Bug 40765 – broken ldap filters in printer.py and printergroup.py causes no validation when changing quota settings

Bug 40765 - broken ldap filters in printer.py and printergroup.py causes no validation when changing quota settings


Summary:	broken ldap filters in printer.py and printergroup.py causes no validation wh...

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UMC - Printers
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-1-errata
Assigned To:	Florian Best
QA Contact:	Johannes Keiser

URL:
Keywords:

Duplicates:	7430 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2016-02-24 12:49 CET by Florian Best
Modified:	2017-07-26 14:39 CEST (History)
CC List:	1 user (show)

See Also:	29707
What kind of report is it?:	Bug Report
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.103
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Cleanup, Error handling, Troubleshooting
Max CVSS v3 score:

Flags:	best: Patch_Available+

Attachments
patch (5.63 KB, patch) 2016-02-24 15:29 CET, Florian Best	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Best

2016-02-24 12:49:01 CET

univention/admin/handlers/shares/printer.py:
328 »   »   »   printergroups=self.lo.searchDn(filter='(&(objectClass=univentionPrinterGroup)(univentionPrinterQuotaSupport=1)(univentionPrinterSpoolHost=%s))' % self.info['spoolHost'])

>>> filter='(&(objectClass=univentionPrinterGroup)(univentionPrinterQuotaSupport=1)(univentionPrinterSpoolHost=%s))' % self.info['spoolHost']
>>> filter
"(&(objectClass=univentionPrinterGroup)(univentionPrinterQuotaSupport=1)(univentionPrinterSpoolHost=['master90.ucs.test']))"

→ Broken LDAP filter!
1. Filter is broken as it contains the python representation of a list
2. Filter is broken because a multivalue field is used to create one filter
3. There is no escaping of invalid characters leading to ldap search filter injections.

Broken in printer.py: _ldap_pre_modify, _ldap_pre_remove
Broken in printergroup.py: _ldap_modlist, _ldap_pre_remove, isValidPrinterObject

Comment 1 Florian Best

2016-02-24 15:29:56 CET

Created attachment 7501 [details]
patch

Patch (did not test it live but should work fine :))

Comment 2 Florian Best

2016-08-17 14:43:48 CEST

*** Bug 7430 has been marked as a duplicate of this bug. ***

Comment 3 Florian Best

2017-07-13 14:25:40 CEST

Rebased patch has been applied. Some changes like the escaping were already done. Some typos have been fixed which would cause tracebacks.

Now when trying to remove a printer which is part of a printer group with no other members an error message is shown and vice versa.
The detection for multiple spool hosts is also working, which is needed since Bug #29707.

univention-directory-manager-modules (12.0.17-88):
r81136 | Bug #40765: fix validation of modifying/removing of printers / printer groups

univention-directory-manager-modules.yaml:
r81137 | YAML Bug #40765

Comment 4 Johannes Keiser

2017-07-17 14:40:56 CEST

OK Deleting a printer with multiple spoolhosts from printergroup with only one member shows error

YAML: OK
-> verified

Comment 5 Erik Damrose

2017-07-26 14:39:21 CEST

<http://errata.software-univention.de/ucs/4.2/115.html>