The Samba-Bugzilla – Attachment 14279 Details for
Bug 13374
[SECURITY] CVE-2018-1140 ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
reduce the 4.8 patchset to a smaller security subset
dns-ldb-input-validation-4-8-reviewed.patch (text/plain), 20.69 KB, created by
Douglas Bagnall
on 2018-07-05 04:45:31 UTC
(
hide
)
Description:
reduce the 4.8 patchset to a smaller security subset
Filename:
MIME Type:
Creator:
Douglas Bagnall
Created:
2018-07-05 04:45:31 UTC
Size:
20.69 KB
patch
obsolete
>From 838ce8e7aac37d40c3d0c655d1199f1669403636 Mon Sep 17 00:00:00 2001 >From: Kai Blin <kai@samba.org> >Date: Fri, 8 Jun 2018 18:20:16 +0200 >Subject: [PATCH 1/6] CVE-2018-1140 dns: Add a test to trigger the LDB > casefolding issue on invalid chars > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466 > >Signed-off-by: Kai Blin <kai@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > python/samba/tests/dns_invalid.py | 87 +++++++++++++++++++++++++++++++ > selftest/knownfail.d/dns | 3 ++ > source4/selftest/tests.py | 3 ++ > 3 files changed, 93 insertions(+) > create mode 100644 python/samba/tests/dns_invalid.py > >diff --git a/python/samba/tests/dns_invalid.py b/python/samba/tests/dns_invalid.py >new file mode 100644 >index 00000000000..9f87cd56084 >--- /dev/null >+++ b/python/samba/tests/dns_invalid.py >@@ -0,0 +1,87 @@ >+# Unix SMB/CIFS implementation. >+# Copyright (C) Kai Blin <kai@samba.org> 2018 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import os >+import sys >+import struct >+import random >+import socket >+import samba.ndr as ndr >+from samba import credentials, param >+from samba.dcerpc import dns, dnsp, dnsserver >+from samba.netcmd.dns import TXTRecord, dns_record_match, data_to_dns_record >+from samba.tests.subunitrun import SubunitOptions, TestProgram >+from samba import werror, WERRORError >+from samba.tests.dns_base import DNSTest >+import samba.getopt as options >+import optparse >+ >+parser = optparse.OptionParser("dns_invalid.py <server ip> [options]") >+sambaopts = options.SambaOptions(parser) >+parser.add_option_group(sambaopts) >+ >+# This timeout only has relevance when testing against Windows >+# Format errors tend to return patchy responses, so a timeout is needed. >+parser.add_option("--timeout", type="int", dest="timeout", >+ help="Specify timeout for DNS requests") >+ >+# use command line creds if available >+credopts = options.CredentialsOptions(parser) >+parser.add_option_group(credopts) >+subunitopts = SubunitOptions(parser) >+parser.add_option_group(subunitopts) >+ >+opts, args = parser.parse_args() >+ >+lp = sambaopts.get_loadparm() >+creds = credopts.get_credentials(lp) >+ >+timeout = opts.timeout >+ >+if len(args) < 1: >+ parser.print_usage() >+ sys.exit(1) >+ >+server_ip = args[0] >+creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE) >+ >+ >+class TestBrokenQueries(DNSTest): >+ def setUp(self): >+ super(TestBrokenQueries, self).setUp() >+ global server, server_ip, lp, creds, timeout >+ self.server_ip = server_ip >+ self.lp = lp >+ self.creds = creds >+ self.timeout = timeout >+ >+ def test_invalid_chars_in_name(self): >+ """Check the server refuses invalid characters in the query name""" >+ p = self.make_name_packet(dns.DNS_OPCODE_QUERY) >+ questions = [] >+ >+ name = "\x10\x11\x05\xa8.