authorArthur de Jong <arthur@arthurdejong.org>2019-09-08 21:51:09 +0200
committerArthur de Jong <arthur@arthurdejong.org>2019-09-08 22:52:30 +0200
commit0252b050cc2e8859bf53622561d42108f7e721e8 (patch)
treeaa3adde78fe1c4aa26f91c2bc1ee7cc8c42b1bcf
parentcd887ef577f3913d5919ee32f448b02cd5c614ad (diff)
Correctly validate shadow requests and responses
-rw-r--r--pynslcd/shadow.py13
1 files changed, 10 insertions, 3 deletions
diff --git a/pynslcd/shadow.py b/pynslcd/shadow.py
index 0f5441c..59e1af6 100644
--- a/pynslcd/shadow.py
+++ b/pynslcd/shadow.py
@@ -18,6 +18,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA
+import logging
+
import cache
import cfg
import common
@@ -112,8 +114,11 @@ class ShadowRequest(common.Request):
flag = 0
# return results
for name in names:
- yield (name, passwd, lastchangedate, mindays, maxdays, warndays,
- inactdays, expiredate, flag)
+ if not common.is_valid_name(name):
+ logging.warning('%s: %s: denied by validnames option', dn, attmap['uid'])
+ else:
+ yield (name, passwd, lastchangedate, mindays, maxdays, warndays,
+ inactdays, expiredate, flag)
class ShadowByNameRequest(ShadowRequest):
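Review bot: The warning added inside `for name in names:` records `dn` and `attmap['uid']` but not the value that was rejected, so when an entry carries several uid values the log does not show which one failed the validnames check. Consider `logging.warning('%s: %s: %r denied by validnames option', dn, attmap['uid'], name)`; `%r` keeps control characters in a directory-supplied name from being written raw into the log. The enclosing method starts outside the hunk and `dn` is not assigned in the visible lines, so confirm it is bound before this loop.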
@@ -121,7 +126,9 @@ class ShadowByNameRequest(ShadowRequest):
action = constants.NSLCD_ACTION_SHADOW_BYNAME
def read_parameters(self, fp):
- return dict(uid=fp.read_string())
+ name = fp.read_string()
+ common.validate_name(name)
+ return dict(uid=name)
class ShadowAllRequest(ShadowRequest):
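Review bot: In `read_parameters` the result of `common.validate_name(name)` is discarded, so the check only takes effect if that helper raises for a name that fails validnames; its definition is not part of this diff. A one-line comment such as `# validate_name() raises for names rejected by validnames, so an invalid name never leaves read_parameters` would make that contract explicit for the next reader. It is also worth confirming that the request dispatcher turns that exception into a clean failure for the client and a log entry, rather than an unhandled traceback. The class body continues outside the hunk.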