Bug 41111

Summary: allocators don't escape values in LDAP filters
Product: UCS
Reporter: Florian Best <best>
Component: UDM (Generic)
Assignee: UMC maintainers <umc-maintainers>
Status: CLOSED DUPLICATE
QA Contact:
Severity: normal
Priority: P5
CC: best, geerds, gohmann, schwardt, wiesenthal
Version: UCS 4.1
Flags: best: Patch_Available+
Target Milestone: ---
Hardware: Other
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Cleanup, Error handling, Security, Usability
Max CVSS v3 score:
Attachments: patch

Description Florian Best univentionstaff 2016-04-25 11:17:27 CEST
Created attachment 7616: patch

allocator.py doesn't escape values in LDAP filters.

E.g. modifying a user's mailPrimaryAddress to include special characters causes LDAP filter injection:
LDAP error: Bad search filter: mailPrimaryAddress=tim2)@school.local

Or:
udm groups/group create --set name=foo --set mailAddress='foo(bar@school.local'
The mail address is already in use.

Attached is a patch which fixes it.

+++ This bug was initially created as a clone of Bug #28662 +++

If a UDM allocator is used to reserve an attribute with a value that contains parentheses, a traceback is thrown because the resulting search filter is not valid.

[...]
  File "/usr/lib/python2.4/site-packages/univention/admin/handlers/my/module.py", line 168, in _ldap_addlist
    univention.admin.allocators.request(self.lo, self.position, ldapattr, value = self[propertyname])
  File "/usr/lib/python2.4/site-packages/univention/admin/allocators.py", line 167, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope = _type2scope[type])
  File "/usr/lib/python2.4/site-packages/univention/admin/allocators.py", line 157, in acquireUnique
    if not lo.searchDn(base=searchBase, filter='%s=%s' % (attr, value)):
  File "/usr/lib/python2.4/site-packages/univention/admin/uldap.py", line 331, in searchDn
    raise univention.admin.uexceptions.ldapError, _err2str(msg)
univention.admin.uexceptions.ldapError: Bad search filter

Noticed in UCS 2.4, but it affects all versions. There are more places in the allocator that are affected in the same way. Please fix those as well.

The value should be re-encoded beforehand with ldap.filter.escape_filter_chars().
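The two filter constructions side by side, as an added example that is not code from the UCS/UDM project: `build_filter_unsafe()` interpolates the value verbatim, as the `'%s=%s' % (attr, value)` line in the traceback does, and `build_filter_safe()` applies the escaping the report asks for. `escape_filter_chars()` here reimplements the RFC 4515 character mapping that python-ldap's `ldap.filter.escape_filter_chars()` uses, so the example runs without python-ldap installed. `search()`, `value_is_free()` and the `SAMPLE_ENTRIES` directory are constructed stand-ins for `lo.searchDn()` and the allocator's uniqueness test, not the real LDAP client. The example goes one step beyond the parentheses shown in the report: an unescaped `*` turns the uniqueness check into a presence or substring search, which is the other reason the value must be escaped.

```python
"""Added example, not code from the UCS/UDM project: an LDAP equality filter
built from an untrusted value the way acquireUnique() in the traceback does
it, beside the escaped form the fix applies. escape_filter_chars() mirrors
the RFC 4515 mapping of python-ldap's ldap.filter.escape_filter_chars();
search() is a small stand-in for lo.searchDn() over a constructed directory."""

# RFC 4515, section 3: these characters in an assertion value must be
# written as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_chars(value):
    """Escape one assertion value (same mapping as ldap.filter.escape_filter_chars)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(attr, value):
    """What acquireUnique() did: the value lands in the filter verbatim."""
    return "%s=%s" % (attr, value)


def build_filter_safe(attr, value):
    """The fix: special characters are escaped, so the server compares the
    value literally instead of parsing it as filter syntax."""
    return "%s=%s" % (attr, escape_filter_chars(value))


def parens_balanced(ldap_filter):
    """Rough well-formedness check: unbalanced parentheses are exactly what
    the server rejects as 'Bad search filter'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def _unescape(value):
    """Turn \\XX hex escapes back into the literal characters they encode."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _substring_match(pattern, text):
    """Match a value pattern containing '*' wildcards; a bare '*' (presence
    filter) matches every entry that has the attribute at all."""
    parts = [_unescape(p) for p in pattern.split("*")]
    if not (text.startswith(parts[0]) and text.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for part in parts[1:-1]:
        idx = text.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return pos <= len(text) - len(parts[-1])


# Constructed sample directory for the offline demo (not real data).
SAMPLE_ENTRIES = [
    {"dn": "uid=anna,cn=users,dc=school,dc=local",
     "mailPrimaryAddress": "anna@school.local"},
    {"dn": "uid=tim,cn=users,dc=school,dc=local",
     "mailPrimaryAddress": "tim@school.local"},
]


def search(ldap_filter, entries=SAMPLE_ENTRIES):
    """Stand-in for lo.searchDn(): evaluate a single 'attr=value' assertion.
    Raises ValueError for filters a server would reject as not well formed."""
    if "=" not in ldap_filter or not parens_balanced(ldap_filter):
        raise ValueError("Bad search filter: %s" % ldap_filter)
    attr, value = ldap_filter.split("=", 1)
    if "*" in value:  # an unescaped '*' turns the lookup into a wildcard search
        return [e["dn"] for e in entries
                if attr in e and _substring_match(value, e[attr])]
    literal = _unescape(value)
    return [e["dn"] for e in entries if e.get(attr) == literal]


def value_is_free(attr, value, build=build_filter_safe):
    """The uniqueness test acquireUnique() performs: free if nothing matches."""
    return not search(build(attr, value))
```

With the unsafe builder, `tim2)@school.local` produces a filter the server rejects, and a value of `*` matches every entry, so the allocator would report any address as already in use; with the safe builder both are compared literally. In real code, python-ldap's `ldap.filter.filter_format('%s=%s', [attr, value])` does the escaping in one step.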
Comment 1 Florian Best univentionstaff 2016-07-01 13:25:42 CEST

*** This bug has been marked as a duplicate of bug 40129 ***