Bug 47157 - [4.2] HTTP-API import doesn't handle hyphen in class name
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: HTTP-API (Kelvin)
Version: UCS@school 4.2
Hardware: Other Linux
Importance: P5 normal (vote)
Target Milestone: UCS@school 4.2 v10
Assigned To: Daniel Tröder
QA Contact: Ole Schwiegert
Depends on: 47156
Reported: 2018-06-07 14:25 CEST by Daniel Tröder
Modified: 2018-07-04 18:07 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171

Description Daniel Tröder univentionstaff 2018-06-07 14:25:02 CEST
Backport to UCS@school 4.2.

+++ This bug was initially created as a clone of Bug #47156 +++

When a CSV file containing class names with a hyphen is imported, the part before the hyphen is interpreted as the school name and an error occurs, because the school is (hopefully) unknown. The school is, however, known beforehand, because the HTTP-API import requires it.
Furthermore, an import to a different school than the one configured is not allowed. So this is actually a security breach!
Comment 1 Daniel Tröder univentionstaff 2018-06-07 14:44:58 CEST
The configuration was missing the use of a CSV reader class. This CSV reader makes sure that the school name is always prepended to the class name.

[4.2] 8b6f145e Bug #47157: HTTP-API must always prepend school name to class names
[4.2] b8a2eee2 Bug #47157: advisory


ucs-school-import (15.0.3-47)
Comment 2 Daniel Tröder univentionstaff 2018-06-11 14:15:58 CEST
The reader class for CSV files is now configured by /usr/share/ucs-school-import/configs/user_import_http-api.json, overwritable by /var/lib/ucs-school-import/configs/user_import_http-api.json, which are now both always read.

Additionally, the config is checked at runtime to verify that the used reader is ucsschool.importer.reader.http_api_csv_reader.HttpApiCsvReader or a subclass of it.

[4.2] b2c38af2 Bug #47157: create HTTP-API test class
[4.2] 70f47a70 Bug #47157: add check that school names in classes column are not used
[4.2] 1166fa39 Bug #47157: add docstring
[4.2] 1621e7e2 Bug #47157: force use of HttpApiCsvReader
[4.2] 941a38ed Bug #47157: always use default and custom user_import_http-api.json, check class of active CSV reader
[4.2] b00c0de3 Bug #47157: changelog
[4.2] d10db6e0 Bug #47157: advisory


ucs-school-import (15.0.3-49)
ucs-test-ucsschool (4.0.4-95)
Comment 3 Daniel Tröder univentionstaff 2018-06-12 12:08:55 CEST
[4.2] 59254a76 Bug #47157: fix double .json, strip whitespace from class names, remove test class
[4.2] 2d4143ae Bug #47157: changelog
[4.2] 08458f83 Bug #47157: advisory update

ucs-school-import (15.0.3-52)
Comment 4 Ole Schwiegert univentionstaff 2018-06-15 09:18:28 CEST
the config file is now properly created and imported OK
school name is added as prefix OK
import ran successfully
Manual was adapted OK
reader checked OK
changelog OK
advisory OK
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2018-07-04 18:07:50 CEST
UCS@school 4.2 v10 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.2v10-de.html

If this error occurs again, please clone this bug.
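
The flaw and the fix discussed in this report, as an added sketch that is not part of the original report and is not ucs-school-import code: the hyphen-splitting parse next to a version that always prepends the school the import is bound to, plus a runtime reader-class check. All function and class names, the rejection policy and the sample school names are assumptions made for illustration.

```python
# Added illustration only: every name below is hypothetical and none of this
# is ucs-school-import code. Sample values are constructed.


class ImportConfigError(Exception):
    """The import must not run with this input or configuration."""


def naive_parse(class_value):
    """Flawed behaviour from the report: text before the first hyphen is
    taken as the school, so the CSV content picks the target school."""
    school, _, name = class_value.partition("-")
    return school, name


def bound_class_name(class_value, bound_school, known_schools):
    """Hardened form: the school comes from the request, never from the CSV."""
    name = class_value.strip()  # whitespace around the name is dropped
    if not name:
        raise ImportConfigError("empty class name")
    prefix, hyphen, _ = name.partition("-")
    # Assumed policy: a value that already starts with a school name is
    # rejected instead of being silently re-prefixed.
    if hyphen and prefix.lower() in {s.lower() for s in known_schools}:
        raise ImportConfigError("school name used in class column: %r" % name)
    return "%s-%s" % (bound_school, name)


class RequiredReader(object):
    """Stand-in for the reader class the HTTP-API configuration must use."""


def check_reader(reader_cls, required=RequiredReader):
    """Runtime check: refuse any reader that is not `required` or a subclass."""
    if not (isinstance(reader_cls, type) and issubclass(reader_cls, required)):
        raise ImportConfigError("reader %r is not allowed" % (reader_cls,))
    return reader_cls


if __name__ == "__main__":
    schools = {"school1", "school2"}  # constructed sample
    print(naive_parse("school2-1a"))  # CSV value selects another school
    print(bound_class_name(" 10-b ", "school1", schools))
```

Because the bound school is always the first component, a downstream split on the first hyphen resolves to the school the import was authorized for.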