Univention Bugzilla – Bug 40041
no escaping of DN when composing DN for newly created objects
Last modified: 2016-09-21 18:10:18 CEST
Created attachment 7314: patch

All handlers aren't sanitizing the values. Users can enter e.g. "foo,cn=bar" (resulting in the object getting created in the subcontainer bar) or "foo+bar" (resulting in LDAP errors). Most handlers are protected by their syntax classes, which don't allow e.g. '+' in their name, but not all. At least mail/*.py and container/cn.py are broken. All handlers are infected if one sets the syntax class to "string".

Patch:

sed -i "s/self.dn='/self.dn = '/g; /self.dn = / s/mapping.mapValue([^)]*)/ldap.dn.escape_dn_chars(\0)/; s/^# <http:\/\/www.gnu.org\/licenses\/>.$/\0\n\nimport ldap/" $(rgrep -l 'self.dn\s*=' )

Plus the changes in the handlers:
users/user.py
settings/xconfig_choices.py
settings/directory.py
mail/folder.py
kerberos/kdcentry.py
container/dc.py

Everything together in the attached patch.
*** Bug 17848 has been marked as a duplicate of this bug. ***
The DN generation has been moved to the simpleLDAP class. It uses by default all properties which have identifies==True to generate the name (so it is also able to create multivalued RDNs).

univention-directory-manager-modules (11.0.3-17):
r70588 | Bug #40041: escape special chars in DNs when creating objects
Also fixed uldap.py to be able to work with multi-valued RDNs:

univention-directory-manager-modules (11.0.3-23):
r70680 | Bug #40041: autopep8
r70679 | Bug #40041: handle multivalued RDNs
FYI: ldap.AVA_STRING := 1, ldap.AVA_BINARY := 2
OK: r70588, r70685
OK: MV-RDN
OK: 40041-test
OK: r70588 r70596 r70598 r70599 r70679 r70680 r70685 r70686
OK: udm container/cn create --set name=foo,ou=bar
OK: udm container/cn create --set name=foo+ou=bar
OK: kerberos/kdcentry.py
OK: mail/folder.py
OK: settings/directory
OK: settings/xconfig_choices
OK: users/user
OK: container/dc: creating it was not possible previously, now it works. It was disabled on purpose as something broke with multiple Domain-Component objects.
OK: rename multi-valued
FIXED: TypeError: %d format: a number is required, not str
OK: r70716, r70727
FIXED: univention-directory-manager-modules.yaml r70691 r70729
OK: errata-announce -V --only univention-directory-manager-modules.yaml
FIXED: univention-python.yaml r70691 r70729
OK: errata-announce -V --only univention-python.yaml
FYI: There are some cases where DNs are compared for equality. They are broken, as only the LDAP schema on the server has the information which RDNs are case-sensitive and which aren't, for example. Further, multi-valued RDNs are not handled correctly, as "a=1+b=2" and "b=2+a=1" are the same. Ignoring those issues for now (uldap.py r70728 | Bug #41580 test: Test uldap.py)

Package: ucs-test
Version: 6.0.33-82.1494.201606291918
Branch: ucs_4.1-0
Scope: errata4.1-2
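The two points raised in this bug, the unescaped value in the first comment ("foo,cn=bar" lands the object in the subcontainer bar, "foo+bar" produces an LDAP error) and the order-dependent comparison of multi-valued RDNs noted in the QA comment, shown together in an added example that is not part of the Univention bug or its patch. The patch uses python-ldap's ldap.dn.escape_dn_chars(); the escape_dn_value() function below re-implements the RFC 4514 escaping rules so the file runs without python-ldap, split_dn() is a small DN parser written for this example (hex escapes limited to one byte), and the base DN and names are constructed sample data.

```python
# Added example, not the Univention patch. escape_dn_value() re-implements the
# RFC 4514 rules that ldap.dn.escape_dn_chars() applies; split_dn() shows what
# the server would see; dn_equal() compares multi-valued RDNs order-independently.

SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape one attribute value for use inside an RDN (RFC 4514, section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):   # leading/trailing space
            out.append('\\ ')
        elif ch == '#' and i == 0:                   # leading '#'
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def compose_dn_unsafe(name, position):
    """What the affected handlers did: the raw value goes straight into the DN."""
    return 'cn=%s,%s' % (name, position)


def compose_dn_safe(name, position):
    """The fixed form: the value is escaped before the DN is assembled."""
    return 'cn=%s,%s' % (escape_dn_value(name), position)


def split_dn(dn):
    """Split a DN into a list of RDNs, each a list of (type, value) pairs.
    Raises ValueError for an AVA without '=', as an LDAP server would reject it."""
    rdns, avas = [], []
    attr, buf = None, []

    def finish_ava():
        nonlocal attr, buf
        if attr is None:
            raise ValueError('malformed RDN: %r' % ''.join(buf))
        avas.append((attr.strip().lower(), ''.join(buf)))
        attr, buf = None, []

    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == '\\' and i + 1 < n:                 # resolve an escape sequence
            nxt = dn[i + 1]
            if nxt in SPECIAL or nxt in ' #':
                buf.append(nxt)
                i += 2
            else:                                    # two hex digits -> one byte
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            continue
        if ch == '=' and attr is None:               # end of the attribute type
            attr, buf = ''.join(buf), []
        elif ch in ',+':                             # end of an AVA; '+' keeps the RDN open
            finish_ava()
            if ch == ',':
                rdns.append(avas)
                avas = []
        else:
            buf.append(ch)
        i += 1
    finish_ava()
    rdns.append(avas)
    return rdns


def normalize_dn(dn):
    """Comparison form: AVAs inside each RDN sorted, values case-folded. The case
    folding is an assumption of this demo; as the QA comment notes, only the
    server's schema knows which attribute types really are case-insensitive."""
    return tuple(tuple(sorted((t, v.lower()) for t, v in rdn)) for rdn in split_dn(dn))


def dn_equal(a, b):
    return normalize_dn(a) == normalize_dn(b)


def demo(position='cn=mail,dc=example,dc=com'):
    """Run the bug's two sample names through both composers (constructed data)."""
    results = {}
    for name in ('foo,cn=bar', 'foo+bar'):
        for label, compose in (('unsafe', compose_dn_unsafe), ('safe', compose_dn_safe)):
            dn = compose(name, position)
            try:
                rdns = split_dn(dn)
                results[(label, name)] = (dn, len(rdns), rdns[0])
            except ValueError as exc:
                results[(label, name)] = (dn, 'LDAP error', str(exc))
    results['mv-rdn order'] = dn_equal('a=1+b=2,dc=example', 'b=2+a=1,dc=example')
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, '->', value)
```

With the unsafe composer, "foo,cn=bar" yields a five-RDN DN whose object sits under cn=bar, and "foo+bar" yields an RDN the parser rejects; with escaping applied, both stay a single cn value and the DN keeps its four RDNs. Because the escaping is applied only to the value, the parent position (which the handler already knows to be a valid DN) is never escaped.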
<http://errata.software-univention.de/ucs/4.1/207.html>
<http://errata.software-univention.de/ucs/4.1/208.html>
*** Bug 32317 has been marked as a duplicate of this bug. ***
*** Bug 34749 has been marked as a duplicate of this bug. ***
*** Bug 41032 has been marked as a duplicate of this bug. ***
*** Bug 41235 has been marked as a duplicate of this bug. ***