Bug 2180981 - sss allows extraneous @ characters prefixed to username
Summary: sss allows extraneous @ characters prefixed to username
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.7
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Tomas Halman
QA Contact: shridhar
URL:
Whiteboard: sync-to-jira
: 2180998
Depends On:
Blocks:
Reported: 2023-03-22 18:48 UTC by Abhijit Roy
Modified: 2023-08-04 13:25 UTC

Fixed In Version: sssd-2.9.0-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | SSSD sssd issues 6635 | 0 | None | open | sss allows extraneous @ characters prefixed to username | 2023-03-24 09:43:16 UTC |
| Github | SSSD sssd pull 6646 | 0 | None | open | util: Improve re_expression defaults | 2023-03-24 09:44:44 UTC |
| Red Hat Issue Tracker | RHELPLAN-152813 | 0 | None | None | None | 2023-03-22 18:50:05 UTC |
| Red Hat Issue Tracker | SSSD-5772 | 0 | None | None | None | 2023-03-23 14:27:41 UTC |

Description Abhijit Roy 2023-03-22 18:48:10 UTC
Description of problem:

As per the upstream ticket https://github.com/SSSD/sssd/issues/6635 I am opening this bz.

Solution provided by Tomáš:

Default re_expressions do not use "^", so they may skip/ignore some leading characters (@ and \).
Changing

#define SSS_DEFAULT_RE "(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
to

#define SSS_DEFAULT_RE "^(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
and a similar change for SSS_IPA_AD_DEFAULT_RE will solve the issue. It will make SSSD more strict about input values.

Consider that this regular expression is also used for group names, and an MS Windows group name can actually include @.

$ grep "SSS_DEFAULT_RE" util/util.h 
#define SSS_DEFAULT_RE "(?P<name>[^@]+)@?(?P<domain>[^@]*$)"

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Alexey Tikhonov 2023-03-23 14:17:11 UTC
*** Bug 2180998 has been marked as a duplicate of this bug. ***

Comment 2 Alexey Tikhonov 2023-03-24 09:44:44 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/6646

Comment 3 Alexey Tikhonov 2023-04-14 10:14:48 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6646

* `master`
    * b78b508b1dbdb78c8d17916472a3398d67f76bbd - responder: regexp cleanup
    * 526aea3e8cb48dbfaabb009e06236828ad903429 - util: Improve re_expression defaults
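
The difference between the two SSS_DEFAULT_RE definitions quoted in the description can be checked directly. This is an added example, not code from SSSD or from the bug report: Python's `re.search` is assumed here as a stand-in for an unanchored regex search, and the sample names and the helpers `parse`, `compare` and `silently_normalised` are constructed for illustration. It also goes slightly beyond leading `@` characters by including a name with an embedded `@`.

```python
import re

# Both patterns are copied from the #define lines quoted in the description.
OLD_RE = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
NEW_RE = r"^(?P<name>[^@]+)@?(?P<domain>[^@]*$)"


def parse(pattern, raw):
    """Return (name, domain) for raw, or None if the pattern does not match.

    Assumption: re.search models an unanchored search, which may start
    matching at any offset unless the pattern itself begins with "^".
    """
    m = re.search(pattern, raw)
    return (m.group("name"), m.group("domain")) if m else None


# Constructed sample inputs, not taken from the bug report.
SAMPLES = ["alice", "alice@example.com", "@alice", "@@alice@example.com", "a@b@c"]


def compare(samples=SAMPLES):
    """Map each input to (result with old default, result with anchored default)."""
    return {s: (parse(OLD_RE, s), parse(NEW_RE, s)) for s in samples}


def silently_normalised(samples=SAMPLES):
    """Inputs the old default accepts only by skipping text at the start."""
    return [s for s, (old, new) in compare(samples).items() if old and not new]


if __name__ == "__main__":
    for raw, (old, new) in compare().items():
        print(f"{raw!r:24} old={old!s:28} anchored={new}")
    print("accepted only without '^':", silently_normalised())
```

With the anchored pattern, well-formed names parse exactly as before, while inputs that the old default mapped onto a different name are rejected. The last sample shows the caveat raised in the description: a name that legitimately contains `@` no longer matches the anchored default either.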

