Changeset - 8076de6f78af
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Mads Kiilerich - 9 years ago 2016-11-15 22:53:41
madski@unity3d.com
auth: prevent LDAP query language injection of usernames

This could cause odd LDAP queries that could fail but couldn't give access
without a valid user query and credentials. It thus had no security
implications.
1 file changed with 4 insertions and 2 deletions:
kallithea/lib/auth_modules/auth_ldap.py
4
2
0 comments (0 inline, 0 general)
kallithea/lib/auth_modules/auth_ldap.py
Show inline comments
 
@@ -32,24 +32,25 @@ import traceback
 
from kallithea.lib import auth_modules
 
from kallithea.lib.compat import hybrid_property
 
from kallithea.lib.utils2 import safe_unicode, safe_str
 
from kallithea.lib.exceptions import (
 
    LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError
 
)
 
from kallithea.model.db import User
 

			




	
	
	
		
 
log = logging.getLogger(__name__)

			




	
	
	
		
 

			




	
	
	
		
 
try:

			




	
	
	
		
 
    import ldap

			




	
	
	
		
 
    import ldap.filter

			




	
	
	
		
 
except ImportError:

			




	
	
	
		
 
    # means that python-ldap is not installed

			




	
	
	
		
 
    ldap = None

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class AuthLdap(object):

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, server, base_dn, port=None, bind_dn='', bind_pass='',

			




	
	
	
		
 
                 tls_kind='PLAIN', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,

			




	
	
	
		
 
                 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',

			




	
	
	
		
 
                 search_scope='SUBTREE', attr_login='uid'):

			




	
	
	
		
 
        if ldap is None:

			




	
	
		
 
@@ -115,26 +116,27 @@ class AuthLdap(object):

			




	
	
	
		
 
                server.protocol = ldap.VERSION2

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                server.protocol = ldap.VERSION3

			




	
	
	
		
 

			




	
	
	
		
 
            if self.TLS_KIND == 'START_TLS':

			




	
	
	
		
 
                server.start_tls_s()

			




	
	
	
		
 

			




	
	
	
		
 
            if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:

			




	
	
	
		
 
                log.debug('Trying simple_bind with password and given DN: %s',

			




	
	
	
		
 
                          self.LDAP_BIND_DN)

			




	
	
	
		
 
                server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)

			




	
	
	
		
 

			




	
	
	
		
 
            filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login,

			




	
	
	
		
 
                                        username)

			




	
	
	
		
 
            filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER,

			




	
	
	
		
 
                                        ldap.filter.escape_filter_chars(self.attr_login),

			




	
	
	
		
 
                                        ldap.filter.escape_filter_chars(username))

			




	
	
	
		
 
            log.debug("Authenticating %r filter %s at %s", self.BASE_DN,

			




	
	
	
		
 
                      filter_, self.LDAP_SERVER)

			




	
	
	
		
 
            lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,

			




	
	
	
		
 
                                           filter_)

			




	
	
	
		
 

			




	
	
	
		
 
            if not lobjects:

			




	
	
	
		
 
                raise ldap.NO_SUCH_OBJECT()

			




	
	
	
		
 

			




	
	
	
		
 
            for (dn, _attrs) in lobjects:

			




	
	
	
		
 
                if dn is None:

			




	
	
	
		
 
                    continue

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.