python-ldap fails gloriously if the search time limit is 0. Don't allow it.

Don't allow the time limit to be set in the API. Also add a failsafe in the ldap driver because such bad things happen if this value is 0. I think it literally spends 0 time on the request and just returns immediately. ticket 752
2025-02-25 18:55:28 -06:00 · 2011-01-13 13:08:52 -05:00 · 2011-01-13 13:08:52 -05:00 · 6785283568
commit 6785283568
parent 680148ed03
2 changed files with 9 additions and 1 deletions
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@ -68,8 +68,14 @@ from ipalib import api
 from ipalib import Bool, Int, Str, IA5Str
 from ipalib.plugins.baseldap import *
 from ipalib import _
+from ipalib.errors import ValidationError


+def validate_searchtimelimit(ugettext, limit):
+    if limit == 0:
+        raise ValidationError(name='ipasearchtimelimit', error=_('searchtimelimit must be -1 or > 1.'))
+    return None
+
 class config(LDAPObject):
    """
    IPA configuration object
@ -110,7 +116,7 @@ class config(LDAPObject):
            label=_('Default e-mail domain'),
            doc=_('Default e-mail domain new users'),
        ),
-        Int('ipasearchtimelimit?',
+        Int('ipasearchtimelimit?', validate_searchtimelimit,
            cli_name='searchtimelimit',
            label=_('Search time limit'),
            doc=_('Max. amount of time (sec.) for a search (-1 is unlimited)'),
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@ -535,6 +535,8 @@ class ldap2(CrudBackend, Encoder):
                time_limit = config.get('ipasearchtimelimit', [-1])[0]
            if size_limit is None:
                size_limit = config.get('ipasearchrecordslimit', [0])[0]
+        if time_limit == 0:
+            time_limit = -1
        if not isinstance(size_limit, int):
            size_limit = int(size_limit)
        if not isinstance(time_limit, float):