%s" % self.get_dns_domain() >+ q = self.make_name_question(name, dns.DNS_QTYPE_A, dns.DNS_QCLASS_IN) >+ print "asking for ", q.name >+ questions.append(q) >+ >+ self.finish_name_packet(p, questions) >+ (response, response_packet) = self.dns_transaction_udp(p, host=server_ip) >+ self.assert_dns_rcode_equals(response, dns.DNS_RCODE_NXDOMAIN) >+ >+ >+TestProgram(module=__name__, opts=subunitopts) >diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns >index cb3003240ea..140ded24fa0 100644 >--- a/selftest/knownfail.d/dns >+++ b/selftest/knownfail.d/dns >@@ -45,3 +45,6 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\) > > # The SOA override should not pass against the RODC, it must not overstamp > samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\) >+ >+# This still needs to be fixed in LDB >+samba.tests.dns_invalid.__main__.TestBrokenQueries.test_invalid_chars_in_name\(ad_dc:local\) >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 226617f3b6a..f59c8041401 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -376,6 +376,9 @@ plantestsuite_loadlist("samba.tests.dns_forwarder", "fl2003dc:local", [python, o > > plantestsuite_loadlist("samba.tests.dns_tkey", "fl2008r2dc", [python, os.path.join(srcdir(), "python/samba/tests/dns_tkey.py"), '$SERVER', '$SERVER_IP', '--machine-pass', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) > plantestsuite_loadlist("samba.tests.dns_wildcard", "ad_dc", [python, os.path.join(srcdir(), "python/samba/tests/dns_wildcard.py"), '$SERVER', '$SERVER_IP', '--machine-pass', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) >+ >+plantestsuite_loadlist("samba.tests.dns_invalid", "ad_dc", [python, os.path.join(srcdir(), "python/samba/tests/dns_invalid.py"), '$SERVER_IP', '--machine-pass', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) >+ > for t in smbtorture4_testsuites("dns_internal."): > plansmbtorture4testsuite(t, "ad_dc_ntvfs:local", '//$SERVER/whavever') > >-- >2.17.1 > > >From 06a4ee6d24406008c734d55ad1bd69c931ba353a Mon Sep 17 00:00:00 2001 >From: Andrej Gessel <Andrej.Gessel@janztec.com> >Date: Fri, 6 Apr 2018 18:18:33 +0200 >Subject: [PATCH 2/6] CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in > ltdb_index_dn_attr() > >Signed-off-by: Andrej Gessel <Andrej.Gessel@janztec.com> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374 >--- > lib/ldb/ldb_tdb/ldb_index.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c >index 40baeea5c2b..682469396ce 100644 >--- a/lib/ldb/ldb_tdb/ldb_index.c >+++ b/lib/ldb/ldb_tdb/ldb_index.c >@@ -1405,6 +1405,15 @@ static int ltdb_index_dn_attr(struct ldb_module *module, > > /* work out the index key from the parent DN */ > val.data = (uint8_t *)((uintptr_t)ldb_dn_get_casefold(dn)); >+ if (val.data == NULL) { >+ const char *dn_str = ldb_dn_get_linearized(dn); >+ ldb_asprintf_errstring(ldb_module_get_ctx(module), >+ __location__ >+ ": Failed to get casefold DN " >+ "from: %s", >+ dn_str); >+ return LDB_ERR_OPERATIONS_ERROR; >+ } > val.length = strlen((char *)val.data); > key = ltdb_index_key(ldb, ltdb, attr, &val, NULL); > if (!key) { >-- >2.17.1 > > >From 2c93a8733cbeca1186b5472facf6db70bf31edb5 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 21 May 2018 14:50:50 +1200 >Subject: [PATCH 3/6] CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() > failure in ldb_sqlite > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374 >--- > lib/ldb/ldb_sqlite3/ldb_sqlite3.c | 3 +++ > 1 file changed, 3 insertions(+) > >diff --git a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c >index