From 944295de4cf4eeba75d4f6bd476a4f59743e1813 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Thu, 5 Oct 2017 11:07:38 +0200

Subject: [PATCH 197/197] sysdb: sanitize search filter input

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

This patch sanitizes the input for sysdb searches by UPN/email, SID and

UUID.

This security issue was assigned CVE-2017-12173

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

(cherry picked from commit 1f2662c8f97c9c0fa250055d4b6750abfc6d0835)

---

 src/db/sysdb_ops.c      | 43 +++++++++++++++++++++++++++++++++++--------

 src/tests/sysdb-tests.c |  7 +++++++

 2 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c

index 7ca6575ce75dab7805236c9f48dbf28a2f3946d2..408af9f389edbe0aff0fb8b96f49f0c4463a620a 100644

--- a/src/db/sysdb_ops.c

+++ b/src/db/sysdb_ops.c

@@ -601,6 +601,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,

     int ret;

     const char *def_attrs[] = { SYSDB_NAME, SYSDB_UPN, SYSDB_CANONICAL_UPN,

                                 SYSDB_USER_EMAIL, NULL };

+    char *sanitized;

     tmp_ctx = talloc_new(NULL);

     if (tmp_ctx == NULL) {

@@ -608,6 +609,12 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,

         goto done;

     }

+    ret = sss_filter_sanitize(tmp_ctx, upn, &sanitized);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");

+        goto done;

+    }

+

     if (domain_scope == true) {

         base_dn = sysdb_user_base_dn(tmp_ctx, domain);

     } else {

@@ -620,7 +627,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,

     ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res,

                      base_dn, LDB_SCOPE_SUBTREE, attrs ? attrs : def_attrs,

-                     SYSDB_PWUPN_FILTER, upn, upn, upn);

+                     SYSDB_PWUPN_FILTER, sanitized, sanitized, sanitized);

     if (ret != EOK) {

         ret = sysdb_error_to_errno(ret);

         goto done;

@@ -4757,17 +4764,31 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,

                                                bool expect_only_one_result,

                                                struct ldb_result **_res)

 {

-    char *filter;

+    char *filter = NULL;

     errno_t ret;

+    char *sanitized = NULL;

-    filter = talloc_asprintf(NULL, filter_tmpl, str);

+    if (str == NULL) {

+        return EINVAL;

+    }

+

+    ret = sss_filter_sanitize(NULL, str, &sanitized);

+    if (ret != EOK || sanitized == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");

+        goto done;

+    }

+

+    filter = talloc_asprintf(NULL, filter_tmpl, sanitized);

     if (filter == NULL) {

-        return ENOMEM;

+        ret = ENOMEM;

+        goto done;

     }

     ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs,

                                    expect_only_one_result, _res);

+done:

+    talloc_free(sanitized);

     talloc_free(filter);

     return ret;

 }

@@ -4856,7 +4877,8 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,

                                     struct ldb_result **res)

 {

     int ret;

-    char *user_filter;

+    char *user_filter = NULL;

+    char *filter = NULL;

     ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_MAPPED_CERT,

                                          NULL, NULL, &user_filter);

@@ -4865,10 +4887,15 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,

         return ret;

     }

-    ret = sysdb_search_object_by_str_attr(mem_ctx, domain,

-                                          SYSDB_USER_CERT_FILTER,

-                                          user_filter, attrs, false, res);

+    filter = talloc_asprintf(NULL, SYSDB_USER_CERT_FILTER, user_filter);

     talloc_free(user_filter);

+    if (filter == NULL) {

+        return ENOMEM;

+    }

+

+    ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs, false, res);

+

+    talloc_free(filter);

     return ret;

 }

diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c

index 6ec82ce4ca5c4f918bc9f3144c21f33b270ea47e..588eb9ef02033ec061b4187964fe562da84e86c8 100644

--- a/src/tests/sysdb-tests.c

+++ b/src/tests/sysdb-tests.c

@@ -6444,6 +6444,13 @@ START_TEST(test_upn_basic)

     fail_unless(strcmp(str, UPN_PRINC) == 0,

                 "Expected [%s], got [%s].", UPN_PRINC, str);

+    /* check if input is sanitized */

+    ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,

+                                   "abc@def.ghi)(name="UPN_USER_NAME")(abc=xyz",

+                                   NULL, &msg;;

+    fail_unless(ret == ENOENT,

+                "sysdb_search_user_by_upn failed with un-sanitized input.");

+

     talloc_free(test_ctx);

 }

 END_TEST

-- 

2.13.5