#902 [RFE] Enhance input validation for filters in access control
Closed: Fixed None Opened 14 years ago by dpal.

Delegation and permissions take an LDAP filter as an argument. It is currently not validated. This ticket calls for the addition of the validation logic.


What additional validation do you want? It actually does validate the filter, but things that look like bad filters are actually valid LDAP filters (like cn=).

Some validation is already done, but LDAP filters can be rather liberal. We may be able to add on things like there need to be both name/value when using =, things like that.

Permissions V2 feature worked on in scope of #3566 validates the filter by doing a test LDAP search with it.

This is already fixed in the effort for #3566:

# ipa permission-mod testgroup --filter="broken filter"
ipa: ERROR: invalid 'ipapermtargetfilter': Bad search filter
# ipa permission-mod testgroup --filter="(cn=broken filter)"
-------------------------------
Modified permission "testgroup"
-------------------------------
...
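
The thread notes that filters which look broken can still be syntactically valid. The sketch below is an added example, not FreeIPA code (per the ticket, FreeIPA validates by running a test LDAP search): it checks a filter string against a subset of the RFC 4515 grammar, without extensible match, and assumes the parenthesized form. The name `is_valid_filter` is hypothetical.

```python
import re

# Added example: syntax-only check for a subset of RFC 4515 filter strings.
# Attribute description: short name with optional ;options, or a numeric OID.
ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|\d+(?:\.\d+)+")
OP = re.compile(r"[~<>]?=")
# Assertion value: may be empty; NUL ( ) \ must be written as \XX hex escapes.
VALUE = re.compile(r"(?:[^\x00()\\]|\\[0-9A-Fa-f]{2})*")


class FilterSyntaxError(ValueError):
    pass


def _parse(s, i):
    """Parse one parenthesized filter at s[i]; return the index just past it."""
    if s[i:i + 1] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|"):
        i += 1
        start = i
        while s[i:i + 1] == "(":          # RFC 4515: one or more sub-filters
            i = _parse(s, i)
        if i == start:
            raise FilterSyntaxError(f"empty filter list at offset {i}")
    elif s[i:i + 1] == "!":
        i = _parse(s, i + 1)
    else:
        attr = ATTR.match(s, i)
        op = OP.match(s, attr.end()) if attr else None
        if not op:
            raise FilterSyntaxError(f"expected attr and operator at offset {i}")
        end = VALUE.match(s, op.end()).end()
        # '*' (presence/substring) is only meaningful with plain '='.
        if op.group() != "=" and "*" in s[op.end():end]:
            raise FilterSyntaxError(f"unescaped '*' at offset {op.end()}")
        i = end
    if s[i:i + 1] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return i + 1


def is_valid_filter(text):
    """True if text is exactly one well-formed filter (constructed helper name)."""
    try:
        return _parse(text, 0) == len(text)
    except FilterSyntaxError:
        return False
```

A syntax check like this cannot tell whether the attribute exists in the schema or whether the filter selects the intended entries, so it complements rather than replaces the server-side test search.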

Metadata Update from @dpal:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 - 2014/02

8 years ago
