From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 9 Jan 2013 22:30:38 +0000 (+1100)
Subject: dsdb: Add test for modification of two attributes, one permitted, one denied (bug... 
X-Git-Tag: ldb-1.1.15~153
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=065c0ec16259f8d57baec5dfe4e6eb9bdea0002a;p=thirdparty%2Fsamba.git

dsdb: Add test for modification of two attributes, one permitted, one denied (bug #9554 - CVE-2013-0172)

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 8bafe0871526cd5d5e7fdbe123ab661379f64cb1)

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 15 14:03:47 CET 2013 on sn-devel-104
---

diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index 94bc504804f..ecda3c5db61 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -382,6 +382,21 @@ dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
 changetype: modify
 replace: url
 url: www.samba.org"""
+        try:
+            self.ldb_user.modify_ldif(ldif)
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+        else:
+            # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
+            self.fail()
+        # Modify on attribute you do not have rights for granted while also modifying something you do have rights for
+        ldif = """
+dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """
+changetype: modify
+replace: url
+url: www.samba.org
+replace: displayName
+displayName: test_changed"""
         try:
             self.ldb_user.modify_ldif(ldif)
         except LdbError, (num, _):