python-ldap fails gloriously if the search time limit is 0. Don't allow it.

Don't allow the time limit to be set in the API. Also add a failsafe in the ldap driver because such bad things happen if this value is 0. I think it literally spends 0 time on the request and just returns immediately.

ticket 752

rob
From fd797e0f65f904cfe95b99805b6c0edabae7bfdf Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Thu, 13 Jan 2011 13:08:52 -0500
Subject: [PATCH] python-ldap fails gloriously if the search time limit is 0. Don't allow it.

Don't allow the time limit to be set in the API. Also add a failsafe
in the ldap driver because such bad things happen if this value is 0.
I think it literally spends 0 time on the request and just returns
immediately.

ticket 752
---
 ipalib/plugins/config.py   |    8 +++++++-
 ipaserver/plugins/ldap2.py |    2 ++
 2 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index cabfd76..438f663 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -68,8 +68,14 @@ from ipalib import api
 from ipalib import Bool, Int, Str, IA5Str
 from ipalib.plugins.baseldap import *
 from ipalib import _
+from ipalib.errors import ValidationError
 
 
+def validate_searchtimelimit(ugettext, limit):
+    if limit == 0:
+        raise ValidationError(name='ipasearchtimelimit', error=_('searchtimelimit must be -1 or > 1.'))
+    return None
+
 class config(LDAPObject):
     """
     IPA configuration object
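
Review bot: The error text in validate_searchtimelimit says the value "must be -1 or > 1", but the only condition tested is `limit == 0`, so 1 is accepted although the message reads as if it were excluded, and values below -1 (for example -5) also pass. Suggest wording the message as "-1 or a positive number" and rejecting `limit < -1` in the same validator, so the accepted range and the message agree.
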
@@ -110,7 +116,7 @@ class config(LDAPObject):
             label=_('Default e-mail domain'),
             doc=_('Default e-mail domain new users'),
         ),
-        Int('ipasearchtimelimit?',
+        Int('ipasearchtimelimit?', validate_searchtimelimit,
             cli_name='searchtimelimit',
             label=_('Search time limit'),
             doc=_('Max. amount of time (sec.) for a search (-1 is unlimited)'),
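
Review bot: The doc string on the `ipasearchtimelimit?` parameter still reads "Max. amount of time (sec.) for a search (-1 is unlimited)" and does not tell the administrator that 0 is now refused. Since the validator is attached here, the help text should state the constraint too, for example by adding that 0 is not a valid value, so the rejection is not a surprise at the CLI.
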
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 063d602..4af83e2 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -535,6 +535,8 @@ class ldap2(CrudBackend, Encoder):
                 time_limit = config.get('ipasearchtimelimit', [-1])[0]
             if size_limit is None:
                 size_limit = config.get('ipasearchrecordslimit', [0])[0]
+        if time_limit == 0:
+            time_limit = -1
         if not isinstance(size_limit, int):
             size_limit = int(size_limit)
         if not isinstance(time_limit, float):
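
Review bot: The `if time_limit == 0` failsafe sits above the `isinstance` checks that normalise the types, so it only fires when the value is already numeric. The conversions right below exist because the value read via `config.get('ipasearchtimelimit', [-1])[0]` may not be a number yet, and a string such as '0' does not compare equal to 0 and would slip past the guard. Suggest moving the check to after time_limit has been converted. Separately, turning 0 into -1 silently makes a misconfigured entry mean "unlimited"; a log message at this point would make that substitution visible to whoever has to debug a slow search later.
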
-- 
1.7.3.4
