Add some basic filter validation to permissions and disallow empty filters

Try a query with a filter to see if it is at least legal. This doesn't
guarantee that the filter is at all otherwise sane.

ticket 808
This commit is contained in:
Rob Crittenden 2011-01-20 16:35:34 -05:00
parent c22a3d25da
commit fc28fae03f
3 changed files with 32 additions and 4 deletions

View File

@ -1347,6 +1347,22 @@ class InvalidSyntax(ExecutionError):
format = _('%(attr)s: Invalid syntax.')
class BadSearchFilter(ExecutionError):
"""
**4209** Raised when an invalid LDAP search filter is used
For example:
>>> raise BadSearchFilter(info='')
Traceback (most recent call last):
...
BadSearchFilter: Bad search filter
"""
errno = 4209
format = _('Bad search filter %(info)s')
class CertificateError(ExecutionError):
"""
**4300** Base class for Certificate execution errors (*4300 - 4399*).

View File

@ -163,7 +163,7 @@ aci_output = (
def _make_aci(current, aciname, kw):
def _make_aci(ldap, current, aciname, kw):
"""
Given a name and a set of keywords construct an ACI.
"""
@ -222,6 +222,16 @@ def _make_aci(current, aciname, kw):
entry_attrs = api.Command['group_show'](kw['memberof'])['result']
a.set_target_filter('memberOf=%s' % entry_attrs['dn'])
if 'filter' in kw:
# Test the filter by performing a simple search on it. The
# filter is considered valid if either it returns some entries
# or it returns no entries, otherwise we let whatever exception
# happened be raised.
if kw['filter'] in ('', None, u''):
raise errors.BadSearchFilter(info=_('empty filter'))
try:
entries = ldap.find_entries(filter=kw['filter'])
except errors.NotFound:
pass
a.set_target_filter(kw['filter'])
if 'type' in kw:
target = _type_map[kw['type']]
@ -440,7 +450,7 @@ class aci_add(crud.Create):
assert 'aciname' not in kw
ldap = self.api.Backend.ldap2
newaci = _make_aci(None, aciname, kw)
newaci = _make_aci(ldap, None, aciname, kw)
(dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci'])
@ -544,7 +554,7 @@ class aci_mod(crud.Update):
# _make_aci is what is run in aci_add and validates the input.
# Do this before we delete the existing ACI.
newaci = _make_aci(None, aciname, newkw)
newaci = _make_aci(ldap, None, aciname, newkw)
if aci.isequal(newaci):
raise errors.EmptyModlist()
@ -821,7 +831,7 @@ class aci_rename(crud.Update):
# _make_aci is what is run in aci_add and validates the input.
# Do this before we delete the existing ACI.
newaci = _make_aci(None, kw['newname'], newkw)
newaci = _make_aci(ldap, None, kw['newname'], newkw)
self.api.Command['aci_del'](aciname)

View File

@ -108,6 +108,8 @@ def _handle_errors(e, **kw):
raise errors.LimitsExceeded()
except _ldap.NOT_ALLOWED_ON_RDN:
raise errors.NotAllowedOnRDN(attr=info)
except _ldap.FILTER_ERROR:
raise errors.BadSearchFilter(info=info)
except _ldap.SUCCESS:
pass
except _ldap.LDAPError, e: