Description of problem:
ipa netgroup-add-member allows invalid characters like ?, | $, etc.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.10.1-1.el6.x86_64
389-ds-base-libs-1.2.10.1-1.el6.x86_64
ipa-server-2.2.0-102.20120220T2339zgit7fe095c.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. <setup ipa server>
2. kinit admin
3. ipa netgroup-add testng1 --desc=desc1
4. ipa netgroup-add-member testng1 --hosts=badhost?
5. ipa netgroup-add-member testng1 --hosts=badhost\!\@\#\$\%\^\&\*\(\)

Actual results:

# ipa netgroup-add testng1 --desc=desc1
------------------------
Added netgroup "testng1"
------------------------
Netgroup name: testng1
Description: desc1
NIS domain name: testrelm.com
IPA unique ID: 40d66da2-5f0a-11e1-9c9c-5254008638a1

# ipa netgroup-add-member --hosts=badhost?
Netgroup name: testng1
Description: desc1
NIS domain name: testrelm.com
External host: badhost?
-------------------------
Number of members added 1
-------------------------

# ipa netgroup-add-member testng1 --hosts=badhost\!\@\#\$\%\^\&\*\(\)
Netgroup name: testng1
Description: desc1
NIS domain name: testrelm.com
External host: badhost?, badhost!@#$%^&*()
-------------------------
Number of members added 1
-------------------------

Expected results:
Should error on invalid characters for external hosts

Additional info:
Also affects netgroup-mod:

# ipa netgroup-mod testng1 --addattr=externalhost=anotherbadhost?
---------------------------
Modified netgroup "testng1"
---------------------------
Netgroup name: testng1
Description: desc1
NIS domain name: testrelm.com
External host: badhost?, badhost!@#$%^&*(), anotherbadhost?

# ipa netgroup-mod testng1 --addattr=externalhost=anotherbadhost\!\@\#\$\%\^\&\*\(\)
---------------------------
Modified netgroup "testng1"
---------------------------
Netgroup name: testng1
Description: desc1
NIS domain name: testrelm.com
External host: badhost?, badhost!@#$%^&*(), anotherbadhost?, anotherbadhost!@#$%^&*()

/var/log/httpd/error_log entries:

[Fri Feb 24 11:09:35 2012] [error] ipa: INFO: admin: netgroup_add_member(u'testng1', all=False, raw=False, version=u'2.26', host=(u'badhost?',)): SUCCESS
[Fri Feb 24 11:09:54 2012] [error] ipa: INFO: admin: netgroup_add_member(u'testng1', all=False, raw=False, version=u'2.26', host=(u'badhost!@#$%^&*()',)): SUCCESS
[Fri Feb 24 11:13:17 2012] [error] ipa: INFO: admin: netgroup_mod(u'testng1', addattr=(u'externalhost=anotherbadhost?',), rights=False, all=False, raw=False, version=u'2.26'): SUCCESS
[Fri Feb 24 11:13:24 2012] [error] ipa: INFO: admin: netgroup_mod(u'testng1', addattr=(u'externalhost=anotherbadhost!@#$%^&*()',), rights=False, all=False, raw=False, version=u'2.26'): SUCCESS
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2447
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/5cfee2338d548035151926c5c235f3426fca0499
ipa-2-2: https://fedorahosted.org/freeipa/changeset/df0e73a5dbfb4ad09a74c930f4d7e6d0721e5c9b
From a quick check, I can see that it appears fixed for the --hosts option but, should it be for --setattr/--addattr? Doesn't appear to be:

# ipa netgroup-add test1 --desc=asdf
----------------------
Added netgroup "test1"
----------------------
Netgroup name: test1
Description: asdf
NIS domain name: testrelm.com
IPA unique ID: 9a65ec84-7ccf-11e1-9e50-525400a8d770

# ipa netgroup-mod test1 --setattr=externalhost=anotherbadhost?
-------------------------
Modified netgroup "test1"
-------------------------
Netgroup name: test1
Description: asdf
NIS domain name: testrelm.com
External host: anotherbadhost?

# ipa netgroup-mod test1 --addattr=externalhost=anotherbadhost\!\@\#$\%\^\&\*\(\)
-------------------------
Modified netgroup "test1"
-------------------------
Netgroup name: test1
Description: asdf
NIS domain name: testrelm.com
External host: anotherbadhost?, anotherbadhost!@#$%^&*()
setting bug back to assigned
I'm not sure if this is related yet but, I'm also now seeing an internal error if --hosts= is empty or space:

# ipa netgroup-add netgroup1 --desc=netgroup1
--------------------------
Added netgroup "netgroup1"
--------------------------
Netgroup name: netgroup1
Description: netgroup1
NIS domain name: testrelm.com
IPA unique ID: c295bb74-7cd1-11e1-9dc4-525400a8d770

# ipa netgroup-add-member netgroup1 --hosts=
ipa: ERROR: an internal error has occurred

# ipa netgroup-add-member netgroup1 --hosts=""
ipa: ERROR: an internal error has occurred

# ipa netgroup-add-member netgroup1 --hosts=" "
ipa: ERROR: an internal error has occurred

Entry from /var/log/httpd/error_log:

[Mon Apr 02 09:40:32 2012] [error] ipa: ERROR: non-public: TypeError: 'NoneType' object is not iterable
[Mon Apr 02 09:40:32 2012] [error] Traceback (most recent call last):
[Mon Apr 02 09:40:32 2012] [error] File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 315, in wsgi_execute
[Mon Apr 02 09:40:32 2012] [error] result = self.Command[name](*args, **options)
[Mon Apr 02 09:40:32 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
[Mon Apr 02 09:40:32 2012] [error] ret = self.run(*args, **options)
[Mon Apr 02 09:40:32 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 716, in run
[Mon Apr 02 09:40:32 2012] [error] return self.execute(*args, **options)
[Mon Apr 02 09:40:32 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1509, in execute
[Mon Apr 02 09:40:32 2012] [error] dn = callback(ldap, dn, member_dns, failed, *keys, **options)
[Mon Apr 02 09:40:32 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py", line 266, in pre_callback
[Mon Apr 02 09:40:32 2012] [error] return add_external_pre_callback('host', ldap, dn, keys, options)
[Mon Apr 02 09:40:32 2012] [error] File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 334, in add_external_pre_callback
[Mon Apr 02 09:40:32 2012] [error] for value in options[membertype]:
[Mon Apr 02 09:40:32 2012] [error] TypeError: 'NoneType' object is not iterable
[Mon Apr 02 09:40:32 2012] [error] ipa: INFO: admin: netgroup_add_member(u'netgroup1', all=False, raw=False, version=u'2.32', host=None): TypeError
That was with the 2.2.0-7 version.
Good catch, I will reopen the upstream ticket. This case should be fixed.
I have opened a separate bug to cover the setattr/addattr issue/question here. That can be handled there instead of here. That is bug 813325. There is still the question of the internal errors on empty --hosts= options.
Empty hosts crash is fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/6f7224f252775c01e13c281a83e555b627834ffd
ipa-2-2: https://fedorahosted.org/freeipa/changeset/dc0132addaf2a26daaf5f3b52dffdcb1502a9c03
Verified.

Version ::

ipa-server-2.2.0-10.el6.x86_64

Automated Test Results ::

# netgroup_bz_797256
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: netgroup_bz_797256: ipa netgroup-add-member --hosts should not allow invalid characters
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

-------------------------------------
Added netgroup "netgroup_bz_797256_1"
-------------------------------------
Netgroup name: netgroup_bz_797256_1
Description: desc1
NIS domain name: testrelm.com
IPA unique ID: 62eb79b6-8a78-11e1-a1bb-5254009625e8
:: [ PASS ] :: Running 'ipa netgroup-add netgroup_bz_797256_1 --desc=desc1'
:: [ PASS ] :: Running 'ipa netgroup-add-member netgroup_bz_797256_1 --hosts=badhost? > /tmp/errormsg.out 2>&1'
:: [ PASS ] :: BZ 797256 not found for ipa netgroup-add-member --hosts with ?
---------------------------------------
Deleted netgroup "netgroup_bz_797256_1"
---------------------------------------
:: [ PASS ] :: Running 'ipa netgroup-del netgroup_bz_797256_1'
-------------------------------------
Added netgroup "netgroup_bz_797256_2"
-------------------------------------
Netgroup name: netgroup_bz_797256_2
Description: desc2
NIS domain name: testrelm.com
IPA unique ID: 69a5455c-8a78-11e1-819d-5254009625e8
:: [ PASS ] :: Running 'ipa netgroup-add netgroup_bz_797256_2 --desc=desc2'
:: [ PASS ] :: Running 'ipa netgroup-add-member netgroup_bz_797256_2 --hosts=badhost\!\@\#$\%\^\&\*\(\) > /tmp/errormsg.out 2>&1'
:: [ PASS ] :: BZ 797256 not found for ipa netgroup-add-member --hosts with other invalid characters
---------------------------------------
Deleted netgroup "netgroup_bz_797256_2"
---------------------------------------
:: [ PASS ] :: Running 'ipa netgroup-del netgroup_bz_797256_2'

Manual Test Results ::

# ipa netgroup-add test2 --desc=test2
----------------------
Added netgroup "test2"
----------------------
Netgroup name: test2
Description: test2
NIS domain name: testrelm.com
IPA unique ID: dd3d1f80-8a78-11e1-a25b-5254009625e8

# ipa netgroup-add-member test2 --hosts=badhost?
ipa: ERROR: invalid 'host': only letters, numbers, _, and - are allowed. - must not be the DNS label character

# ipa netgroup-add-member test2 --hosts=badhost\!\@\#$\%\^\&\*\(\)
ipa: ERROR: invalid 'host': only letters, numbers, _, and - are allowed. - must not be the DNS label character

# ipa netgroup-add-member test2 --hosts=
Netgroup name: test2
Description: test2
NIS domain name: testrelm.com
-------------------------
Number of members added 0
-------------------------

# ipa netgroup-add-member test2 --hosts=""
Netgroup name: test2
Description: test2
NIS domain name: testrelm.com
-------------------------
Number of members added 0
-------------------------

# ipa netgroup-add-member test2 --hosts=" "
Netgroup name: test2
Description: test2
NIS domain name: testrelm.com
-------------------------
Number of members added 0
-------------------------
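
The three behaviours discussed in this report (external host names accepted without validation, the TypeError when --hosts is empty, and the --setattr/--addattr route that skipped the check) all point at one shared write path that validates values and tolerates missing input. A Python sketch of that pattern, added here as an illustration and not FreeIPA's code; the function names, the dict-based entry and the exact label rule (including rejecting a leading or trailing "-") are assumptions:

```python
import re

# Assumed rule, modelled on the error text quoted above: dot-separated labels
# of letters, digits, "_" and "-"; this sketch also rejects a label that
# starts or ends with "-".
_LABEL = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?")


def validate_external_host(value):
    """Return None if the host name is acceptable, else an error string."""
    name = value[:-1] if value.endswith(".") else value  # allow one root dot
    if not all(_LABEL.fullmatch(label) for label in name.split(".")):
        return "invalid 'host': only letters, numbers, _, and - are allowed"
    return None


def normalize_hosts(raw):
    """Turn an option value (None, str or sequence) into a clean list.

    A missing or blank --hosts value becomes [], so no caller ever
    iterates over None.
    """
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = [raw]
    return [h.strip() for h in raw if h and h.strip()]


def add_external_hosts(entry, raw_hosts):
    """Single write path for externalhost: returns (added, failed)."""
    added, failed = [], []
    for host in normalize_hosts(raw_hosts):
        error = validate_external_host(host)
        if error:
            failed.append((host, error))
        elif host not in entry.setdefault("externalhost", []):
            entry["externalhost"].append(host)
            added.append(host)
    return added, failed


def apply_addattr(entry, assignment):
    """Hypothetical --addattr handler: externalhost goes through the same check."""
    name, _, value = assignment.partition("=")
    if name.lower() == "externalhost":
        return add_external_hosts(entry, [value])
    entry.setdefault(name, []).append(value)
    return [value], []
```

Because `apply_addattr` delegates to `add_external_hosts`, a value rejected through `--hosts` is rejected through the generic attribute route as well.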
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html