From fc28fae03fd1510d571a5011ef9d712c7778e578 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 20 Jan 2011 16:35:34 -0500 Subject: Add some basic filter validation to permissions and disallow empty filters Try a query with a filter to see if it is at least legal. This doesn't guarantee that the filter is at all otherwise sane. ticket 808 --- ipalib/errors.py | 16 ++++++++++++++++ ipalib/plugins/aci.py | 18 ++++++++++++++---- ipaserver/plugins/ldap2.py | 2 ++ 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 225019041..faa9e8119 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1347,6 +1347,22 @@ class InvalidSyntax(ExecutionError): format = _('%(attr)s: Invalid syntax.') +class BadSearchFilter(ExecutionError): + """ + **4209** Raised when an invalid LDAP search filter is used + + For example: + + >>> raise BadSearchFilter(info='') + Traceback (most recent call last): + ... + BadSearchFilter: Bad search filter + """ + + errno = 4209 + format = _('Bad search filter %(info)s') + + class CertificateError(ExecutionError): """ **4300** Base class for Certificate execution errors (*4300 - 4399*). diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 939fe535a..176495385 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -163,7 +163,7 @@ aci_output = ( -def _make_aci(current, aciname, kw): +def _make_aci(ldap, current, aciname, kw): """ Given a name and a set of keywords construct an ACI. """ @@ -222,6 +222,16 @@ def _make_aci(current, aciname, kw): entry_attrs = api.Command['group_show'](kw['memberof'])['result'] a.set_target_filter('memberOf=%s' % entry_attrs['dn']) if 'filter' in kw: + # Test the filter by performing a simple search on it. The + # filter is considered valid if either it returns some entries + # or it returns no entries, otherwise we let whatever exception + # happened be raised. + if kw['filter'] in ('', None, u''): + raise errors.BadSearchFilter(info=_('empty filter')) + try: + entries = ldap.find_entries(filter=kw['filter']) + except errors.NotFound: + pass a.set_target_filter(kw['filter']) if 'type' in kw: target = _type_map[kw['type']] @@ -440,7 +450,7 @@ class aci_add(crud.Create): assert 'aciname' not in kw ldap = self.api.Backend.ldap2 - newaci = _make_aci(None, aciname, kw) + newaci = _make_aci(ldap, None, aciname, kw) (dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci']) @@ -544,7 +554,7 @@ class aci_mod(crud.Update): # _make_aci is what is run in aci_add and validates the input. # Do this before we delete the existing ACI. - newaci = _make_aci(None, aciname, newkw) + newaci = _make_aci(ldap, None, aciname, newkw) if aci.isequal(newaci): raise errors.EmptyModlist() @@ -821,7 +831,7 @@ class aci_rename(crud.Update): # _make_aci is what is run in aci_add and validates the input. # Do this before we delete the existing ACI. - newaci = _make_aci(None, kw['newname'], newkw) + newaci = _make_aci(ldap, None, kw['newname'], newkw) self.api.Command['aci_del'](aciname) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index e2c83d9b2..86ea3f882 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -108,6 +108,8 @@ def _handle_errors(e, **kw): raise errors.LimitsExceeded() except _ldap.NOT_ALLOWED_ON_RDN: raise errors.NotAllowedOnRDN(attr=info) + except _ldap.FILTER_ERROR: + raise errors.BadSearchFilter(info=info) except _ldap.SUCCESS: pass except _ldap.LDAPError, e: -- cgit