From: Andrew Bartlett <abartlet@samba.org>
Date: Sun, 6 Aug 2023 23:56:56 +0000 (+1200)
Subject: CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync... 
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=92a4df11b2dd696f5ba1c283602a6b3435d082ea;p=thirdparty%2Fsamba.git

CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
new file mode 100644
index 00000000000..9367f92e109
--- /dev/null
+++ b/selftest/knownfail.d/dirsync
@@ -0,0 +1 @@
+^samba4.ldap.dirsync.python\(.*\).__main__.SimpleDirsyncTests.test_dirsync_unicodePwd
\ No newline at end of file
diff --git a/source4/dsdb/tests/python/dirsync.py b/source4/dsdb/tests/python/dirsync.py
index e06b85bc749..2cacaf01251 100755
--- a/source4/dsdb/tests/python/dirsync.py
+++ b/source4/dsdb/tests/python/dirsync.py
@@ -742,6 +742,18 @@ class SimpleDirsyncTests(DirsyncBaseTests):
         self.assertEqual(guid2, guid)
         self.assertEqual(str(res[0].dn), "")
 
+    def test_dirsync_unicodePwd(self):
+        res = self.ldb_admin.search(self.base_dn,
+                                    attrs=["unicodePwd", "supplementalCredentials", "samAccountName"],
+                                    expression="(samAccountName=krbtgt)",
+                                    controls=["dirsync:1:0:0"])
+
+        self.assertTrue(len(res) == 1)
+        # This form ensures this is a case insensitive comparison
+        self.assertTrue("samAccountName" in res[0])
+        self.assertTrue(res[0].get("samAccountName"))
+        self.assertTrue(res[0].get("unicodePwd") is None)
+        self.assertTrue(res[0].get("supplementalCredentials") is None)
 
 if not getattr(opts, "listtests", False):
     lp = sambaopts.get_loadparm()