From 9cb892cb2e36f62275257f3d43e938e2182c793c Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 19 Feb 2021 12:40:56 -0500
Subject: [PATCH] Revert "Issue 4609 - CVE - info disclosure when
authenticating"
This reverts commit b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32.
---
dirsrvtests/tests/suites/basic/basic_test.py | 51 ++++----------------
ldap/servers/slapd/back-ldbm/ldbm_bind.c | 4 +-
ldap/servers/slapd/dse.c | 7 +--
3 files changed, 13 insertions(+), 49 deletions(-)
diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
|
|
index a206bdb38..a43001ab6 100644
|
|
--- a/dirsrvtests/tests/suites/basic/basic_test.py
|
|
+++ b/dirsrvtests/tests/suites/basic/basic_test.py
|
|
@@ -9,7 +9,7 @@
|
|
|
|
from subprocess import check_output, PIPE, run
|
|
from lib389 import DirSrv
|
|
-from lib389.idm.user import UserAccount, UserAccounts
|
|
+from lib389.idm.user import UserAccounts
|
|
import pytest
|
|
from lib389.tasks import *
|
|
from lib389.utils import *
|
|
@@ -1148,14 +1148,18 @@ def test_bind_invalid_entry(topology_st):
|
|
"""Test the failing bind does not return information about the entry
|
|
|
|
:id: 5cd9b083-eea6-426b-84ca-83c26fc49a6f
|
|
+
|
|
:customerscenario: True
|
|
+
|
|
:setup: Standalone instance
|
|
+
|
|
:steps:
|
|
- 1: bind as non existing entry
|
|
- 2: check that bind info does not report 'No such entry'
|
|
+ 1: bind as non existing entry
|
|
+ 2: check that bind info does not report 'No such entry'
|
|
+
|
|
:expectedresults:
|
|
- 1: pass
|
|
- 2: pass
|
|
+ 1: pass
|
|
+ 2: pass
|
|
"""
|
|
|
|
topology_st.standalone.restart()
|
|
@@ -1177,43 +1181,6 @@ def test_bind_invalid_entry(topology_st):
|
|
topology_st.standalone.simple_bind_s(DN_DM, PW_DM)
|
|
|
|
|
|
-def test_bind_entry_missing_passwd(topology_st):
|
|
- """
|
|
- :id: af209149-8fb8-48cb-93ea-3e82dd7119d2
|
|
- :setup: Standalone Instance
|
|
- :steps:
|
|
- 1. Bind as database entry that does not have userpassword set
|
|
- 2. Bind as database entry that does not exist
|
|
- 1. Bind as cn=config entry that does not have userpassword set
|
|
- 2. Bind as cn=config entry that does not exist
|
|
- :expectedresults:
|
|
- 1. Fails with error 49
|
|
- 2. Fails with error 49
|
|
- 3. Fails with error 49
|
|
- 4. Fails with error 49
|
|
- """
|
|
- user = UserAccount(topology_st.standalone, DEFAULT_SUFFIX)
|
|
- with pytest.raises(ldap.INVALID_CREDENTIALS):
|
|
- # Bind as the suffix root entry which does not have a userpassword
|
|
- user.bind("some_password")
|
|
-
|
|
- user = UserAccount(topology_st.standalone, "cn=not here," + DEFAULT_SUFFIX)
|
|
- with pytest.raises(ldap.INVALID_CREDENTIALS):
|
|
- # Bind as the entry which does not exist
|
|
- user.bind("some_password")
|
|
-
|
|
- # Test cn=config since it has its own code path
|
|
- user = UserAccount(topology_st.standalone, "cn=config")
|
|
- with pytest.raises(ldap.INVALID_CREDENTIALS):
|
|
- # Bind as the config entry which does not have a userpassword
|
|
- user.bind("some_password")
|
|
-
|
|
- user = UserAccount(topology_st.standalone, "cn=does not exist,cn=config")
|
|
- with pytest.raises(ldap.INVALID_CREDENTIALS):
|
|
- # Bind as an entry under cn=config that does not exist
|
|
- user.bind("some_password")
|
|
-
|
|
-
|
|
@pytest.mark.bz1044135
|
|
@pytest.mark.ds47319
|
|
def test_connection_buffer_size(topology_st):
|
|
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
|
|
index 38d115a32..fa450ecd5 100644
|
|
--- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c
|
|
+++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
|
|
@@ -76,8 +76,8 @@ ldbm_back_bind(Slapi_PBlock *pb)
|
|
case LDAP_AUTH_SIMPLE: {
|
|
Slapi_Value cv;
|
|
if (slapi_entry_attr_find(e->ep_entry, "userpassword", &attr) != 0) {
|
|
- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
|
|
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
|
|
+ slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
|
|
+ NULL, 0, NULL);
|
|
CACHE_RETURN(&inst->inst_cache, &e);
|
|
rc = SLAPI_BIND_FAIL;
|
|
goto bail;
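Review bot: The restored `slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL);` makes a simple bind against an entry that has no userpassword fail with a result code that differs from a wrong-password bind (LDAP_INVALID_CREDENTIALS, visible for dse_bind at @@ -1464 and presumably the same on ldbm_back_bind's password-check path outside this hunk), so an unauthenticated client learns from the response whether the target entry carries a password at all; that distinction is the disclosure the reverted commit b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32 removed. The dse.c hunk at @@ -1455 restores the same code, and the regression test test_bind_entry_missing_passwd is deleted in the same patch, so nothing in the suite will flag the behaviour while the revert is in place. The commit message gives no reason for the revert; if it is needed because the uniform result code broke something, the message should say what and point at the re-land, e.g. `Revert: uniform LDAP_INVALID_CREDENTIALS broke <regression placeholder>; re-landing tracked in <issue placeholder>`. ldbm_back_bind continues outside the hunk.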
|
|
diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
|
|
index f2741aeb4..f5572d78d 100644
|
|
--- a/ldap/servers/slapd/dse.c
|
|
+++ b/ldap/servers/slapd/dse.c
|
|
@@ -1446,8 +1446,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
|
|
|
|
ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
|
|
if (ec == NULL) {
|
|
- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not exist");
|
|
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
|
|
+ slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);
|
|
return (SLAPI_BIND_FAIL);
|
|
}
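Review bot: The restored `slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);` answers a bind to a DN that is absent from cn=config with a code that differs from the one sent when the DN exists but the password is wrong (LDAP_INVALID_CREDENTIALS at @@ -1464), so a failed bind confirms to an unauthenticated client which config entries exist. Returning LDAP_INVALID_CREDENTIALS uniformly on every bind failure, as the reverted commit did, removes that signal; the hunk at @@ -1455 in this file restores a similar distinction for entries without userpassword. If the revert must stay for now, a comment next to this line such as `/* NOTE: a distinct result code here reveals entry existence to unauthenticated binds; see issue 4609 */` keeps the trade-off visible until the fix is re-landed. dse_bind continues outside the hunk.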
|
|
|
|
@@ -1455,8 +1454,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
|
|
case LDAP_AUTH_SIMPLE: {
|
|
Slapi_Value cv;
|
|
if (slapi_entry_attr_find(ec, "userpassword", &attr) != 0) {
|
|
- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
|
|
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
|
|
+ slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL);
|
|
slapi_entry_free(ec);
|
|
return SLAPI_BIND_FAIL;
|
|
}
|
|
@@ -1464,7 +1462,6 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
|
|
|
|
slapi_value_init_berval(&cv, cred);
|
|
if (slapi_pw_find_sv(bvals, &cv) != 0) {
|
|
- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials");
|
|
slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
|
|
slapi_entry_free(ec);
|
|
value_done(&cv);
|
|
--
2.26.2