authorSumit Bose <sbose@redhat.com>2017-10-16 11:47:46 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2017-10-18 12:35:59 +0200
commitc2dec0dc740ba426f26563563c0aea3a38f3c3c1 (patch)
tree75e0d082ebfa53aca7de03d0a92b9c5ec445b10d
parentda7a3c347dd630085839afa7ec245ee9d36f6ce2 (diff)
IPA: sanitize name in override search filter
Resolves: https://pagure.io/SSSD/sssd/issue/3545
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-rw-r--r--src/providers/ipa/ipa_views.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
index 5b6fcbc9b..2a918bdc8 100644
--- a/src/providers/ipa/ipa_views.c
+++ b/src/providers/ipa/ipa_views.c
@@ -39,6 +39,7 @@ static errno_t dp_id_data_to_override_filter(TALLOC_CTX *mem_ctx,
char *cert_filter;
int ret;
char *shortname;
+ char *sanitized_name;
switch (ar->filter_type) {
case BE_FILTER_NAME:
@@ -48,20 +49,27 @@ static errno_t dp_id_data_to_override_filter(TALLOC_CTX *mem_ctx,
return ret;
}
+ ret = sss_filter_sanitize(mem_ctx, shortname, &sanitized_name);
+ talloc_free(shortname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
+ return ret;
+ }
+
switch ((ar->entry_type & BE_REQ_TYPE_MASK)) {
case BE_REQ_USER:
case BE_REQ_INITGROUPS:
filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))",
ipa_opts->override_map[IPA_OC_OVERRIDE_USER].name,
ipa_opts->override_map[IPA_AT_OVERRIDE_USER_NAME].name,
- shortname);
+ sanitized_name);
break;
case BE_REQ_GROUP:
filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))",
ipa_opts->override_map[IPA_OC_OVERRIDE_GROUP].name,
ipa_opts->override_map[IPA_AT_OVERRIDE_GROUP_NAME].name,
- shortname);
+ sanitized_name);
break;
case BE_REQ_USER_AND_GROUP:
@@ -70,15 +78,15 @@ static errno_t dp_id_data_to_override_filter(TALLOC_CTX *mem_ctx,
ipa_opts->override_map[IPA_AT_OVERRIDE_USER_NAME].name,
ar->filter_value,
ipa_opts->override_map[IPA_AT_OVERRIDE_GROUP_NAME].name,
- shortname);
+ sanitized_name);
break;
default:
DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected entry type [%d] for name filter.\n",
ar->entry_type);
- talloc_free(shortname);
+ talloc_free(sanitized_name);
return EINVAL;
}
- talloc_free(shortname);
+ talloc_free(sanitized_name);
break;
case BE_FILTER_IDNUM:
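Review bot: In the `BE_REQ_USER_AND_GROUP` branch the user-name comparison still receives the raw `ar->filter_value`, so only the group-name half of that filter gets the escaped value. Unless `ar->filter_value` is already escaped before it reaches this function, which the hunk does not show, a name containing LDAP filter metacharacters such as `(`, `)`, `*` or `\` can still change the structure of the search filter on this path. I would sanitize it the same way, for example `ret = sss_filter_sanitize(mem_ctx, ar->filter_value, &sanitized_filter_value);`, with the same error check and `talloc_free()` as for `sanitized_name`, and pass the result in place of `ar->filter_value`. The `talloc_asprintf` call and its format string start above the first line of this hunk, so the exact filter layout should be confirmed against the full function.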