (11.0.6-21):
r81929 | Bug #45134: use ucr.is_true()
r81928 | Bug #45134: fix search filter in univention-adsearch

univention-ad-connector.yaml:
r81931 | YAML Bug #45134
Comment 8 Lukas Oyen univentionstaff 2017-08-14 12:55:46 CEST
(In reply to Florian Best from comment #7)
> r81928 | Bug #45134: fix search filter in univention-adsearch

ok: univention-adsearch "(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)"
ok: univention-adsearch "(&(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)(!(lastLogoff=0)))"

fail[1]: univention-adsearch "(objectsid=*)"
fail[2]: univention-adsearch "(objectsid=S-1-5-21*)"
fail[3]: univention-adsearch "(objectsid=\))"

[1]: This is translated into `(objectSid=\01\05\00\00\00\00\00\05)`. The old behaviour produced several results.
[2]: This should work, but fails with an error in `encode_object_sid_to_binary_ldapfilter()`.
[3]: While not meaningful, I think this would break the regex. This results in a `ldap.FILTER_ERROR: {'desc': 'Bad search filter'}`, while the old behaviour was no results.

Minor nitpick: I think the `objectsid_pattern.sub(..)` is rather unreadable. But I guess it is ok.
Comment 9 Florian Best univentionstaff 2017-08-22 13:54:40 CEST
(In reply to Lukas Oyen from comment #8)
> fail[1]: univention-adsearch "(objectsid=*)"
> [1]: This is translated into `(objectSid=\01\05\00\00\00\00\00\05)`. The old
> behaviour produced several results.
No, the old behavior didn't produce any results. It encoded it wrong, too.
I preserve this filter now.

> fail[2]: univention-adsearch "(objectsid=S-1-5-21*)"
> [2]: This should work, but fails with an error in
> `encode_object_sid_to_binary_ldapfilter()`.
The exception was the same before.
Why should this work? I think there is no substring match rule for objectSid.
I don't call encode_object_sid_to_binary_ldapfilter() anymore if the string contains a '*'.

> fail[3]: univention-adsearch "(objectsid=\))"
> [3]: While not meaningful, I think this would break the regex. This results
> in a `ldap.FILTER_ERROR: {'desc': 'Bad search filter'}`, while the old
> behaviour was no results.
OK, using a positive lookbehind for this now.

> Minor nitpick: I think the `objectsid_pattern.sub(..)` is rather unreadable. But I guess it is ok.
I made it more readable. I added a doctest string which ensures that the values/filter are correct.

univention-ad-connector (11.0.6-24):
r82406 | Bug #45134: fix search filter replacing in univention-adsearch
Comment 10 Lukas Oyen univentionstaff 2017-08-22 14:36:11 CEST
(In reply to Florian Best from comment #9)
> > fail[2]: univention-adsearch "(objectsid=S-1-5-21*)"
> Why should this work? I think there is no substring match rule for objectSid.

Right, let me rephrase that: There should not be a crude Python error.

ok: univention-adsearch "(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)"
ok: univention-adsearch "(&(objectsid=S-1-5-21-3635031200-1553950662-1512387333-1001)(!(lastLogoff=0)))"

ok: univention-adsearch "(objectsid=*)"
ok: univention-adsearch "(objectsid=S-1-5-21*)"
ok: univention-adsearch "(objectsid=\))"

Changelog/YAML: Ok.
Comment 11 Arvid Requate univentionstaff 2017-11-01 13:49:24 CET
<http://errata.software-univention.de/ucs/4.2/205.html>