mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00
Code Issues Releases Wiki Activity

Check for invalid bas64 attributes.

Browse Source
This commit is contained in:
Todd C. Miller 2018-05-20 08:09:25 -06:00
parent a04cb53e37
commit 1cd472c051
7 changed files with 129 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
MANIFEST
View File

@ -433,6 +433,8 @@ plugins/sudoers/regress/cvtsudoers/test25.out.ok
plugins/sudoers/regress/cvtsudoers/test25.sh plugins/sudoers/regress/cvtsudoers/test25.sh
plugins/sudoers/regress/cvtsudoers/test26.out.ok plugins/sudoers/regress/cvtsudoers/test26.out.ok
plugins/sudoers/regress/cvtsudoers/test26.sh plugins/sudoers/regress/cvtsudoers/test26.sh
plugins/sudoers/regress/cvtsudoers/test27.out.ok
plugins/sudoers/regress/cvtsudoers/test27.sh
plugins/sudoers/regress/cvtsudoers/test3.out.ok plugins/sudoers/regress/cvtsudoers/test3.out.ok
plugins/sudoers/regress/cvtsudoers/test3.sh plugins/sudoers/regress/cvtsudoers/test3.sh
plugins/sudoers/regress/cvtsudoers/test4.out.ok plugins/sudoers/regress/cvtsudoers/test4.out.ok

90
plugins/sudoers/cvtsudoers_ldif.c
View File

@ -743,9 +743,23 @@ ldif_parse_attribute(char *str)
attr = str; attr = str;
if (encoded) { if (encoded) {
/* decode base64 inline and NUL-terminate */ /*
len = base64_decode(str, (unsigned char *)attr, strlen(str)); * Decode base64 inline and add NUL-terminator.
* The copy allows us to provide a useful message on error.
*/
char *copy = strdup(str);
if (copy == NULL) {
sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
len = base64_decode(copy, (unsigned char *)attr, strlen(attr));
if (len == (size_t)-1) {
sudo_warnx(U_("ignoring invalid attribute value: %s"), copy);
free(copy);
debug_return_str(NULL);
}
attr[len] = '\0'; attr[len] = '\0';
free(copy);
} }
debug_return_str(attr); debug_return_str(attr);
@ -1254,6 +1268,11 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
/* Compare dn to base, if specified. */ /* Compare dn to base, if specified. */
if (conf->sudoers_base != NULL) { if (conf->sudoers_base != NULL) {
attr = ldif_parse_attribute(line + 3); attr = ldif_parse_attribute(line + 3);
if (attr == NULL) {
/* invalid attribute */
mismatch = true;
continue;
}
/* Skip over cn if present. */ /* Skip over cn if present. */
if (strncasecmp(attr, "cn=", 3) == 0) { if (strncasecmp(attr, "cn=", 3) == 0) {
for (attr += 3; *attr != '\0'; attr++) { for (attr += 3; *attr != '\0'; attr++) {
@ -1274,7 +1293,7 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
} }
} else if (strncmp(line, "objectClass:", 12) == 0) { } else if (strncmp(line, "objectClass:", 12) == 0) {
attr = ldif_parse_attribute(line + 12); attr = ldif_parse_attribute(line + 12);
if (strcmp(attr, "sudoRole") == 0) if (attr != NULL && strcmp(attr, "sudoRole") == 0)
in_role = true; in_role = true;
} }
@ -1285,54 +1304,69 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
/* Part of a sudoRole, parse it. */ /* Part of a sudoRole, parse it. */
if (strncmp(line, "cn:", 3) == 0) { if (strncmp(line, "cn:", 3) == 0) {
attr = ldif_parse_attribute(line + 3); attr = ldif_parse_attribute(line + 3);
free(role->cn); if (attr != NULL) {
role->cn = unquote_cn(attr); free(role->cn);
if (role->cn == NULL) { role->cn = unquote_cn(attr);
sudo_fatalx(U_("%s: %s"), __func__, if (role->cn == NULL) {
U_("unable to allocate memory")); sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
} }
} else if (strncmp(line, "sudoUser:", 9) == 0) { } else if (strncmp(line, "sudoUser:", 9) == 0) {
attr = ldif_parse_attribute(line + 9); attr = ldif_parse_attribute(line + 9);
ldif_store_string(attr, role->users, true); if (attr != NULL)
ldif_store_string(attr, role->users, true);
} else if (strncmp(line, "sudoHost:", 9) == 0) { } else if (strncmp(line, "sudoHost:", 9) == 0) {
attr = ldif_parse_attribute(line + 9); attr = ldif_parse_attribute(line + 9);
ldif_store_string(attr, role->hosts, true); if (attr != NULL)
ldif_store_string(attr, role->hosts, true);
} else if (strncmp(line, "sudoRunAs:", 10) == 0) { } else if (strncmp(line, "sudoRunAs:", 10) == 0) {
attr = ldif_parse_attribute(line + 10); attr = ldif_parse_attribute(line + 10);
ldif_store_string(attr, role->runasusers, true); if (attr != NULL)
ldif_store_string(attr, role->runasusers, true);
} else if (strncmp(line, "sudoRunAsUser:", 14) == 0) { } else if (strncmp(line, "sudoRunAsUser:", 14) == 0) {
attr = ldif_parse_attribute(line + 14); attr = ldif_parse_attribute(line + 14);
ldif_store_string(attr, role->runasusers, true); if (attr != NULL)
ldif_store_string(attr, role->runasusers, true);
} else if (strncmp(line, "sudoRunAsGroup:", 15) == 0) { } else if (strncmp(line, "sudoRunAsGroup:", 15) == 0) {
attr = ldif_parse_attribute(line + 15); attr = ldif_parse_attribute(line + 15);
ldif_store_string(attr, role->runasgroups, true); if (attr != NULL)
ldif_store_string(attr, role->runasgroups, true);
} else if (strncmp(line, "sudoCommand:", 12) == 0) { } else if (strncmp(line, "sudoCommand:", 12) == 0) {
attr = ldif_parse_attribute(line + 12); attr = ldif_parse_attribute(line + 12);
ldif_store_string(attr, role->cmnds, false); if (attr != NULL)
ldif_store_string(attr, role->cmnds, false);
} else if (strncmp(line, "sudoOption:", 11) == 0) { } else if (strncmp(line, "sudoOption:", 11) == 0) {
attr = ldif_parse_attribute(line + 11); attr = ldif_parse_attribute(line + 11);
ldif_store_string(attr, role->options, false); if (attr != NULL)
ldif_store_string(attr, role->options, false);
} else if (strncmp(line, "sudoOrder:", 10) == 0) { } else if (strncmp(line, "sudoOrder:", 10) == 0) {
char *ep; char *ep;
attr = ldif_parse_attribute(line + 10); attr = ldif_parse_attribute(line + 10);
role->order = strtod(attr, &ep); if (attr != NULL) {
if (ep == attr || *ep != '\0') role->order = strtod(attr, &ep);
sudo_warnx(U_("invalid sudoOrder attribute: %s"), attr); if (ep == attr || *ep != '\0')
sudo_warnx(U_("invalid sudoOrder attribute: %s"), attr);
}
} else if (strncmp(line, "sudoNotBefore:", 14) == 0) { } else if (strncmp(line, "sudoNotBefore:", 14) == 0) {
attr = ldif_parse_attribute(line + 14); attr = ldif_parse_attribute(line + 14);
free(role->notbefore); if (attr != NULL) {
role->notbefore = strdup(attr); free(role->notbefore);
if (role->notbefore == NULL) { role->notbefore = strdup(attr);
sudo_fatalx(U_("%s: %s"), __func__, if (role->notbefore == NULL) {
U_("unable to allocate memory")); sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
} }
} else if (strncmp(line, "sudoNotAfter:", 13) == 0) { } else if (strncmp(line, "sudoNotAfter:", 13) == 0) {
attr = ldif_parse_attribute(line + 13); attr = ldif_parse_attribute(line + 13);
free(role->notafter); if (attr != NULL) {
role->notafter = strdup(attr); free(role->notafter);
if (role->notafter == NULL) { role->notafter = strdup(attr);
sudo_fatalx(U_("%s: %s"), __func__, if (role->notafter == NULL) {
U_("unable to allocate memory")); sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
} }
} }
} }

