[Freeipa-devel] [freeipa PR#4014][opened] [Py3] Fix get_trusted_domain_object_from_sid()

Wed, 11 Dec 2019 02:37:31 -0800 

   URL: https://github.com/freeipa/freeipa/pull/4014
Author: tiran
 Title: #4014: [Py3] Fix get_trusted_domain_object_from_sid()
Action: opened

PR body:
"""
DomainValidator.get_trusted_domain_object_from_sid() was using
escape_filter_chars() with bytes. The function only works with text.
This caused idview to fail under some circumstances. Reimplement
backslash hex quoting for bytes.

Fixes: https://pagure.io/freeipa/issue/7958
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4014/head:pr4014
git checkout pr4014

From e0a6a6fff610275db55500d1d8c28172c6272459 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 11 Dec 2019 11:33:13 +0100
Subject: [PATCH] [Py3] Fix get_trusted_domain_object_from_sid()

DomainValidator.get_trusted_domain_object_from_sid() was using
escape_filter_chars() with bytes. The function only works with text.
This caused idview to fail under some circumstances. Reimplement
backslash hex quoting for bytes.

Fixes: https://pagure.io/freeipa/issue/7958
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/dcerpc.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 017522956a..4c9fa5281d 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -491,9 +491,9 @@ def get_trusted_domain_object_from_sid(self, sid):
         # If unsuccessful, search AD DC LDAP
         logger.debug("Searching AD DC LDAP")
 
-        escaped_sid = escape_filter_chars(
-            security.dom_sid(sid).__ndr_pack__(),
-            2  # 2 means every character needs to be escaped
+        # escape_filter_chars(sid_bytes, 2) but for bytes
+        escaped_sid = "".join(
+            "\\%02x" % b for b in ndr_pack(security.dom_sid(sid))
         )
 
         attrs = ['sAMAccountName']

_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org

Reply via email to