IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

validate_principal: Don't try to verify that the realm is known

Browse Source 
The actual value is less important than whether it matches the
regular expression. A number of legal but difficult to know in
context realms could be passed in here (trust for example).

This fixes CVE-2024-1481

Fixes: https://pagure.io/freeipa/issue/9541

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Rob Crittenden
2024-02-22 08:29:31 -05:00
parent 404fe1018e
commit 33af154b7f
2 changed files with 10 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
ipalib/install/kinit.py
View File

@@ -15,7 +15,6 @@ from ipaplatform.paths import paths
from ipapython.ipautil import run from ipapython.ipautil import run
from ipalib.constants import PATTERN_GROUPUSER_NAME from ipalib.constants import PATTERN_GROUPUSER_NAME
from ipalib.util import validate_hostname from ipalib.util import validate_hostname
from ipalib import api
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@@ -39,7 +38,9 @@ def validate_principal(principal):
if ('/' in principal) and (' ' in principal): if ('/' in principal) and (' ' in principal):
raise RuntimeError('Invalid principal: bad spacing') raise RuntimeError('Invalid principal: bad spacing')
else: else:
realm = None # For a user match in the regex
# username = match[1]
# realm = match[2]
match = user_pattern.match(principal) match = user_pattern.match(principal)
if match is None: if match is None:
match = service_pattern.match(principal) match = service_pattern.match(principal)
@@ -48,16 +49,11 @@ def validate_principal(principal):
else: else:
# service = match[1] # service = match[1]
hostname = match[2] hostname = match[2]
realm = match[3] # realm = match[3]
try: try:
validate_hostname(hostname) validate_hostname(hostname)
except ValueError as e: except ValueError as e:
raise RuntimeError(str(e)) raise RuntimeError(str(e))
else: # user match, validate realm
# username = match[1]
realm = match[2]
if realm and 'realm' in api.env and realm != api.env.realm:
raise RuntimeError('Invalid principal: realm mismatch')
def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):

9
ipatests/test_ipalib_install/test_kinit.py
View File

@@ -17,13 +17,16 @@ from ipalib.install.kinit import validate_principal
('test/ipa.example.test@EXAMPLE.TEST', None), ('test/ipa.example.test@EXAMPLE.TEST', None),
('test/ipa@EXAMPLE.TEST', RuntimeError), ('test/ipa@EXAMPLE.TEST', RuntimeError),
('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError), ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError), ('test/ipa.1example.test@EXAMPLE.TEST', None),
('test /ipa.example,test', RuntimeError), ('test /ipa.example,test', RuntimeError),
('testuser@OTHER.TEST', RuntimeError), ('testuser@OTHER.TEST', None),
('test/ipa.example.test@OTHER.TEST', RuntimeError), ('test/ipa.example.test@OTHER.TEST', None)
]) ])
def test_validate_principal(principal, exception): def test_validate_principal(principal, exception):
try: try:
validate_principal(principal) validate_principal(principal)
except Exception as e: except Exception as e:
assert e.__class__ == exception assert e.__class__ == exception
else:
if exception is not None:
raise RuntimeError('Test should have failed')