Blame SOURCES/0005-Issue-51086-Improve-dscreate-instance-name-validatio.patch

From 9710c327b3034d7a9d112306961c9cec98083df5 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <simon.pichugin@gmail.com>
Date: Mon, 18 May 2020 22:33:45 +0200
Subject: [PATCH 05/12] Issue 51086 - Improve dscreate instance name validation
Bug Description: When creating an instance using dscreate, it doesn't enforce
max name length. The ldapi socket name contains name of the instance. If it's
too long, we can hit limits, and the file name will be truncated. Also, it
doesn't sanitize the instance name, it's possible to create an instance with
non-ascii symbols in its name.
Fix Description: Add more checks to 'dscreate from-file' installation.
Add a limitation for nsslapd-ldapifilepath string length because it is
limited by sizeof((*ports_info.i_listenaddr)->local.path)) it is copied to.
https://pagure.io/389-ds-base/issue/51086
Reviewed by: firstyear, mreynolds (Thanks!)
---
 ldap/servers/slapd/libglobs.c       | 12 ++++++++++++
 src/cockpit/389-console/src/ds.jsx  |  8 ++++++--
 src/lib389/lib389/instance/setup.py |  9 +++++++++
 3 files changed, 27 insertions(+), 2 deletions(-)
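--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -2390,11 +2390,23 @@ config_set_ldapi_filename(const char *attrname, char *value, char *errorbuf, int
 {
     int retVal = LDAP_SUCCESS;
     slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+    /*
+     * LDAPI file path length is limited by sizeof((*ports_info.i_listenaddr)->local.path))
+     * which is set in main.c inside of "#if defined(ENABLE_LDAPI)" block
+     * ports_info.i_listenaddr is sizeof(PRNetAddr) and our required sizes is 8 bytes less
+     */
+    size_t result_size = sizeof(PRNetAddr) - 8;
 
     if (config_value_is_null(attrname, value, errorbuf, 0)) {
         return LDAP_OPERATIONS_ERROR;
     }
 
+    if (strlen(value) >= result_size) {
+        slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: \"%s\" is invalid, its length must be less than %d",
+                              attrname, value, result_size);
+        return LDAP_OPERATIONS_ERROR;
+    }
+
     if (apply) {
         CFG_LOCK_WRITE(slapdFrontendConfig);
 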
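Review bot: `result_size` is a `size_t` but is passed for the `%d` conversion in the new `slapi_create_errormsg()` call, a varargs type mismatch that can print a wrong limit on platforms where `size_t` is wider than `int`; cast it at the call, `attrname, value, (int)result_size);`, or use a conversion that matches `size_t` if the formatter supports one. The limit is derived as `sizeof(PRNetAddr) - 8`, which hard-codes an assumption about the union layout. Taking the size of the path member itself, e.g. `sizeof(((PRNetAddr *)0)->local.path)`, would track the buffer the comment says the value is copied into, assuming that member is visible in this build. config_set_ldapi_filename continues past the end of the hunk.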
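--- a/src/cockpit/389-console/src/ds.jsx
+++ b/src/cockpit/389-console/src/ds.jsx
@@ -793,10 +793,14 @@ class CreateInstanceModal extends React.Component {
             return;
         }
         newServerId = newServerId.replace(/^slapd-/i, ""); // strip "slapd-"
-        if (newServerId.length > 128) {
+        if (newServerId === "admin") {
+            addNotification("warning", "Instance Name 'admin' is reserved, please choose a different name");
+            return;
+        }
+        if (newServerId.length > 80) {
             addNotification(
                 "warning",
-                "Instance name is too long, it must not exceed 128 characters"
+                "Instance name is too long, it must not exceed 80 characters"
             );
             return;
         }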
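Review bot: The limit 80 is now written twice in this hunk (the `newServerId.length > 80` test and the message text) and again in the lib389 check from the same commit, so the copies can drift apart; a named constant such as `const MAX_INSTANCE_NAME_LEN = 80;` used for both the condition and the message would keep the console side consistent. The `=== "admin"` comparison is case-sensitive while the `slapd-` prefix strip just above it is case-insensitive, so a short comment stating whether `Admin` is meant to be accepted would help. These checks are a convenience for the user only; the authoritative validation has to remain in setup.py, because input need not arrive through this form. The enclosing method starts and ends outside the hunk.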
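--- a/src/lib389/lib389/instance/setup.py
+++ b/src/lib389/lib389/instance/setup.py
@@ -567,6 +567,15 @@ class SetupDs(object):
 
         # We need to know the prefix before we can do the instance checks
         assert_c(slapd['instance_name'] is not None, "Configuration instance_name in section [slapd] not found")
+        assert_c(len(slapd['instance_name']) <= 80, "Server identifier should not be longer than 80 symbols")
+        assert_c(all(ord(c) < 128 for c in slapd['instance_name']), "Server identifier can not contain non ascii characters")
+        assert_c(' ' not in slapd['instance_name'], "Server identifier can not contain a space")
+        assert_c(slapd['instance_name'] != 'admin', "Server identifier \"admin\" is reserved, please choose a different identifier")
+
+        # Check that valid characters are used
+        safe = re.compile(r'^[#%:\w@_-]+$').search
+        assert_c(bool(safe(slapd['instance_name'])), "Server identifier has invalid characters, please choose a different value")
+
         # Check if the instance exists or not.
         # Should I move this import? I think this prevents some recursion
         from lib389 import DirSrv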
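Review bot: The allowlist regex on the `safe = re.compile(...)` line is looser than it reads: in Python 3 `\w` matches Unicode word characters and `$` also matches just before a trailing newline. Non-ASCII input is therefore rejected only by the separate `ord(c) < 128` assertion, and a name ending in `\n` passes every check added here. Since the commit message says the instance name ends up in the LDAPI socket file name, the pattern should be self-contained: `safe = re.compile(r'[#%:\w@-]+', re.ASCII).fullmatch`. The hunk does not show `import re`, so confirm the module already imports it. The enclosing SetupDs method starts and ends outside the hunk.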
-- 
2.26.2