From: Andrew Bartlett Date: Tue, 30 Jun 2009 00:19:19 +0000 (+1000) Subject: s4:dsdb Explain the parsing steps for userPrincipalName cracknames calls X-Git-Tag: talloc-2.0.0~868 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=db89b42c3b813fd4ae059f9cc51291eaf5356602;p=thirdparty%2Fsamba.git s4:dsdb Explain the parsing steps for userPrincipalName cracknames calls
---
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index d31311bd1dc..119dd92355f 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -560,6 +560,7 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 return WERR_NOMEM;
 }
+ /* Ensure we reject compleate junk first */
 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
 if (ret) {
 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
@@ -568,6 +569,7 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 domain_filter = NULL;
+ /* By getting the unparsed name here, we ensure the escaping is correct (and trust the client less) */
 ret = krb5_unparse_name(smb_krb5_context->krb5_context, principal, &unparsed_name);
 if (ret) {
 krb5_free_principal(smb_krb5_context->krb5_context, principal);
@@ -575,6 +577,8 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 }
 krb5_free_principal(smb_krb5_context->krb5_context, principal);
+
+ /* The ldb_binary_encode_string() here avoid LDAP filter injection attacks */
 result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(userPrincipalName=%s))", ldb_binary_encode_string(mem_ctx, unparsed_name));
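Review bot: The comment added before krb5_parse_name() in the first hunk misspells "complete" and does not say what "junk" means here; the call is a syntax check of the client-supplied name, and the visible failure path maps a parse error onto DRSUAPI_DS_NAME_STATUS_NOT_FOUND, so a reader should be told that malformed input is deliberately reported the same way as a missing user. Suggest `/* Reject anything that does not even parse as a Kerberos principal before it gets anywhere near an LDAP filter; a parse failure is reported as NOT_FOUND */`. DsCrackNameOneName() begins before this hunk, so what `name` has already been validated against is not visible from here.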
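Review bot: The comment added before krb5_unparse_name() in the second hunk says "the escaping is correct" without saying which escaping, and a later reader may take it to mean LDAP filter escaping; what the parse/unparse round-trip actually gives is libkrb5's canonical serialisation of the principal (its own backslash escapes), while filter-metacharacter escaping is done separately by ldb_binary_encode_string() where the filter is built. Suggest `/* Look up libkrb5's re-serialised form of the principal rather than the client's raw bytes, so the userPrincipalName we search for carries krb5's canonical escaping; LDAP filter escaping is applied separately when the filter is built */`. The error path shown frees the principal before returning, which is correct; the rest of the function, including what happens to unparsed_name on later exits, lies outside this hunk.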