Univention Bugzilla – Attachment 8173 Details for
Bug 42804
Missing ldap filter escaping in mail
[patch]
patch
42804.patch (text/plain), 2.31 KB, created by
Florian Best
on 2016-10-31 16:04 CET
Description:
patch
Filename:
MIME Type:
Creator:
Florian Best
Created:
2016-10-31 16:04 CET
Size:
2.31 KB
patch
obsolete
>diff --git a/mail/univention-mail-postfix/share/listfilter.py b/mail/univention-mail-postfix/share/listfilter.py
>index 2204c53..8fa1e2f 100755
>--- a/mail/univention-mail-postfix/share/listfilter.py
>+++ b/mail/univention-mail-postfix/share/listfilter.py
>@@ -37,6 +37,8 @@
> import re
> import traceback
> import syslog
>+
>+from ldap.filter import filter_format
> from univention.config_registry import ConfigRegistry
>
> usage = "help"
>@@ -79,7 +81,7 @@ def listfilter(attrib):
> # try the ldap stuff, if that fails send email anyway
> # get recipient restriction
> ldap_attr = ["univentionAllowedEmailGroups", "univentionAllowedEmailUsers"]
>- ldap_filter = '(&(mailPrimaryAddress=%s)(|(objectclass=univentionMailList)(objectclass=posixGroup)))' % recipient
>+ ldap_filter = filter_format('(&(mailPrimaryAddress=%s)(|(objectclass=univentionMailList)(objectclass=posixGroup)))', [recipient])
> result = ldap.search(base=options.ldap_base, filter=ldap_filter, attr=ldap_attr)
>
> if result:
>@@ -99,13 +101,13 @@ def listfilter(attrib):
>
> # get dn and groups of sender
> if check_sasl_username:
>- ldap_filter = '(&(uid=%s)(objectclass=posixAccount))' % sender
>+ ldap_filter = filter_format('(&(uid=%s)(objectclass=posixAccount))', [sender])
> else:
>- ldap_filter = '(&(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))(objectclass=posixAccount))' % (sender, sender, sender)
>+ ldap_filter = filter_format('(&(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))(objectclass=posixAccount))', (sender, sender, sender))
> user_result = ldap.search(base=options.ldap_base, filter=ldap_filter, attr=["dn"])
> if user_result:
> user_dn = user_result[0][0]
>- ldap_filter = '(uniqueMember=%s)' % user_dn
>+ ldap_filter = filter_format('(uniqueMember=%s)', [user_dn])
> group_result = ldap.search(base=options.ldap_base, filter=ldap_filter, attr=["dn"])
> if group_result:
> for i in group_result:
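Review bot: Nothing at the `filter_format` call for `recipient` says why the escaping is required, so a later cleanup could turn it back into `%` interpolation; the same holds for the three calls in the `@@ -99,13 +101,13 @@` hunk. I would put `# address values are request-supplied: always build filters with filter_format so LDAP metacharacters are escaped` above the first call, assuming `recipient` and `sender` are read from `attrib`, which is not visible here. Note also that `filter_format` expects string arguments where `%` accepted any object, so if either value can be missing the call now raises and ends up in the broad handler at the end of the function; a guard such as `if not sender or not recipient:` before the lookups would make that case explicit. The body of `listfilter` starts and ends outside these hunks.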
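Review bot: The assertion values are passed as a list in the `uid` and `uniqueMember` calls but as a tuple in the `mailPrimaryAddress`/`mailAlternativeAddress`/`mail` call; `filter_format` accepts either, but one form throughout is easier to scan, e.g. `[sender, sender, sender]`. Escaping `user_dn` before the `uniqueMember` search is worth a short comment as well, such as `# DNs may contain ( ) * \ and must be escaped too`, since a value read back from the directory can look safe to interpolate directly.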
>@@ -136,7 +138,7 @@ def listfilter(attrib):
> return "DUNNO no restrictions"
> else:
> return "DUNNO no group found for %s" % recipient
>- except Exception:
>+ except Exception: # FIXME: never catch everything
> return "WARN Error with attrib={}, check_sasl_username={}, traceback={}".format(
> attrib, check_sasl_username, traceback.format_exc().replace("\n", " "))
>
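Review bot: The added FIXME leaves the handler as it was, so any exception raised during the lookups still ends in a `WARN` reply, which logs and lets the message continue; the earlier comment `if that fails send email anyway` suggests this is deliberate. For a restricted list that is a fail-open path, because an error in the check skips the restriction instead of enforcing it. I would narrow the `except` to the directory and lookup errors that are actually expected, and consider answering `DEFER_IF_PERMIT` for those so delivery is retried once the lookup works again. The reply also embeds `attrib` and the whole traceback, so request-supplied text reaches the log line with only newlines replaced; logging the traceback through `syslog` and returning a short fixed message would keep the reply predictable. The `try` this handler belongs to opens outside the hunk.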