2
plugins/sudoers/regress/cvtsudoers/test25.sh
View File

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Test LDAP base filtering. # Test LDIF base64 attribute parsing
# #
exec 2>&1 exec 2>&1

19
plugins/sudoers/regress/cvtsudoers/test26.out.ok
View File

@ -1,16 +1,3 @@
dn:: Y249ZGVmYXVsdHMsb3U9U1VET2Vyc8KpLGRjPXN1ZG8sZGM9d3M= cvtsudoers: ignoring invalid attribute value: bG9nX29@1dHB1dA==
objectClass: top cvtsudoers: ignoring invalid attribute value: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M=
objectClass: sudoRole cvtsudoers: ignoring invalid attribute value: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!==
cn: defaults
description: Default sudoOption's go here
sudoOption:: YmFkcGFzc19tZXNzYWdlPUJhZCBwYXNzd29yZMKh
dn:: Y249cm9vdCxvdT1TVURPZXJzwqksZGM9c3VkbyxkYz13cw==
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 1

38
plugins/sudoers/regress/cvtsudoers/test26.sh
View File

@ -1,11 +1,41 @@
#!/bin/sh #!/bin/sh
# #
# Test base64 encoding of non-safe strings # Test LDIF invalid base64 attribute parsing
# #
exec 2>&1 exec 2>&1
./cvtsudoers -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <<EOF ./cvtsudoers -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -I 10 -O 10 <<EOF
Defaults badpass_message="Bad password¡" # defaults, SUDOers, sudo.ws
dn:: Y249ZGVmYXVsdHMsb3U9U1VET2VycyxkYz1zdWRvLGRjPXdz
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption:: bG9nX29@1dHB1dA==
root ALL = ALL # root, SUDOers, sudo.ws
dn:: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M=
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 10
# %wheel, SUDOers, sudo.ws
dn:: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!==
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoHost: +sudo-hosts
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 10
EOF EOF

16
plugins/sudoers/regress/cvtsudoers/test27.out.ok Normal file
View File

@ -0,0 +1,16 @@
dn:: Y249ZGVmYXVsdHMsb3U9U1VET2Vyc8KpLGRjPXN1ZG8sZGM9d3M=
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption:: YmFkcGFzc19tZXNzYWdlPUJhZCBwYXNzd29yZMKh
dn:: Y249cm9vdCxvdT1TVURPZXJzwqksZGM9c3VkbyxkYz13cw==
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 1

11
plugins/sudoers/regress/cvtsudoers/test27.sh Executable file
View File

@ -0,0 +1,11 @@
#!/bin/sh
#
# Test base64 encoding of non-safe strings
#
exec 2>&1
./cvtsudoers -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <<EOF
Defaults badpass_message="Bad password¡"
root ALL = ALL
EOF