
From: Jim Shi <hanmao_shi@apple.com>
Subject: issues in handling special characters in KDC ldap plugin code
Date: Fri, 24 Aug 2012 11:05:20 -0700
To: krb5-bugs@mit.edu
Hi, In the process of migrating file based kdc to kdc with ldap backend, we found two issues in handling of special characters in the kdc ldap plugin code. We have kdc version krb5.1.10.3. We believe the same problem exists in the previous versions as well.

Issue 1.
When persisting a principal record to ldap backend, in the file "ldap_principal2.c" with procedure:
krb5_error_code
krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
char **db_args)
in two separate places, it should apply 'ldap_filter_correct' on 'user' to escape special characters in ldap search. But it did not.

See attached ldap_principal2.c.patch for the fix.


Issue 2.
We need to escape a few more special characters in the file "ldap_realm.c", subroutine:
char *
ldap_filter_correct (char *in)

See the attached ldap_realm.c.patch, I add four more characters to escape: '+', '#', ';', ',' .

Thanks for your attention.



Jim Shi

From: Jim Shi <hanmao_shi@apple.com>
Subject: Re: [krbdev.mit.edu #7296] AutoReply: issues in handling special characters in KDC ldap plugin code
Date: Sun, 26 Aug 2012 21:06:11 -0700
To: rt@krbdev.mit.edu
Here is new patch for fixing the issues. Please ignore the two patches in my previous email.

Jim


On Aug 24, 2012, at 5:51 PM, krb5 wrote:

>
> Greetings,
>
> This message has been automatically generated in response to the
> creation of a trouble ticket regarding:
> "issues in handling special characters in KDC ldap plugin code",
> a summary of which appears below.
>
> There is no need to reply to this message right now. Your ticket has been
> assigned an ID of [krbdev.mit.edu #7296].
>
> Please include the string:
>
> [krbdev.mit.edu #7296]
>
> in the subject line of all future correspondence about this issue. To do so,
> you may reply to this message.
>
> Thank you,
>
>
> -------------------------------------------------------------------------
>
>
> Jim Shi
>
More work on this issue is required. Some notes from my work so far:

* Bug #1: krb5_ldap_put_principal() is not encoding the unparsed
principal name for use as a DN, so putting a principal with DN-special
characters tends to fail.

* Bug #2: krb5_ldap_name_to_policydn() uses ldap_filter_correct() to
quote special characters. But the special characters for a filter
expression are not the same as the special characters for a DN.

* The patch here corrects bug #1 and tries to correct bug #2 by adding
some of the special DN characters to ldap_filter_correct(). But it
doesn't get all of them.

* If ldap_filter_correct() is amended to quote all of the special
characters for DNs, iteration over policies and principals still
produces incorrect results. For instance, a policy named "<test*>",
encoded to "\\3ctest\\2a\\3e" by our code for use as a DN, comes back as
"\\3Ctest*\\3E" in iteration. The iteration code is using
ldap_get_values() to extract the cn of the policy entry. I have not yet
determined why the LDAP code represents the string that way or how best
to work around it (maybe using ldap_get_values_len?)

If this is pulled up to 1.11 (which is reasonable), either
c3064fcc2ca98d563e4a10dfc4143c74f308a551 needs to be pulled up as well,
or the kdbtest.c and t_kdb.py changes need to be omitted.

From: ghudson@mit.edu
Subject: SVN Commit

Fix quoting issues in LDAP KDB module

Modify ldap_filter_correct() to quote special characters for DN
strings as well as filters, since it is already used to quote a DN
string in krb5_ldap_name_to_policydn() and there's no harm in
over-quoting. In krb5_ldap_put_principal(), quote the unparsed
principal name for use in DNs we choose. In
krb5_ldap_create_password_policy(), use the policy name for the CN of
the policy entry instead of the (possibly quoted) first element of the
DN.

Adapted from a patch by Jim Shi <hanmao_shi@apple.com>.

https://github.com/krb5/krb5/commit/85898e8f1c9e4f5bff70e1ff810519363b262eb4
Author: Greg Hudson <ghudson@mit.edu>
Commit: 85898e8f1c9e4f5bff70e1ff810519363b262eb4
Branch: master
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 18 ++++--
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 16 +----
src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 77 ++++----------------
src/tests/kdbtest.c | 34 +++++----
src/tests/t_kdb.py | 2 -
5 files changed, 48 insertions(+), 99 deletions(-)
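
The difference between filter quoting and DN quoting discussed in this ticket, shown as an added example (not code from krb5 or from the patches above). The function names are hypothetical; the character sets follow RFC 4515 (search filter values) and RFC 4514 (DN attribute values), and the lowercase \XX hex form is a choice made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hex-escape (\XX) each byte of `in` for which `special` returns nonzero.
 * Caller frees the result; returns NULL on allocation failure. */
static char *hex_escape(const char *in,
                        int (*special)(const char *, size_t, size_t))
{
    size_t len = strlen(in), i, o = 0;
    char *out = malloc(len * 3 + 1);    /* worst case: every byte escaped */

    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        if (special(in, i, len))
            o += (size_t)sprintf(out + o, "\\%02x", (unsigned char)in[i]);
        else
            out[o++] = in[i];
    }
    out[o] = '\0';
    return out;
}

/* RFC 4515 filter values: * ( ) \  (NUL cannot occur in a C string). */
static int filter_special(const char *s, size_t i, size_t len)
{
    (void)len;
    return strchr("*()\\", s[i]) != NULL;
}

/* RFC 4514 DN values: " + , ; < > \ anywhere; '#' or space first; space last. */
static int dn_special(const char *s, size_t i, size_t len)
{
    if (strchr("\"+,;<>\\", s[i]) != NULL)
        return 1;
    if (i == 0 && (s[i] == '#' || s[i] == ' '))
        return 1;
    return i == len - 1 && s[i] == ' ';
}

char *escape_filter_value(const char *in) { return hex_escape(in, filter_special); }
char *escape_dn_value(const char *in) { return hex_escape(in, dn_special); }

int main(void)
{
    const char *name = "<test*>";       /* policy name from the notes above */
    char *f = escape_filter_value(name), *d = escape_dn_value(name);
    int ok = (f != NULL && d != NULL);

    if (ok)
        printf("filter value: %s\nDN value:     %s\n", f, d);
    free(f);
    free(d);
    return ok ? 0 : 1;
}
```

For the policy name "<test*>", the filter form escapes only the asterisk and the DN form escapes only the angle brackets, so neither routine alone is safe for both contexts.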