From adb6802b1b4dec30f19c3bf76089b6bc60ac0454 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 1 Aug 2016 09:55:58 +0200
Subject: [PATCH] cert: do not crash on invalid data in cert-find
https://fedorahosted.org/freeipa/ticket/6150
Reviewed-By: Martin Basti
Reviewed-By: Pavel Vomacka
---
 ipaserver/plugins/cert.py | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 47dccf15a4010f2766642aedd2cc16e0a1eb1dd4..b8df074a186ca91daa8e8f5e725724ea7bc5a663 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -32,7 +32,7 @@ import six
 from ipalib import Command, Str, Int, Flag
 from ipalib import api
-from ipalib import errors
+from ipalib import errors, messages
 from ipalib import pkcs10
 from ipalib import x509
 from ipalib import ngettext
@@ -994,7 +994,15 @@ class cert_find(Search, CertMethod):
 )
 def _get_cert_key(self, cert):
- nss_cert = x509.load_certificate(cert, x509.DER)
+ try:
+ nss_cert = x509.load_certificate(cert, x509.DER)
+ except NSPRError as e:
+ message = messages.SearchResultTruncated(
+ reason=_("failed to load certificate: %s") % e,
+ )
+ self.add_message(message)
+
+ raise ValueError("failed to load certificate")
 return (DN(unicode(nss_cert.issuer)), nss_cert.serial_number)
@@ -1017,7 +1025,10 @@ class cert_find(Search, CertMethod):
 except KeyError:
 return result, False, False
- key = self._get_cert_key(cert)
+ try:
+ key = self._get_cert_key(cert)
+ except ValueError:
+ return result, True, True
 result[key] = self._get_cert_obj(cert, all, raw, pkey_only)
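Review bot: The `except NSPRError` clause added to `_get_cert_key` handles only one exception type, so if `x509.load_certificate` can raise anything else on malformed DER (not visible in this diff), cert-find would still abort on bad stored data; it is worth confirming the loader's failure modes and widening the clause to match. The import hunk adds only `messages`, so `NSPRError` is presumably already imported in cert.py, which should be checked as well. The failure is also reported as `SearchResultTruncated`, which describes a size or time limit rather than corrupt data, and the raw library error text is interpolated into what appears to be a client-visible reason. A short docstring would help, for example `"""Return (issuer DN, serial) for a DER certificate; add a warning message and raise ValueError if it cannot be parsed."""`.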
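Review bot: The new `return result, True, True` in the `except ValueError` branch is hard to read next to `return result, False, False` just above it, because neither says what the two flags mean; judging by the `truncated` variable in the later hunk they look like (truncated, complete), but the enclosing method starts and ends outside this hunk, so that is an inference. If `cert` here comes from the caller's search option, an unparseable value ends up as an empty result flagged as truncated rather than as an input error, which may hide a malformed request from the caller. At minimum add a comment such as `# unparseable certificate cannot match anything: flag the result and stop searching`.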
@@ -1132,12 +1143,21 @@ class cert_find(Search, CertMethod): entries = [] truncated = False else: + try: + ldap.handle_truncated_result(truncated) + except errors.LimitsExceeded as e: + self.add_message(messages.SearchResultTruncated(reason=e)) + truncated = bool(truncated) for entry in entries: for attr in ('usercertificate', 'usercertificate;binary'): for cert in entry.get(attr, []): - key = self._get_cert_key(cert) + try: + key = self._get_cert_key(cert) + except ValueError: + truncated = True + continue try: obj = result[key] -- 2.7.4
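Review bot: The `except ValueError` branch inside the entry loop sets `truncated = True` and continues without recording which directory entry held the unparseable certificate, so an administrator who sees the warning has no way to find and clean up the bad `usercertificate` value; `entry` is in scope there, so logging `entry.dn` before `continue` would make the warning actionable. `_get_cert_key` also adds one message per failing certificate, so a search over many bad values returns as many near-identical warnings. The first added block passes the exception object itself, `reason=e`, while `_get_cert_key` passes formatted text; using text in both places keeps the message payload consistent. The enclosing method starts and ends outside this hunk.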