|
 |
5873fa |
From 9710c327b3034d7a9d112306961c9cec98083df5 Mon Sep 17 00:00:00 2001
|
|
|
5873fa |
From: Simon Pichugin <simon.pichugin@gmail.com>
|
|
|
5873fa |
Date: Mon, 18 May 2020 22:33:45 +0200
|
|
|
5873fa |
Subject: [PATCH 05/12] Issue 51086 - Improve dscreate instance name validation
|
|
|
5873fa |
|
|
|
5873fa |
Bug Description: When creating an instance using dscreate, it doesn't enforce
|
|
|
5873fa |
max name length. The ldapi socket name contains name of the instance. If it's
|
|
|
5873fa |
too long, we can hit limits, and the file name will be truncated. Also, it
|
|
|
5873fa |
doesn't sanitize the instance name, it's possible to create an instance with
|
|
|
5873fa |
non-ascii symbols in its name.
|
|
|
5873fa |
|
|
|
5873fa |
Fix Description: Add more checks to 'dscreate from-file' installation.
|
|
|
5873fa |
Add a limitation for nsslapd-ldapifilepath string lenght because it is
|
|
|
5873fa |
limited by sizeof((*ports_info.i_listenaddr)->local.path)) it is copied to.
|
|
|
5873fa |
|
|
|
5873fa |
https://pagure.io/389-ds-base/issue/51086
|
|
|
5873fa |
|
|
|
5873fa |
Reviewed by: firstyear, mreynolds (Thanks!)
|
|
|
5873fa |
---
|
|
|
5873fa |
ldap/servers/slapd/libglobs.c | 12 ++++++++++++
|
|
|
5873fa |
src/cockpit/389-console/src/ds.jsx | 8 ++++++--
|
|
|
5873fa |
src/lib389/lib389/instance/setup.py | 9 +++++++++
|
|
|
5873fa |
3 files changed, 27 insertions(+), 2 deletions(-)
|
|
|
5873fa |
|
|
|
5873fa |
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
|
|
|
5873fa |
index 0d3d9a924..fbf90d92d 100644
|
|
|
5873fa |
--- a/ldap/servers/slapd/libglobs.c
|
|
|
5873fa |
+++ b/ldap/servers/slapd/libglobs.c
|
|
|
5873fa |
@@ -2390,11 +2390,23 @@ config_set_ldapi_filename(const char *attrname, char *value, char *errorbuf, int
|
|
|
5873fa |
{
|
|
|
5873fa |
int retVal = LDAP_SUCCESS;
|
|
|
5873fa |
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
|
|
|
5873fa |
+ /*
|
|
|
5873fa |
+ * LDAPI file path length is limited by sizeof((*ports_info.i_listenaddr)->local.path))
|
|
|
5873fa |
+ * which is set in main.c inside of "#if defined(ENABLE_LDAPI)" block
|
|
|
5873fa |
+ * ports_info.i_listenaddr is sizeof(PRNetAddr) and our required sizes is 8 bytes less
|
|
|
5873fa |
+ */
|
|
|
5873fa |
+ size_t result_size = sizeof(PRNetAddr) - 8;
|
|
|
5873fa |
|
|
|
5873fa |
if (config_value_is_null(attrname, value, errorbuf, 0)) {
|
|
|
5873fa |
return LDAP_OPERATIONS_ERROR;
|
|
|
5873fa |
}
|
|
|
5873fa |
|
|
|
5873fa |
+ if (strlen(value) >= result_size) {
|
|
|
5873fa |
+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: \"%s\" is invalid, its length must be less than %d",
|
|
|
5873fa |
+ attrname, value, result_size);
|
|
|
5873fa |
+ return LDAP_OPERATIONS_ERROR;
|
|
|
5873fa |
+ }
|
|
|
5873fa |
+
|
|
|
5873fa |
if (apply) {
|
|
|
5873fa |
CFG_LOCK_WRITE(slapdFrontendConfig);
|
|
|
5873fa |
|
|
|
5873fa |
diff --git a/src/cockpit/389-console/src/ds.jsx b/src/cockpit/389-console/src/ds.jsx
|
|
|
5873fa |
index 90d9e5abd..53aa5cb79 100644
|
|
|
5873fa |
--- a/src/cockpit/389-console/src/ds.jsx
|
|
|
5873fa |
+++ b/src/cockpit/389-console/src/ds.jsx
|
|
|
5873fa |
@@ -793,10 +793,14 @@ class CreateInstanceModal extends React.Component {
|
|
|
5873fa |
return;
|
|
|
5873fa |
}
|
|
|
5873fa |
newServerId = newServerId.replace(/^slapd-/i, ""); // strip "slapd-"
|
|
|
5873fa |
- if (newServerId.length > 128) {
|
|
|
5873fa |
+ if (newServerId === "admin") {
|
|
|
5873fa |
+ addNotification("warning", "Instance Name 'admin' is reserved, please choose a different name");
|
|
|
5873fa |
+ return;
|
|
|
5873fa |
+ }
|
|
|
5873fa |
+ if (newServerId.length > 80) {
|
|
|
5873fa |
addNotification(
|
|
|
5873fa |
"warning",
|
|
|
5873fa |
- "Instance name is too long, it must not exceed 128 characters"
|
|
|
5873fa |
+ "Instance name is too long, it must not exceed 80 characters"
|
|
|
5873fa |
);
|
|
|
5873fa |
return;
|
|
|
5873fa |
}
|
|
|
5873fa |
diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py
|
|
|
5873fa |
index 803992275..f5fc5495d 100644
|
|
|
5873fa |
--- a/src/lib389/lib389/instance/setup.py
|
|
|
5873fa |
+++ b/src/lib389/lib389/instance/setup.py
|
|
|
5873fa |
@@ -567,6 +567,15 @@ class SetupDs(object):
|
|
|
5873fa |
|
|
|
5873fa |
# We need to know the prefix before we can do the instance checks
|
|
|
5873fa |
assert_c(slapd['instance_name'] is not None, "Configuration instance_name in section [slapd] not found")
|
|
|
5873fa |
+ assert_c(len(slapd['instance_name']) <= 80, "Server identifier should not be longer than 80 symbols")
|
|
|
5873fa |
+ assert_c(all(ord(c) < 128 for c in slapd['instance_name']), "Server identifier can not contain non ascii characters")
|
|
|
5873fa |
+ assert_c(' ' not in slapd['instance_name'], "Server identifier can not contain a space")
|
|
|
5873fa |
+ assert_c(slapd['instance_name'] != 'admin', "Server identifier \"admin\" is reserved, please choose a different identifier")
|
|
|
5873fa |
+
|
|
|
5873fa |
+ # Check that valid characters are used
|
|
|
5873fa |
+ safe = re.compile(r'^[#%:\w@_-]+$').search
|
|
|
5873fa |
+ assert_c(bool(safe(slapd['instance_name'])), "Server identifier has invalid characters, please choose a different value")
|
|
|
5873fa |
+
|
|
|
5873fa |
# Check if the instance exists or not.
|
|
|
5873fa |
# Should I move this import? I think this prevents some recursion
|
|
|
5873fa |
from lib389 import DirSrv
|
|
|
5873fa |
--
|
|
|
5873fa |
2.26.2
|
|
|
5873fa |
|