diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-01-20 16:35:34 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-01-21 10:47:43 -0500 |
commit | fc28fae03fd1510d571a5011ef9d712c7778e578 (patch) | |
tree | fcdb81011c3e9a55cd637c1d7e46a499fd431e85 /ipalib | |
parent | c22a3d25daee443db2e408c5325242691a62062e (diff) | |
download | freeipa-fc28fae03fd1510d571a5011ef9d712c7778e578.tar.gz freeipa-fc28fae03fd1510d571a5011ef9d712c7778e578.tar.xz freeipa-fc28fae03fd1510d571a5011ef9d712c7778e578.zip |
Add some basic filter validation to permissions and disallow empty filters
Try a query with a filter to see if it is at least legal. This doesn't
guarantee that the filter is at all otherwise sane.
ticket 808
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/errors.py | 16 | ||||
-rw-r--r-- | ipalib/plugins/aci.py | 18 |
2 files changed, 30 insertions, 4 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py index 225019041..faa9e8119 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1347,6 +1347,22 @@ class InvalidSyntax(ExecutionError): format = _('%(attr)s: Invalid syntax.') +class BadSearchFilter(ExecutionError): + """ + **4209** Raised when an invalid LDAP search filter is used + + For example: + + >>> raise BadSearchFilter(info='') + Traceback (most recent call last): + ... + BadSearchFilter: Bad search filter + """ + + errno = 4209 + format = _('Bad search filter %(info)s') + + class CertificateError(ExecutionError): """ **4300** Base class for Certificate execution errors (*4300 - 4399*). diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 939fe535a..176495385 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -163,7 +163,7 @@ aci_output = ( -def _make_aci(current, aciname, kw): +def _make_aci(ldap, current, aciname, kw): """ Given a name and a set of keywords construct an ACI. """ @@ -222,6 +222,16 @@ def _make_aci(current, aciname, kw): entry_attrs = api.Command['group_show'](kw['memberof'])['result'] a.set_target_filter('memberOf=%s' % entry_attrs['dn']) if 'filter' in kw: + # Test the filter by performing a simple search on it. The + # filter is considered valid if either it returns some entries + # or it returns no entries, otherwise we let whatever exception + # happened be raised. + if kw['filter'] in ('', None, u''): + raise errors.BadSearchFilter(info=_('empty filter')) + try: + entries = ldap.find_entries(filter=kw['filter']) + except errors.NotFound: + pass a.set_target_filter(kw['filter']) if 'type' in kw: target = _type_map[kw['type']] @@ -440,7 +450,7 @@ class aci_add(crud.Create): assert 'aciname' not in kw ldap = self.api.Backend.ldap2 - newaci = _make_aci(None, aciname, kw) + newaci = _make_aci(ldap, None, aciname, kw) (dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci']) @@ -544,7 +554,7 @@ class aci_mod(crud.Update): # _make_aci is what is run in aci_add and validates the input. # Do this before we delete the existing ACI. - newaci = _make_aci(None, aciname, newkw) + newaci = _make_aci(ldap, None, aciname, newkw) if aci.isequal(newaci): raise errors.EmptyModlist() @@ -821,7 +831,7 @@ class aci_rename(crud.Update): # _make_aci is what is run in aci_add and validates the input. # Do this before we delete the existing ACI. - newaci = _make_aci(None, kw['newname'], newkw) + newaci = _make_aci(ldap, None, kw['newname'], newkw) self.api.Command['aci_del'](aciname) |