[Samba] [PATCH] Re: Samba 4.1.17 classic update w/LDAP - parsing error
abartlet at samba.org
Thu Sep 24 08:38:36 UTC 2015
On Thu, 2015-09-24 at 08:46 +0100, Rowland Penny wrote:
> It would seem that by allowing ',' & '=' in the 'CN' you are also
> to allow it in the 'sAMAccountName', where according to microsoft it
> isn't allowed.
Very interesting. It seems we have two bugs, because those checks
belong in the samldb layer, not in upgrade.py (except as a more helpful
wrapper). Sadly such checks are not currently preformed. Would you
like to make a patch?
Regardless we should not put user data directly into LDB DNs or filters
without escaping, here or anywhere else (and fixing it here helps set
the pattern for code copied elsewhere in Samba, which happens a lot).
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba