- Fix nested group member filter sanitization for RFC2307bis

- Put translated tool manpages into the sssd-tools subpackage
2011-02-01 08:40:52 -05:00 · 2011-02-01 08:40:52 -05:00 · d12cd5dd26
commit d12cd5dd26
parent 749bf2d662
2 changed files with 99 additions and 5 deletions
--- a/0001-Sanitize-search-filters-for-nested-group-lookups.patch
+++ b/0001-Sanitize-search-filters-for-nested-group-lookups.patch
@ -0,0 +1,73 @@
 From 979943195da209bdc28efd5e90a19f888f4b88ed Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Mon, 31 Jan 2011 13:00:56 -0500
 Subject: [PATCH] Sanitize search filters for nested group lookups
 ---
 src/providers/ldap/sdap_async_accounts.c |   20 +++++++++++++++++---
 1 files changed, 17 insertions(+), 3 deletions(-)
 diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
 index 648f9a734eca60401c07d2b0d0fa432751c9ab73..5b6d3d74ac1496fe6a4266c327d0111e12e24b64 100644
 --- a/src/providers/ldap/sdap_async_accounts.c
 +++ b/src/providers/ldap/sdap_async_accounts.c
@@ -3409,6 +3409,7 @@ errno_t save_rfc2307bis_user_memberships(
 {
     errno_t ret, tret;
     char *member_dn;
 +    char *sanitized_dn;
     char *filter;
     const char **attrs;
     size_t reply_count, i;
@@ -3447,12 +3448,18 @@ errno_t save_rfc2307bis_user_memberships(
         ret = ENOMEM;
         goto error;
     }
 +    ret = sss_filter_sanitize(tmp_ctx, member_dn, &sanitized_dn);
 +    if (ret != EOK) {
 +        goto error;
 +    }
 +    talloc_free(member_dn);
 -    filter = talloc_asprintf(tmp_ctx, "(member=%s)", member_dn);
 +    filter = talloc_asprintf(tmp_ctx, "(member=%s)", sanitized_dn);
     if (!filter) {
         ret = ENOMEM;
         goto error;
     }
 +    talloc_free(sanitized_dn);
     ret = sysdb_search_groups(tmp_ctx, state->sysdb, state->dom,
                               filter, attrs, &reply_count, &replies);
@@ -3874,6 +3881,7 @@ static errno_t rfc2307bis_nested_groups_update_sysdb(
     const char *name;
     bool in_transaction = false;
     char *member_dn;
 +    char *sanitized_dn;
     char *filter;
     const char **attrs;
     size_t reply_count, i;
@@ -3918,12 +3926,18 @@ static errno_t rfc2307bis_nested_groups_update_sysdb(
         goto error;
     }
 -    filter = talloc_asprintf(tmp_ctx, "(member=%s)", member_dn);
 +    ret = sss_filter_sanitize(tmp_ctx, member_dn, &sanitized_dn);
 +    if (ret != EOK) {
 +        goto error;
 +    }
 +    talloc_free(member_dn);
 +
 +    filter = talloc_asprintf(tmp_ctx, "(member=%s)", sanitized_dn);
     if (!filter) {
         ret = ENOMEM;
         goto error;
     }
 -    talloc_free(member_dn);
 +    talloc_free(sanitized_dn);
     ret = sysdb_search_groups(tmp_ctx, state->sysdb, state->dom,
                               filter, attrs,
 -- 
 1.7.3.5
--- a/sssd.spec
+++ b/sssd.spec
@ -5,7 +5,7 @@
 Name: sssd
 Version: 1.5.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -14,6 +14,7 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
 Patch0001: 0001-Sanitize-search-filters-for-nested-group-lookups.patch
 ### Dependencies ###
@ -73,6 +74,7 @@ BuildRequires: bind-utils
 BuildRequires: keyutils-libs-devel
 BuildRequires: libnl-devel
 BuildRequires: nscd
 BuildRequires: gettext-devel
 %description
 Provides a set of daemons to manage access to remote directories and
@ -106,6 +108,10 @@ use with ldap_default_authtok_type = obfuscated_password.
 %prep
 %setup -q
 autoreconf -ivf
 %patch0001 -p1
 %build
 %configure \
    --with-db-path=%{dbpath} \
@ -167,6 +173,20 @@ do
    echo %{python_sitelib}/`basename $file` >> sssd.lang
 done
 touch sssd_tools.lang
 for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
 do
    lang=`echo $man | cut -c 1-2`
    case `basename $man` in
        sss_*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
        ;;
        *)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
    esac
 done
 %clean
 rm -rf $RPM_BUILD_ROOT
@ -200,10 +220,7 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/pysss.so
 %{python_sitelib}/*.py*
-%lang(cs)       %{_mandir}/cs/man[58]/*
+%files client -f sssd_tools.lang
 %lang(uk)       %{_mandir}/uk/man[58]/*
 %files client
 %defattr(-,root,root,-)
 %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
 /%{_lib}/libnss_sss.so.2
@ -253,6 +270,10 @@ fi
 %postun client -p /sbin/ldconfig
 %changelog
 * Tue Feb 01 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.1-3
 - Fix nested group member filter sanitization for RFC2307bis
 - Put translated tool manpages into the sssd-tools subpackage
 * Thu Jan 27 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.1-2
 - Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during
 - rpmbuild