IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

batch command can be used to trigger internal errors on server

Browse Source 
In ipalib, the batch command expects a specific format for arguments.
The code did not check the format of the parameters, which could trigger
internal errors on the server.
With this fix:
- a ConversionError is raised if the arg passed to batch() is not a list of
dict
- the result appended to the batch results is a ConversionError if the
'params' does not contain a tuple(list,dict)

https://fedorahosted.org/freeipa/ticket/5810

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2016-05-27 08:19:39 +02:00 committed by Martin Basti
parent 9f48c39649
commit 2c7ec27ad9
1 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
ipaserver/plugins/batch.py
View File

@ -90,6 +90,12 @@ class batch(Command):
def execute(self, methods=None, **options): def execute(self, methods=None, **options):
results = [] results = []
for arg in (methods or []): for arg in (methods or []):
# As take_args = Any, no check is done before
# Need to make sure that methods contain dict objects
if not isinstance(arg, dict):
raise errors.ConversionError(
name='methods',
error=_(u'must contain dict objects'))
params = dict() params = dict()
name = None name = None
try: try:
@ -100,9 +106,21 @@ class batch(Command):
name = arg['method'] name = arg['method']
if name not in self.Command: if name not in self.Command:
raise errors.CommandError(name=name) raise errors.CommandError(name=name)
a, kw = arg['params']
newkw = dict((str(k), v) for k, v in kw.items()) # If params are not formated as a tuple(list, dict)
params = api.Command[name].args_options_2_params(*a, **newkw) # the following lines will raise an exception
# that triggers an internal server error
# Raise a ConversionError instead to report the issue
# to the client
try:
a, kw = arg['params']
newkw = dict((str(k), v) for k, v in kw.items())
params = api.Command[name].args_options_2_params(
*a, **newkw)
except (AttributeError, ValueError, TypeError):
raise errors.ConversionError(
name='params',
error=_(u'must contain a tuple (list, dict)'))
newkw.setdefault('version', options['version']) newkw.setdefault('version', options['version'])
result = api.Command[name](*a, **newkw) result = api.Command[name](*a, **newkw)