From 741f0183e6dda33b7458cc1e897c0a2397c07196 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20P=C3=A9pin?=
Date: Thu, 16 Mar 2017 22:43:43 +0000
Subject: [PATCH 1/7] Prevent ldap injections in autocompletion views

We only allow alphanumeric characters in the query in order to avoid injections
---
 gestioncof/autocomplete.py | 34 ++++++++++++++++++----------------
 kfet/autocomplete.py | 34 ++++++++++++++++++----------------
 2 files changed, 36 insertions(+), 32 deletions(-)

diff --git a/gestioncof/autocomplete.py b/gestioncof/autocomplete.py
index 1eae6920..65f62fab 100644
--- a/gestioncof/autocomplete.py
+++ b/gestioncof/autocomplete.py
@@ -56,22 +56,24 @@ def autocomplete(request):
 # Fetching data from the SPI
 if hasattr(settings, 'LDAP_SERVER_URL'):
 # Fetching
- ldap_query = '(|{:s})'.format(''.join(
- ['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(**{"bit": bit}) for bit in bits]
- ))
- with Connection(settings.LDAP_SERVER_URL) as conn:
- conn.search(
- 'dc=spi,dc=ens,dc=fr', ldap_query,
- attributes=['uid', 'cn']
- )
- queries['clippers'] = conn.entries
- # Clearing redundancies
- queries['clippers'] = [
- Clipper(clipper.uid, clipper.cn)
- for clipper in queries['clippers']
- if str(clipper.uid) not in usernames
- ]
+ ldap_query = '(|{:s})'.format(''.join([
+ '(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=bit)
+ for bit in bits if bit.isalnum()
+ ]))
+ if ldap_query != "(|)":
+ # If none of the bits were legal, we do not perform the query
+ with Connection(settings.LDAP_SERVER_URL) as conn:
+ conn.search(
+ 'dc=spi,dc=ens,dc=fr', ldap_query,
+ attributes=['uid', 'cn']
+ )
+ queries['clippers'] = conn.entries
+ # Clearing redundancies
+ queries['clippers'] = [
+ Clipper(clipper.uid, clipper.cn)
+ for clipper in queries['clippers']
+ if str(clipper.uid) not in usernames
+ ]
 # Resulting data
 data.update(queries)
diff --git a/kfet/autocomplete.py b/kfet/autocomplete.py
index 64fa52cf..3b5e0ab5 100644
--- a/kfet/autocomplete.py
+++ b/kfet/autocomplete.py
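Review bot: Filtering with `bit.isalnum()` at `for bit in bits if bit.isalnum()` does keep the RFC 4515 filter metacharacters `*`, `(`, `)`, `\` and NUL out of the string handed to conn.search, but it does so by silently discarding any word containing a hyphen, apostrophe or dot, so a search for `jean-pierre` now runs no LDAP query at all rather than returning no match. Escaping is the more conventional fix and keeps every word searchable: the code reads like ldap3 (context-manager `Connection`, `conn.search(..., attributes=...)`, `conn.entries`), and if that is the installed client, `ldap3.utils.conv.escape_filter_chars(bit)` can replace the allow-list, as in `'(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=escape_filter_chars(bit)) for bit in bits if bit`. If the allow-list is kept deliberately, the comment on the new `if` should state what it protects against rather than only why the query is skipped, e.g. `# isalnum() keeps the LDAP filter metacharacters *()\ and NUL out of the query; words containing them are dropped, not escaped`. Note also that `str.isalnum()` on Python 3 accepts non-ASCII letters such as `é`, which is harmless for the filter but means the restriction is not "ASCII alphanumeric" as the commit message might suggest. The enclosing autocomplete function starts before and ends after this hunk.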
@@ -75,22 +75,24 @@ def account_create(request):
 # Fetching data from the SPI
 if hasattr(settings, 'LDAP_SERVER_URL'):
 # Fetching
- ldap_query = '(|{:s})'.format(''.join(
- ['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word) for word in search_words]
- ))
- with Connection(settings.LDAP_SERVER_URL) as conn:
- conn.search(
- 'dc=spi,dc=ens,dc=fr', ldap_query,
- attributes=['uid', 'cn']
- )
- queries['clippers'] = conn.entries
- # Clearing redundancies
- queries['clippers'] = [
- Clipper(clipper.uid, clipper.cn)
- for clipper in queries['clippers']
- if str(clipper.uid) not in usernames
- ]
+ ldap_query = '(|{:s})'.format(''.join([
+ '(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word)
+ for word in search_words if word.isalnum()
+ ]))
+ if ldap_query != "(|)":
+ # If none of the bits were legal, we do not perform the query
+ with Connection(settings.LDAP_SERVER_URL) as conn:
+ conn.search(
+ 'dc=spi,dc=ens,dc=fr', ldap_query,
+ attributes=['uid', 'cn']
+ )
+ queries['clippers'] = conn.entries
+ # Clearing redundancies
+ queries['clippers'] = [
+ Clipper(clipper.uid, clipper.cn)
+ for clipper in queries['clippers']
+ if str(clipper.uid) not in usernames
+ ]
 # Resulting data
 data.update(queries)
From 55b67f38c8a4e61ddf7e51a4e851ed23e2a4204b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20P=C3=A9pin?=
Date: Thu, 16 Mar 2017 23:16:56 +0000
Subject: [PATCH 2/7] =?UTF-8?q?Notice=20the=20users=20about=20the=20=CE=B1?= =?UTF-8?q?-numeric=20restriction?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a help text above the two autocompletion inputs letting the users know that non-alphanumeric characters will not be used.
---
 gestioncof/static/css/cof.css | 9 ++++++++-
 gestioncof/templates/registration.html | 5 +++--
 kfet/static/kfet/css/index.css | 4 ++++
 kfet/templates/kfet/account_create.html | 1 +
 4 files changed, 16 insertions(+), 3 deletions(-)
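Review bot: The guard `if ldap_query != "(|)":` tests whether any word survived the allow-list by comparing against a sentinel string that must be kept in sync with the `'(|{:s})'` format on the line above, and this hunk repeats the gestioncof hunk line for line, so the injection defence now lives in two copies that can drift apart. Building the filtered list first states the intent and drops the sentinel: `legal_words = [w for w in search_words if w.isalnum()]` followed by `if legal_words:`, with the `'(|{:s})'.format(...)` expression built from `legal_words` inside the branch. A single shared helper that takes the search words, applies the sanitising and runs the search would keep that defence in one reviewed place for both views. As written the `(|)` comparison is correct, since an empty join yields exactly that string. The enclosing account_create function starts before and ends after this hunk.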
diff --git a/gestioncof/static/css/cof.css b/gestioncof/static/css/cof.css
index 269736d0..fda55d98 100644
--- a/gestioncof/static/css/cof.css
+++ b/gestioncof/static/css/cof.css
@@ -800,7 +800,7 @@ input#search_autocomplete {
 height: 40px;
 padding: 10px 8px;
 margin: 0 auto;
- margin-top: 20px;
+ margin-top: 0px;
 display: block;
 color: #aaa;
 }
@@ -1119,3 +1119,10 @@ div.messages div.alert-success div.container {
 div.messages div.alert div.container a {
 color: inherit;
 }
+
+/* Help text */
+
+p.help-block {
+ margin: 5px auto;
+ width: 90%;
+}
diff --git a/gestioncof/templates/registration.html b/gestioncof/templates/registration.html
index 769808de..d6914f64 100644
--- a/gestioncof/templates/registration.html
+++ b/gestioncof/templates/registration.html
@@ -9,7 +9,9 @@ {% block realcontent %}

Inscription d'un nouveau membre

- +

Les mots contentant des caractères non alphanumériques seront ignorés

+