Bug 47157 - [4.2] HTTP-API import doesn't handle hyphen in class name
[4.2] HTTP-API import doesn't handle hyphen in class name
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: HTTP-API
UCS@school 4.2
Other Linux
: P5 normal (vote)
: UCS@school 4.2 v10
Assigned To: Daniel Tröder
Ole Schwiegert
:
Depends on: 47156
Blocks:
  Show dependency treegraph
 
Reported: 2018-06-07 14:25 CEST by Daniel Tröder
Modified: 2018-07-04 18:07 CEST (History)
0 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Tröder univentionstaff 2018-06-07 14:25:02 CEST
Backport to UCS@school 4.2.

+++ This bug was initially created as a clone of Bug #47156 +++

When a CSV file containing class names with a hyphen is imported, the part before the hyphen is interpreted as school name and an error occurs, because the school is (hopefully) unknown. The school is however known beforehand, because the HTTP-API import requires it.
Furthermore an import to a different school than the one configured is not allowed. So this is actually a security breach!
Comment 1 Daniel Tröder univentionstaff 2018-06-07 14:44:58 CEST
In the configuration was missing the use of a CSV reader class. This CSV reader makes sure that the school name is always prepended to the class name.

[4.2] 8b6f145e Bug #47157: HTTP-API must always prepend school name to class names
[4.2] b8a2eee2 Bug #47157: advisory


ucs-school-import (15.0.3-47)
Comment 2 Daniel Tröder univentionstaff 2018-06-11 14:15:58 CEST
The reader class for CSV files is now configured by /usr/share/ucs-school-import/configs/user_import_http-api.json, overwritable by /var/lib/ucs-school-import/configs/user_import_http-api.json, which are now both always read.

Additionally the config is checked at runtime, to verify that the used reader is ucsschool.importer.reader.http_api_csv_reader.HttpApiCsvReader or a cubcloass of it.

[4.2] b2c38af2 Bug #47157: create HTTP-API test class
[4.2] 70f47a70 Bug #47157: add check that school names in classes column are not used
[4.2] 1166fa39 Bug #47157: add docstring
[4.2] 1621e7e2 Bug #47157: force use of HttpApiCsvReader
[4.2] 941a38ed Bug #47157: always use default and custom user_import_http-api.json, check class of active CSV reader
[4.2] b00c0de3 Bug #47157: changelog
[4.2] d10db6e0 Bug #47157: advisory


ucs-school-import (15.0.3-49)
ucs-test-ucsschool (4.0.4-95)
Comment 3 Daniel Tröder univentionstaff 2018-06-12 12:08:55 CEST
[4.2] 59254a76 Bug #47157: fix double .json, strip whitespace from class names, remove test class
[4.2] 2d4143ae Bug #47157: changelog
[4.2] 08458f83 Bug #47157: advisory update

ucs-school-import (15.0.3-52)
Comment 4 Ole Schwiegert univentionstaff 2018-06-15 09:18:28 CEST
the config file is now properly created and imported OK
school name is added as prefix OK
import ran successfully
Manual was adapted OK
reader checked OK
changelog OK
advisory OK
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2018-07-04 18:07:50 CEST
UCS@school 4.2 v10 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.2v10-de.html

If this error occurs again, please clone this bug.