authorAndrew Bartlett <abartlet@samba.org>2019-10-15 16:28:46 +1300
committerKarolin Seeger <kseeger@samba.org>2019-10-24 11:45:18 +0200
commit6957ec76a5a9bd31f487192752468f99146b3a61 (patch)
tree4eb2d22d4a53aaa523bb5c1e67388224a2dbd025
parentda8f00d1be85002d0c8e05573035f65398b4a894 (diff)
CVE-2019-14847 dsdb: Demonstrate the correct interaction of ranged_results style attributes and dirsync
Incremental results are provided by a flag on the dirsync control, not by changing the attribute name. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--selftest/knownfail.d/dirsync1
-rwxr-xr-xsource4/dsdb/tests/python/dirsync.py26
2 files changed, 27 insertions, 0 deletions
diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
new file mode 100644
index 00000000000..bc49fe0d9bb
--- /dev/null
+++ b/selftest/knownfail.d/dirsync
@@ -0,0 +1 @@
+^samba4.ldap.dirsync.python\(ad_dc_ntvfs\).__main__.ExtendedDirsyncTests.test_dirsync_linkedattributes_range\(
\ No newline at end of file
diff --git a/source4/dsdb/tests/python/dirsync.py b/source4/dsdb/tests/python/dirsync.py
index c6a1df5ea43..e177bfbbfdc 100755
--- a/source4/dsdb/tests/python/dirsync.py
+++ b/source4/dsdb/tests/python/dirsync.py
@@ -28,6 +28,7 @@ from samba.tests.subunitrun import TestProgram, SubunitOptions
import samba.getopt as options
import base64
+import ldb
from ldb import LdbError, SCOPE_BASE
from ldb import Message, MessageElement, Dn
from ldb import FLAG_MOD_ADD, FLAG_MOD_DELETE
@@ -588,6 +589,31 @@ class SimpleDirsyncTests(DirsyncBaseTests):
class ExtendedDirsyncTests(SimpleDirsyncTests):
+ def test_dirsync_linkedattributes_range(self):
+ self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
+ res = self.ldb_admin.search(self.base_dn,
+ attrs=["member;range=1-1"],
+ expression="(name=Administrators)",
+ controls=["dirsync:1:0:0"])
+
+ self.assertTrue(len(res) > 0)
+ self.assertTrue(res[0].get("member;range=1-1") is None)
+ self.assertTrue(res[0].get("member") is not None)
+ self.assertTrue(len(res[0].get("member")) > 0)
+
+ def test_dirsync_linkedattributes_range_user(self):
+ self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
+ try:
+ res = self.ldb_simple.search(self.base_dn,
+ attrs=["member;range=1-1"],
+ expression="(name=Administrators)",
+ controls=["dirsync:1:0:0"])
+ except LdbError as e:
+ (num, _) = e.args
+ self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ else:
+ self.fail()
+
def test_dirsync_linkedattributes(self):
flag_incr_linked = 2147483648
self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
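Review bot: In `test_dirsync_linkedattributes_range_user` the `else:` branch calls `self.fail()` with no message, so if the ranged dirsync search ever succeeds for the unprivileged connection, the report will not say which access check regressed; `self.fail("dirsync search for member;range=1-1 succeeded for simple_user")` would. The same test uses the deprecated alias `assertEquals`, where `self.assertEqual(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS)` is the supported spelling. In `test_dirsync_linkedattributes_range` the first added line opens `self.ldb_simple`, but the search runs on `self.ldb_admin`, so that connection looks unused there and can be dropped. Both new tests would also benefit from a one-line docstring stating what is being pinned: that a `;range=` attribute name under the dirsync control must return plain `member` for the admin, and must be refused for a user without the replication right.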