From 55ab3a9b2dcbe809dece953605ab359c5e12a139 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 19 Nov 2009 19:28:36 -0500
Subject: Correctly escape DN value.
In building the DN string we weren't correctly escaping the value of the RDN component. This patches fixes that.
---
 server/db/sysdb_ops.c | 48 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 42 insertions(+), 6 deletions(-)
(limited to 'server/db')
diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c
index 4a44f280a..da53fd3bb 100644
--- a/server/db/sysdb_ops.c
+++ b/server/db/sysdb_ops.c
@@ -2769,6 +2769,42 @@ int sysdb_store_user_recv(struct tevent_req *req)
 /* =Store-Group-(Native/Legacy)-(replaces-existing-data)================== */
+static char *build_dom_dn_str_escape(TALLOC_CTX *memctx, const char *template,
+ const char *domain, const char *name)
+{
+ char *ret;
+ int l;
+
+ l = strcspn(name, ",=\n+<>#;\\\"");
+ if (name[l] != '\0') {
+ struct ldb_val v;
+ char *tmp;
+
+ v.data = discard_const_p(uint8_t, name);
+ v.length = strlen(name);
+
+ tmp = ldb_dn_escape_value(memctx, v);
+ if (!tmp) {
+ return NULL;
+ }
+
+ ret = talloc_asprintf(memctx, template, tmp, domain);
+ talloc_zfree(tmp);
+ if (!ret) {
+ return NULL;
+ }
+
+ return ret;
+ }
+
+ ret = talloc_asprintf(memctx, template, name, domain);
+ if (!ret) {
+ return NULL;
+ }
+
+ return ret;
+}
+
 /* this function does not check that all user members are actually present */
 struct sysdb_store_group_state {
@@ -2873,9 +2909,9 @@ static void sysdb_store_group_check(struct tevent_req *subreq)
 for (i = 0; state->member_users && state->member_users[i]; i++) {
 char *member;
- member = talloc_asprintf(state, SYSDB_TMPL_USER,
- state->member_users[i],
- state->domain->name);
+ member = build_dom_dn_str_escape(state, SYSDB_TMPL_USER,
+ state->domain->name,
+ state->member_users[i]);
 if (!member) {
 DEBUG(4, ("Error: Out of memory\n"));
 tevent_req_error(req, ENOMEM);
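Review bot: The `strcspn` pre-check in `build_dom_dn_str_escape` keeps its own copy of the characters that need escaping, so any value that list misses reaches `talloc_asprintf` raw. The set `",=\n+<>#;\\\""` contains no space, while RFC 4514 also requires escaping a leading or trailing space in an attribute value; whether `ldb_dn_escape_value` handles those cases is not visible here, but the fast path skips it for them either way. Dropping the pre-check and the second `talloc_asprintf`, so that every name goes through `ldb_dn_escape_value`, removes the duplicated list at the cost of one short-lived allocation per member. If the check stays, declare `size_t l;` instead of `int l;`, since `strcspn` returns `size_t`.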
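Review bot: The new call in the `member_users` loop passes `state->domain->name` before `state->member_users[i]`, the reverse of the `talloc_asprintf` call it replaces, and both parameters are `const char *`, so a swapped pair at any call site would compile and escape the domain while leaving the member name raw. Declaring the helper as `build_dom_dn_str_escape(memctx, template, name, domain)`, in the order the template consumes them, or adding a comment on it such as `/* template consumes the escaped name first, then the domain (inserted unescaped) */`, would make that mistake harder to make. The same applies to the `member_groups` loop in the next hunk. `sysdb_store_group_check` starts and ends outside this hunk, so any other DN strings built from `SYSDB_TMPL_USER` or `SYSDB_TMPL_GROUP` elsewhere in the file cannot be checked from here.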
@@ -2896,9 +2932,9 @@ static void sysdb_store_group_check(struct tevent_req *subreq)
 for (i = 0; state->member_groups && state->member_groups[i]; i++) {
 char *member;
- member = talloc_asprintf(state, SYSDB_TMPL_GROUP,
- state->member_groups[i],
- state->domain->name);
+ member = build_dom_dn_str_escape(state, SYSDB_TMPL_GROUP,
+ state->domain->name,
+ state->member_groups[i]);
 if (!member) {
 DEBUG(4, ("Error: Out of memory\n"));
 tevent_req_error(req, ENOMEM);
-- cgit