
Zhang Huangbin committed 1345362

Fixed SECURITY issue:
Normal users can log in and update their own profile, including mail quota.
Thanks Wesley MOUEDINE ASSABY <wesley _at_ aise.re> for the report.

  • Parent commits 7c65d77



           Note: SSHA512 requires Dovecot-2.0 (and later), Python-2.5 (or
           later).
 
+    * Fixed:
+        - SECURITY ISSUE: Normal user can login and update their own profile,
+          includes mail quota.
+          Thanks Wesley MOUEDINE ASSABY <wesley _at_ aise.re> for the report.
+
     * Updated translations:
         + Update Czech (cs_CZ). Thanks Roman Pudil <roman _at_ webhosting.fm>.
 

libs/ldaplib/auth.py

 
 import web
 import ldap
-import ldap.filter
+from ldap.dn import escape_dn_chars
 
 
 # Used for user auth.
 def Auth(uri, dn, password, session=web.config.get('_session')):
     try:
-        dn = ldap.filter.escape_filter_chars(web.safestr(dn.strip()))
+        dn = escape_dn_chars(web.safestr(dn.strip()))
         password = password.strip()
 
         # Detect STARTTLS support.
                         ')'
 
                 # Check whether this user is a site wide global admin.
-                qr = conn.search_s(dn, ldap.SCOPE_BASE, filter, ['objectClass', 'domainGlobalAdmin'])
+                qr = conn.search_s(
+                    dn,
+                    ldap.SCOPE_BASE,
+                    filter,
+                    ['objectClass', 'domainGlobalAdmin', 'enabledService'])
+
                 if not qr:
                     raise ldap.INVALID_CREDENTIALS
 
                     session['domainGlobalAdmin'] = True
 
                 if 'mailUser' in entry.get('objectClass'):
+                    if 'domainadmin' in entry.get('enabledService', []):
+                        return False
                     session['isMailUser'] = True
 
                 conn.unbind_s()
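Review bot: The new check `if 'domainadmin' in entry.get('enabledService', []): return False` looks inverted against the commit message: it rejects the mailUser entries that carry `domainadmin` in enabledService and still sets `session['isMailUser'] = True` for every other mail user, so a plain user would still get through. If `enabledService: domainadmin` marks a mail user who is also a domain admin (which the attribute added to the search_s call suggests), the condition should read `if 'domainadmin' not in entry.get('enabledService', []): return False`. The early `return False` also skips the `conn.unbind_s()` below it, leaving the bound connection open unless a `finally` outside the hunk closes it. Separately, `escape_dn_chars` in the first hunk escapes `,` and `=`, so if `dn` arrives as a complete DN rather than a single RDN value the call mangles it before the bind; worth confirming what callers pass. Auth() starts before and continues after this hunk.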