Univention Bugzilla – Full Text Bug Listing

| Field | Value |
|---|---|
| Summary | password reset: on reset user has to use uid instead of mail-address (behaviour with pw change is different) |
| Product | UCS |
| Component | Self Service |
| Version | UCS 4.1 |
| Target Milestone | UCS 4.1-0-errata |
| Status | CLOSED FIXED |
| Severity | normal |
| Priority | P5 |
| Hardware | Other |
| OS | Linux |
| Reporter | Jens Thorp-Hansen <thorp-hansen> |
| Assignee | Daniel Tröder <troeder> |
| QA Contact | Florian Best <best> |
| CC | gohmann, troeder, walkenhorst |
Description

Jens Thorp-Hansen, 2015-11-20 11:18:08 CET

Commit 65901 (YAML 65903) adds support to allow to login/request-reset with an email address instead of the username.

Please don't use the "assert" statement in production code, as this might be stripped due to optimization (python -OO).

That code is broken:

```python
dn_part = groupdn.partition(",")
gidf = dn_part[0]
base = dn_part[-1]
```

Use ldap.explode_dn() and ldap.filter.escape_filter_chars() instead!

```
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 283, in execute
    function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 120, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 190, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 347, in get_reset_methods
    blacklisted = self.is_blacklisted(username)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 460, in is_blacklisted
    groups_dns.extend(self.get_nested_groups(group_dn))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 496, in get_nested_groups
    group = self.get_udm_group(groupdn)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 562, in get_udm_group
    group = self.groupmod.lookup(self.config, self.lo, filter_s=gidf, base=base)[0]
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 1100, in lookup
    for dn, attrs in lo.search(unicode(filter), base, scope, [], unique, required, timeout, sizelimit):
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 359, in search
    raise univention.admin.uexceptions.ldapError('%s: %s' % (_err2str(msg), filter))
ldapError: Bad search filter: (&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))(cn=Foo-Gruppe (BAR)))
```

Please also remove every use of univention.admin.config.config. This is a deprecated thing we nowhere use anymore.

```python
if not self.config:
    self.config = univention.admin.config.config()
```

(In reply to Florian Best from comment #3)

> That code is broken:
>
>     dn_part = groupdn.partition(",")
>     gidf = dn_part[0]
>     base = dn_part[-1]
>
> Use ldap.explode_dn() and ldap.filter.escape_filter_chars() instead!
>
> Traceback (most recent call last):
> [..]
> ldapError: Bad search filter:
> (&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))(cn=Foo-Gruppe (BAR)))

This code is out there on customer systems. If you find a way to break the system, please provide the data, so that it can be reproduced.

r66046: str.partition() has been replaced by ldap.explode_dn(). escape_filter_chars() is used where data comes from user input. The DNs in this code come from UDM.

(In reply to Florian Best from comment #4)

> Please remove also every use of univention.admin.config.config. This is a
> deprecated thing we nowhere use anymore.

No - those calls are everywhere in UDM! But it seems useless, so I remove the code.

Works now with the latest changes.

I wrote a test case in svn r66129. YAML: adjusted in svn r66131.
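The "Bad search filter" in the traceback comes from the group DN `cn=Foo-Gruppe (BAR),cn=groups,...` being split at the first comma and its first RDN pasted into the filter verbatim, so the unescaped parentheses corrupt the filter syntax. The following is an added example, not Univention code, that puts the broken pattern beside a hardened version. python-ldap provides `ldap.dn.explode_dn()` and `ldap.filter.escape_filter_chars()` for this; the two helpers below re-implement the subset needed here (RFC 4514 RDN splitting and unescaping, RFC 4515 filter escaping) so the example runs without the python-ldap C extension, and the `univentionGroup` filter skeleton and the example DNs are constructed for illustration. Unlike the fix described in the bug, which escapes only user-supplied data, this version escapes the RDN value unconditionally.

```python
"""Added example, not Univention code: why str.partition(",") on a DN plus an
unescaped RDN in an LDAP search filter breaks, and how proper DN parsing and
RFC 4515 escaping fix it. The helpers stand in for python-ldap's
ldap.dn.explode_dn() and ldap.filter.escape_filter_chars()."""
import string

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514: characters that may appear backslash-escaped in an RDN value.
_DN_SPECIALS = ' ,+"\\<>;#='


def escape_filter_chars(value):
    """Escape a value for safe interpolation into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def explode_dn(dn):
    """Split a DN into its RDN strings at commas that are not backslash-escaped."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return rdns


def rdn_attribute_value(rdn):
    """Split 'attr=value' and undo RFC 4514 escaping (backslash-special or \\XX hex)."""
    attr, _, raw = rdn.partition("=")
    value, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                value.append(chr(int(pair, 16)))
                i += 3
                continue
            if raw[i + 1] in _DN_SPECIALS:
                value.append(raw[i + 1])
                i += 2
                continue
        value.append(raw[i])
        i += 1
    return attr, "".join(value)


def group_filter_naive(groupdn):
    """The pattern quoted in the bug: split at the first comma, RDN goes into the filter verbatim."""
    dn_part = groupdn.partition(",")
    gidf, base = dn_part[0], dn_part[-1]
    return "(&(objectClass=univentionGroup)(%s))" % gidf, base


def group_filter_safe(groupdn):
    """Parse the DN properly and escape the RDN value before it enters the filter."""
    rdns = explode_dn(groupdn)
    attr, value = rdn_attribute_value(rdns[0])
    base = ",".join(rdns[1:])
    return "(&(objectClass=univentionGroup)(%s=%s))" % (attr, escape_filter_chars(value)), base


if __name__ == "__main__":
    # Constructed DNs: the parenthesised name from the traceback, and one with an escaped comma.
    for dn in ("cn=Foo-Gruppe (BAR),cn=groups,dc=example,dc=com",
               "cn=Foo\\, Bar,cn=groups,dc=example,dc=com"):
        print("naive:", group_filter_naive(dn))
        print("safe: ", group_filter_safe(dn))
```

For the parenthesised group the naive version yields `(cn=Foo-Gruppe (BAR))`, which an LDAP server rejects, while the safe version yields `(cn=Foo-Gruppe \28BAR\29)`. The second DN shows the other failure of `partition(",")`: an RDN containing an escaped comma is cut in half and the base DN inherits the remainder.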
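The review comment about `assert` in production code is easy to verify empirically. The following added example (not Univention code) runs a constructed one-line guard in a fresh interpreter with and without `-O` and reports whether execution got past the guard; the `require()` helper is the explicit replacement that survives optimization.

```python
"""Added example, not Univention code: an `assert` guard is compiled away under
`python -O` (and `-OO`), so a check written that way silently disappears in an
optimized deployment, whereas an explicit `if ... raise` survives."""
import subprocess
import sys

# Constructed probe scripts: each prints a marker only if execution gets past the guard.
ASSERT_GUARD = "assert 1 == 2, 'guard failed'\nprint('reached')\n"
EXPLICIT_GUARD = "if 1 != 2:\n    raise ValueError('guard failed')\nprint('reached')\n"


def runs_past_guard(script, optimize):
    """Return True if the guard in *script* was bypassed (marker printed, exit status 0)."""
    cmd = [sys.executable] + (["-O"] if optimize else []) + ["-c", script]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and "reached" in proc.stdout


def require(condition, message):
    """Drop-in replacement for `assert condition, message` that cannot be optimized away."""
    if not condition:
        raise ValueError(message)


if __name__ == "__main__":
    for name, script in (("assert", ASSERT_GUARD), ("explicit raise", EXPLICIT_GUARD)):
        for optimize in (False, True):
            flag = "-O" if optimize else "default"
            print("%-14s %-7s bypassed=%s" % (name, flag, runs_past_guard(script, optimize)))
```

Only the `assert` guard under `-O` reports `bypassed=True`; the explicit raise fails closed in both modes.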