ehlo,

attached two patches fix a crash in nss responder,
which was caused by recent Sumit's patches.

The 1st patch cannot be applied to master because
I plan to make some changes to the LDAP integration tests in a different thread.
But the patch with the test is attached, so there will not be such regressions
in the future.

LS
>From a719c49ccf7dda883465272439e253210446faab Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Tue, 2 Aug 2016 14:35:23 +0200
Subject: [PATCH 1/3] test_ldap: test resolving of names with special
 characters

---
 src/tests/intg/test_ldap.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 
49c1e73d6d69d25799af092103b2aa3826b22776..d8d721ea0b52e59af59b2a1ac8a31e949164167b
 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -237,6 +237,9 @@ def sanity_rfc2307(request, ldap_conn):
     ent_list.add_group("empty_group", 2010)
 
     ent_list.add_group("two_user_group", 2012, ["user1", "user2"])
+
+    ent_list.add_user("t(u)ser", 5000, 5001)
+    ent_list.add_group("group(_u)ser1", 5001, ["t(u)ser"])
     create_ldap_fixture(request, ldap_conn, ent_list)
 
     conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307)
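Review bot: The new fixture entries exercise only `(` and `)`, while RFC 4515 filter escaping also covers `*`, `\` and NUL, and of those `*` is the one that silently changes meaning rather than breaking the filter, since an unescaped wildcard turns a lookup for one name into a match on any name. Consider adding a second entry carrying a backslash or an asterisk, e.g. `ent_list.add_user("u*ser\\x", 5002, 5001)`, assuming the test directory and sssd's name parsing accept such values. sanity_rfc2307 starts before the hunk.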
@@ -837,3 +840,14 @@ def test_user_2307bis_nested_groups(ldap_conn,
             ", ".join(["%s" % s for s in sorted(gids)]),
             ", ".join(["%s" % s for s in sorted(expected_gids)])
         )
+
+def test_special_characters_in_names(ldap_conn, sanity_rfc2307):
+    ent.assert_passwd_by_name(
+        "t(u)ser",
+        dict(name="t(u)ser", passwd="*", uid=5000, gid=5001,
+             gecos="5000", shell="/bin/bash"))
+
+    ent.assert_group_by_name(
+        "group(_u)ser1",
+        dict(name="group(_u)ser1", passwd="*", gid=5001,
+             mem=ent.contains_only("t(u)ser")))
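Review bot: Only one blank line (the added line before the def) separates the new test from the preceding function, where PEP 8 and pycodestyle E302 expect two; the rest of the file's spacing is not visible here, so match whatever the other tests use. A docstring saying why the test exists would help the next reader, e.g. `"""Names containing LDAP filter metacharacters must still resolve once the filters are escaped."""`. The function that ends just before the new test starts outside the hunk.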
-- 
2.9.2

>From fc996854108a30d7ac0b3528b60dc74162c67e93 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Tue, 2 Aug 2016 15:20:35 +0200
Subject: [PATCH 2/3] SDAP: sanitize member name before using in filter

It caused the following errors:

(Tue Aug  2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users]
(0x2000): Search users with filter:
(&(objectclass=user)(nameAlias=t(u)ser@ldap))
(Tue Aug  2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users]
(0x0080): Error: 5 (Input/output error)
---
 src/providers/ldap/sdap_async_groups.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/providers/ldap/sdap_async_groups.c 
b/src/providers/ldap/sdap_async_groups.c
index 
102c1c0384be6da8732d56b7a318ded5a5132360..f19b68b8c403734f88b51a411ba0d009977d3491
 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1501,6 +1501,7 @@ sdap_process_missing_member_2307(struct 
sdap_process_group_state *state,
     const char *filter;
     const char *username;
     const char *user_dn;
+    char *sanitized_name;
     size_t count;
     struct ldb_message **msgs = NULL;
     static const char *attrs[] = { SYSDB_NAME, NULL };
@@ -1508,8 +1509,16 @@ sdap_process_missing_member_2307(struct 
sdap_process_group_state *state,
     tmp_ctx = talloc_new(NULL);
     if (!tmp_ctx) return ENOMEM;
 
+    ret = sss_filter_sanitize(tmp_ctx, member_name, &sanitized_name);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Failed to sanitize the given name:'%s'.\n", member_name);
+        goto done;
+    }
+
     /* Check for the alias in the sysdb */
-    filter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_NAME_ALIAS, 
member_name);
+    filter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_NAME_ALIAS,
+                             sanitized_name);
     if (!filter) {
         ret = ENOMEM;
         goto done;
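Review bot: The value being escaped here is a memberUid attribute value read from the directory, so beyond the parenthesis crash described in the commit message this also closes a filter-injection path: before this change the raw value was spliced into the nameAlias filter, and a value such as `*` or `x)(objectclass=*` could have matched a different cached user than the one named. That is worth stating in the commit message and in a short comment above the call, e.g. `/* member_name is untrusted directory data; escape it so it cannot alter the filter (RFC 4515) */`. If member_name is interpolated into any other filter later in this function, which is outside the hunk, the same sanitized value should be used there. sdap_process_missing_member_2307 starts before the hunk and continues after it.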
-- 
2.9.2

>From 3f0bcf5c66fcaa8f73f471d4b5d4fddf8857381b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Tue, 2 Aug 2016 15:20:19 +0200
Subject: [PATCH 3/3] SYSDB: Sanitize dn in sysdb_get_user_members_recursively

There was a crash in the nss responder when a group contained
a user with special characters, which should be sanitized before
being used in a filter.
---
 src/db/sysdb_ops.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 
ed177d1730723a61e01167a75a0baca6d81252f8..342e16fb20e2c418745b137162425509ca1fd0cb
 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4722,6 +4722,7 @@ errno_t sysdb_get_user_members_recursively(TALLOC_CTX 
*mem_ctx,
     struct ldb_result *res;
     struct ldb_dn *base_dn;
     char *filter;
+    char *sanitized_name;
     const char *attrs[] = SYSDB_PW_ATTRS;
     struct ldb_message **msgs;
 
@@ -4737,8 +4738,17 @@ errno_t sysdb_get_user_members_recursively(TALLOC_CTX 
*mem_ctx,
         goto done;
     }
 
+    ret = sss_filter_sanitize(tmp_ctx, ldb_dn_get_linearized(group_dn),
+                              &sanitized_name);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Failed to sanitize the given name:'%s'.\n",
+              ldb_dn_get_linearized(group_dn));
+        goto done;
+    }
+
     filter = talloc_asprintf(tmp_ctx, "(&("SYSDB_UC")("SYSDB_MEMBEROF"=%s))",
-                             ldb_dn_get_linearized(group_dn));
+                             sanitized_name);
     if (filter == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
         ret = ENOMEM;
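Review bot: `ldb_dn_get_linearized(group_dn)` is called twice, and if it returns NULL (ldb documents that for an invalid DN) the NULL is handed to sss_filter_sanitize and then to the DEBUG format string, and I cannot confirm from here how either treats it. Linearize once into a local, reject NULL explicitly, and reuse the string in both the sanitize call and the error message; a comment should also record that the DN goes into an ldb filter and therefore needs RFC 4515 escaping on top of its RFC 4514 DN escaping. sysdb_get_user_members_recursively starts before the hunk and continues after it.
```c
    const char *group_dn_str;
    /* … unchanged: tmp_ctx / base_dn setup … */

    group_dn_str = ldb_dn_get_linearized(group_dn);
    if (group_dn_str == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot linearize group DN.\n");
        ret = EINVAL;
        goto done;
    }

    /* The DN is spliced into an ldb filter: escape RFC 4515 metacharacters
     * so a name such as "t(u)ser" cannot break or alter the filter. */
    ret = sss_filter_sanitize(tmp_ctx, group_dn_str, &sanitized_name);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Failed to sanitize the given name:'%s'.\n", group_dn_str);
        goto done;
    }
```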
-- 
2.9.2
