mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
Add some basic filter validation to permissions and disallow empty filters
Try a query with a filter to see if it is at least legal. This doesn't guarantee that the filter is at all otherwise sane. ticket 808
This commit is contained in:
parent
c22a3d25da
commit
fc28fae03f
@ -1347,6 +1347,22 @@ class InvalidSyntax(ExecutionError):
|
||||
format = _('%(attr)s: Invalid syntax.')
|
||||
|
||||
|
||||
class BadSearchFilter(ExecutionError):
|
||||
"""
|
||||
**4209** Raised when an invalid LDAP search filter is used
|
||||
|
||||
For example:
|
||||
|
||||
>>> raise BadSearchFilter(info='')
|
||||
Traceback (most recent call last):
|
||||
...
|
||||
BadSearchFilter: Bad search filter
|
||||
"""
|
||||
|
||||
errno = 4209
|
||||
format = _('Bad search filter %(info)s')
|
||||
|
||||
|
||||
class CertificateError(ExecutionError):
|
||||
"""
|
||||
**4300** Base class for Certificate execution errors (*4300 - 4399*).
|
||||
|
@ -163,7 +163,7 @@ aci_output = (
|
||||
|
||||
|
||||
|
||||
def _make_aci(current, aciname, kw):
|
||||
def _make_aci(ldap, current, aciname, kw):
|
||||
"""
|
||||
Given a name and a set of keywords construct an ACI.
|
||||
"""
|
||||
@ -222,6 +222,16 @@ def _make_aci(current, aciname, kw):
|
||||
entry_attrs = api.Command['group_show'](kw['memberof'])['result']
|
||||
a.set_target_filter('memberOf=%s' % entry_attrs['dn'])
|
||||
if 'filter' in kw:
|
||||
# Test the filter by performing a simple search on it. The
|
||||
# filter is considered valid if either it returns some entries
|
||||
# or it returns no entries, otherwise we let whatever exception
|
||||
# happened be raised.
|
||||
if kw['filter'] in ('', None, u''):
|
||||
raise errors.BadSearchFilter(info=_('empty filter'))
|
||||
try:
|
||||
entries = ldap.find_entries(filter=kw['filter'])
|
||||
except errors.NotFound:
|
||||
pass
|
||||
a.set_target_filter(kw['filter'])
|
||||
if 'type' in kw:
|
||||
target = _type_map[kw['type']]
|
||||
@ -440,7 +450,7 @@ class aci_add(crud.Create):
|
||||
assert 'aciname' not in kw
|
||||
ldap = self.api.Backend.ldap2
|
||||
|
||||
newaci = _make_aci(None, aciname, kw)
|
||||
newaci = _make_aci(ldap, None, aciname, kw)
|
||||
|
||||
(dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci'])
|
||||
|
||||
@ -544,7 +554,7 @@ class aci_mod(crud.Update):
|
||||
|
||||
# _make_aci is what is run in aci_add and validates the input.
|
||||
# Do this before we delete the existing ACI.
|
||||
newaci = _make_aci(None, aciname, newkw)
|
||||
newaci = _make_aci(ldap, None, aciname, newkw)
|
||||
if aci.isequal(newaci):
|
||||
raise errors.EmptyModlist()
|
||||
|
||||
@ -821,7 +831,7 @@ class aci_rename(crud.Update):
|
||||
|
||||
# _make_aci is what is run in aci_add and validates the input.
|
||||
# Do this before we delete the existing ACI.
|
||||
newaci = _make_aci(None, kw['newname'], newkw)
|
||||
newaci = _make_aci(ldap, None, kw['newname'], newkw)
|
||||
|
||||
self.api.Command['aci_del'](aciname)
|
||||
|
||||
|
@ -108,6 +108,8 @@ def _handle_errors(e, **kw):
|
||||
raise errors.LimitsExceeded()
|
||||
except _ldap.NOT_ALLOWED_ON_RDN:
|
||||
raise errors.NotAllowedOnRDN(attr=info)
|
||||
except _ldap.FILTER_ERROR:
|
||||
raise errors.BadSearchFilter(info=info)
|
||||
except _ldap.SUCCESS:
|
||||
pass
|
||||
except _ldap.LDAPError, e:
|
||||
|
Loading…
Reference in New Issue
Block a user