Bug 1108237

Summary: [RFE] Enhance input validation for filters in access control
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.1CC: rcritten
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.0.3-1.el7 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:12:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 976382, 1153292    
Bug Blocks:    

Description Martin Kosek 2014-06-11 14:59:04 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/902

Delegation and permissions take LDAP filter as an argument. It is currently not validated. This ticket call for addition of the validation logic.
Comment 1 Martin Kosek 2014-06-11 15:23:33 UTC 
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.
Comment 3 Namita Soman 2015-01-26 22:49:25 UTC 
Verified using ipa-server-4.1.0-16.el7.x86_64

Using valid filter:
# ipa permission-add testperm1 --right=write --type=user --attrs=sn --filter="(cn=testgroup)"
----------------------------
Added permission "testperm1"
----------------------------
  Permission name: testperm1
  Granted rights: write
  Effective attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=testrelm,dc=test
  Extra target filter: (cn=testgroup)
  Type: user


Using invalid filter:
# ipa permission-add testperm2 --right=write --type=user --attrs=sn --filter="testgroup"
ipa: ERROR: invalid 'filter': must be enclosed in parentheses


# ipa permission-add testperm2 --right=write --type=user --attrs=sn --filter="(testgroup)"
ipa: ERROR: invalid 'ipapermtargetfilter': Bad search filter
Comment 5 errata-xmlrpc 2015-03-05 10:12:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html