Univention Bugzilla – Full Text Bug Listing

Summary: | No check for invalid countryName in LDAP base
---|---
Product: | UCS
Component: | System setup
Status: | CLOSED FIXED
Severity: | normal
Priority: | P5
Version: | UCS 4.1
Target Milestone: | UCS 4.1-0-errata
Hardware: | Other
OS: | Linux
Reporter: | Jürn Brodersen <brodersen>
Assignee: | Florian Best <best>
QA Contact: | Daniel Tröder <troeder>
CC: | best, gohmann, hahn, klaeser, walkenhorst
Description
Jürn Brodersen
2015-11-13 15:40:57 CET
It would be so easy if we already have a running LDAP server:

    import ldap

    def is_valid_dn(lo, dn):
        # Let the server judge the DN syntax with a base-scope search on it.
        try:
            lo.search_s(dn, ldap.SCOPE_BASE)
        except ldap.INVALID_DN_SYNTAX:
            return False
        except ldap.LDAPError:
            # Other errors (e.g. NO_SUCH_OBJECT) are not syntax errors, so the DN is fine.
            pass
        return True
Otherwise we could just restrict C to only 2 letters in the regex and hope that there are no more invalid combinations:
re.compile('^(c=[A-Za-z]{2}|(dc|cn|o|l)=[a-zA-Z0-9-]+)(,(c=[A-Za-z]{2}|((dc|cn|o|l)=[a-zA-Z0-9-]+)))+$')
I could not imagine a better solution than adapting the regex. We could also use ldap.dn.explodeDn(), which validates even a little bit more (syntax) but doesn't validate this case and also allows more than our current restrictions. As I think it doesn't happen often, I did not touch the JavaScript validation nor adapt the help texts.

Daniel Tröder (comment #3):

countryName should be 'RFC2256: ISO-3166 country 2-letter code'. That is available from:

    map(operator.itemgetter(0), univention.admin.syntax.Country.choices)

(In reply to Daniel Tröder from comment #3)
> countryName should be 'RFC2256: ISO-3166 country 2-letter code'. That is
> available from:
>
> map(operator.itemgetter(0), univention.admin.syntax.Country.choices)

Well, OpenLDAP allows ZZ as a country code in an LDAP base. Nevertheless, I changed it by checking a static list.

FYI: we should avoid using syntax classes in the regular code, as they are part of UDM and probably not meant to be used outside.

univention-system-setup (9.0.2-25):
r66731 | Bug #39941: Bug #39376: restrict country codes in ldap/base; fix UMC-Webserver restart

OK: code
OK: advisory
OK: manual test:

    python -c 'from univention.management.console.modules.setup.util import is_ldap_base; print is_ldap_base("dc=foo,dc=bar"); print is_ldap_base("c=de,dc=foo,dc=bar"); print is_ldap_base("c=dd,dc=foo,dc=bar")'
    True
    True
    False
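The following is an added example, not code from the UCS project or from this thread, showing the two checks the discussion contrasts: the regex proposed above only constrains the shape of each RDN, so it accepts c=dd, while a static list of ISO 3166-1 alpha-2 codes rejects it. The country list is a constructed subset (a real implementation ships the full list), and the function names is_ldap_base, matches_thread_regex, split_rdns and check are this example's own. Whether the UCS static list contains ZZ, which OpenLDAP accepts, is not stated in the thread; this example treats ZZ as invalid.

```python
import re

# The regex proposed in the thread, reproduced to show what it alone accepts:
# any two letters after "c=", so "c=dd" passes the shape check.
THREAD_REGEX = re.compile(
    r'^(c=[A-Za-z]{2}|(dc|cn|o|l)=[a-zA-Z0-9-]+)'
    r'(,(c=[A-Za-z]{2}|((dc|cn|o|l)=[a-zA-Z0-9-]+)))+$'
)

# Constructed subset of ISO 3166-1 alpha-2 codes for this example (assumption:
# a real implementation ships the complete list). "ZZ" is deliberately absent,
# so the user-assigned code that OpenLDAP accepts is rejected here.
ISO_3166_ALPHA2 = frozenset(
    "AT AU BE BR CA CH CN CZ DE DK ES FI FR GB IE IN IT JP NL NO PL SE US".split()
)

# Per-RDN checks; attribute types and value charsets are those of THREAD_REGEX.
_COUNTRY_RDN = re.compile(r'^c=([A-Za-z]{2})$')
_OTHER_RDN = re.compile(r'^(dc|cn|o|l)=[A-Za-z0-9-]+$')


def matches_thread_regex(dn):
    """Shape check only: True for c=dd,dc=foo,dc=bar, which is the reported bug."""
    return THREAD_REGEX.match(dn) is not None


def split_rdns(dn):
    """Split a DN on commas. Safe here because the accepted value charset
    contains neither commas nor backslashes, so RFC 4514 escaping cannot occur."""
    return dn.split(',')


def is_ldap_base(dn, countries=ISO_3166_ALPHA2):
    """Return True if dn is an acceptable LDAP base:
    - at least two RDNs (the regex requires '(...)(,...)+'),
    - every RDN is c=, dc=, cn=, o= or l= with the restricted charset,
    - every c= value is a known ISO 3166 alpha-2 code, compared
      case-insensitively because the regex accepts both cases.
    """
    rdns = split_rdns(dn)
    if len(rdns) < 2:
        return False
    for rdn in rdns:
        country = _COUNTRY_RDN.match(rdn)
        if country:
            if country.group(1).upper() not in countries:
                return False
        elif not _OTHER_RDN.match(rdn):
            return False
    return True


def check(dn):
    """Return (regex_result, static_list_result) so the two checks can be compared."""
    return matches_thread_regex(dn), is_ldap_base(dn)


if __name__ == '__main__':
    for dn in ('dc=foo,dc=bar', 'c=de,dc=foo,dc=bar', 'c=dd,dc=foo,dc=bar',
               'c=zz,dc=foo,dc=bar', 'dc=foo', 'ou=foo,dc=bar'):
        print('%-22s regex=%-5s static_list=%s' % ((dn,) + check(dn)))
```

The three DNs from the QA comment give True, True, False as there; the c=dd case is exactly where the regex and the list check disagree, which is why the fix added the list rather than tightening the pattern further.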