s4:dsdb Explain the parsing steps for userPrincipalName cracknames calls
author
Andrew Bartlett
<abartlet@samba.org>
Tue, 30 Jun 2009 00:19:19 +0000
(10:19 +1000)
committer
Andrew Bartlett
<abartlet@samba.org>
Tue, 30 Jun 2009 00:19:19 +0000
(10:19 +1000)
source4/dsdb/samdb/cracknames.c
diff --git
a/source4/dsdb/samdb/cracknames.c
b/source4/dsdb/samdb/cracknames.c
index d31311bd1dc03a978adc2605d04d6c2e0d76a5a6..119dd92355fac225ec36fddb47ddbc5b026b7586 100644
(file)
--- a/
source4/dsdb/samdb/cracknames.c
+++ b/
source4/dsdb/samdb/cracknames.c
@@
-560,6
+560,7
@@
WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
return WERR_NOMEM;
}
return WERR_NOMEM;
}
+ /* Ensure we reject compleate junk first */
ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
if (ret) {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
if (ret) {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
@@
-568,6
+569,7
@@
WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
domain_filter = NULL;
domain_filter = NULL;
+ /* By getting the unparsed name here, we ensure the escaping is correct (and trust the client less) */
ret = krb5_unparse_name(smb_krb5_context->krb5_context, principal, &unparsed_name);
if (ret) {
krb5_free_principal(smb_krb5_context->krb5_context, principal);
ret = krb5_unparse_name(smb_krb5_context->krb5_context, principal, &unparsed_name);
if (ret) {
krb5_free_principal(smb_krb5_context->krb5_context, principal);
@@
-575,6
+577,8
@@
WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
}
krb5_free_principal(smb_krb5_context->krb5_context, principal);
}
krb5_free_principal(smb_krb5_context->krb5_context, principal);
+
+ /* The ldb_binary_encode_string() here avoid LDAP filter injection attacks */
result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(userPrincipalName=%s))",
ldb_binary_encode_string(mem_ctx, unparsed_name));
result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(userPrincipalName=%s))",
ldb_binary_encode_string(mem_ctx, unparsed_name));