author | Florence Blanc-Renaud <frenaud@redhat.com> | 2016-05-27 08:19:39 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-06-14 09:26:15 +0200 |
commit | 2c7ec27ad94a5a369c7d8a45dcef66a18479900b (patch) | |
tree | b991b4a73557d27aaf223c79662cc9c45a9add92 /ipaserver/plugins/batch.py | |
parent | 9f48c396497bd3e07045838d23afbb0d051dc136 (diff) | |
batch command can be used to trigger internal errors on server
In ipalib, the batch command expects a specific format for arguments.
The code did not check the format of the parameters, which could trigger
internal errors on the server.
With this fix:
- a ConversionError is raised if the arg passed to batch() is not a list of
dict
- the result appended to the batch results is a ConversionError if the
'params' does not contain a tuple(list,dict)
https://fedorahosted.org/freeipa/ticket/5810
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Diffstat (limited to 'ipaserver/plugins/batch.py')
-rw-r--r-- | ipaserver/plugins/batch.py | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/ipaserver/plugins/batch.py b/ipaserver/plugins/batch.py
index 84a650575..aebdc2f72 100644
--- a/ipaserver/plugins/batch.py
+++ b/ipaserver/plugins/batch.py
@@ -90,6 +90,12 @@ class batch(Command):
 def execute(self, methods=None, **options):
 results = []
 for arg in (methods or []):
+ # As take_args = Any, no check is done before
+ # Need to make sure that methods contain dict objects
+ if not isinstance(arg, dict):
+ raise errors.ConversionError(
+ name='methods',
+ error=_(u'must contain dict objects'))
 params = dict()
 name = None
 try:
@@ -100,9 +106,21 @@ class batch(Command):
 name = arg['method']
 if name not in self.Command:
 raise errors.CommandError(name=name)
- a, kw = arg['params']
- newkw = dict((str(k), v) for k, v in kw.items())
- params = api.Command[name].args_options_2_params(*a, **newkw)
+
+ # If params are not formated as a tuple(list, dict)
+ # the following lines will raise an exception
+ # that triggers an internal server error
+ # Raise a ConversionError instead to report the issue
+ # to the client
+ try:
+ a, kw = arg['params']
+ newkw = dict((str(k), v) for k, v in kw.items())
+ params = api.Command[name].args_options_2_params(
+ *a, **newkw)
+ except (AttributeError, ValueError, TypeError):
+ raise errors.ConversionError(
+ name='params',
+ error=_(u'must contain a tuple (list, dict)'))
 newkw.setdefault('version', options['version'])
 result = api.Command[name](*a, **newkw) |
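Review bot: The new `isinstance(arg, dict)` check sits inside the `for arg in (methods or [])` loop and raises before the per-call `try:`, so a malformed entry late in the list aborts the whole batch. Judging by the `api.Command[name](*a, **newkw)` call further down the same loop, earlier entries have by then already been executed, and the client loses their results while their side effects remain. Checking every entry before the loop would reject the request before any command runs: `if not all(isinstance(arg, dict) for arg in (methods or [])): raise errors.ConversionError(name='methods', error=_(u'must contain dict objects'))`. The body of execute() continues outside this hunk.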
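Review bot: The new inner `try` only rejects `params` values that happen to raise, so the "tuple (list, dict)" shape is never actually verified. A two-element value whose first item is a string still unpacks, and `*a` then spreads it into one positional argument per character. An explicit check right after the unpacking line closes that gap and is caught by the existing `except`: `if not isinstance(a, (list, tuple)) or not isinstance(kw, dict): raise TypeError()`. Separately, because `args_options_2_params(...)` is inside the same `try`, any AttributeError, ValueError or TypeError it raises for an unrelated reason is also reported as a `params` format error; narrowing the guarded region to the unpacking and the `newkw` construction would keep the message accurate. The outer `try` and its handler lie outside this hunk.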