f94dc993904..0f5abf87547 100644 >--- a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c >+++ b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c >@@ -323,6 +323,9 @@ static char *parsetree_to_sql(struct ldb_module *module, > const char *cdn = ldb_dn_get_casefold( > ldb_dn_new(mem_ctx, ldb, > (const char *)value.data)); >+ if (cdn == NULL) { >+ return NULL; >+ } > > return lsqlite3_tprintf(mem_ctx, > "SELECT eid FROM ldb_entry " >-- >2.17.1 > > >From e3368a87da6de3925a074f6c6fc9371707426110 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 21 May 2018 15:20:26 +1200 >Subject: [PATCH 4/6] CVE-2018-1140 ldb_tdb: Ensure the dn in > distinguishedName= is valid before use > >ldb_dn_from_ldb_val() does not validate this untrusted input, so a later >call to ldb_dn_get_casefold() can fail if the input is not valid. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374 >--- > lib/ldb/ldb_tdb/ldb_index.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c >index 682469396ce..429c8f5aa24 100644 >--- a/lib/ldb/ldb_tdb/ldb_index.c >+++ b/lib/ldb/ldb_tdb/ldb_index.c >@@ -970,6 +970,7 @@ static int ltdb_index_dn_leaf(struct ldb_module *module, > return LDB_SUCCESS; > } > if (ldb_attr_dn(tree->u.equality.attr) == 0) { >+ bool valid_dn = false; > struct ldb_dn *dn > = ldb_dn_from_ldb_val(list, > ldb_module_get_ctx(module), >@@ -981,6 +982,14 @@ static int ltdb_index_dn_leaf(struct ldb_module *module, > return LDB_SUCCESS; > } > >+ valid_dn = ldb_dn_validate(dn); >+ if (valid_dn == false) { >+ /* If we can't parse it, no match */ >+ list->dn = NULL; >+ list->count = 0; >+ return LDB_SUCCESS; >+ } >+ > /* > * Re-use the same code we use for a SCOPE_BASE > * search >-- >2.17.1 > > >From 76c11ee2bd092affa5b3864b31168e592c09e4a0 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 21 May 2018 15:23:53 +1200 >Subject: [PATCH 5/6] CVE-2018-1140 ldb_tdb: Check for DN validity in add, > rename and search > >This ensures we fail with a good error code before an eventual ldb_dn_get_casefold() which >would otherwise fail. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374 >--- > lib/ldb/ldb_tdb/ldb_search.c | 16 ++++++++++++++++ > lib/ldb/ldb_tdb/ldb_tdb.c | 27 ++++++++++++++++++++++++++- > 2 files changed, 42 insertions(+), 1 deletion(-) > >diff --git a/lib/ldb/ldb_tdb/ldb_search.c b/lib/ldb/ldb_tdb/ldb_search.c >index 02890862cf7..d14be0febd4 100644 >--- a/lib/ldb/ldb_tdb/ldb_search.c >+++ b/lib/ldb/ldb_tdb/ldb_search.c >@@ -295,6 +295,14 @@ int ltdb_search_dn1(struct ldb_module *module, struct ldb_dn *dn, struct ldb_mes > }; > TALLOC_CTX *tdb_key_ctx = NULL; > >+ bool valid_dn = ldb_dn_validate(dn); >+ if (valid_dn == false) { >+ ldb_asprintf_errstring(ldb_module_get_ctx(module), >+ "Invalid Base DN: %s", >+ ldb_dn_get_linearized(dn)); >+ return LDB_ERR_INVALID_DN_SYNTAX; >+ } >+ > if (ltdb->cache->GUID_index_attribute == NULL) { > tdb_key_ctx = talloc_new(msg); > if (!tdb_key_ctx) { >@@ -803,6 +811,14 @@ int ltdb_search(struct ltdb_context *ctx) > ldb_dn_get_linearized(req->op.search.base)); > } > >+ } else if (ldb_dn_validate(req->op.search.base) == false) { >+ >+ /* We don't want invalid base DNs here */ >+ ldb_asprintf_errstring(ldb, >+ "Invalid Base DN: %s", >+ ldb_dn_get_linearized(req->op.search.base)); >+ ret = LDB_ERR_INVALID_DN_SYNTAX; >+ > } else { > /* If we are not checking the base DN life is easy */ > ret = LDB_SUCCESS; >diff --git a/lib/ldb/ldb_tdb/ldb_tdb.c b/lib/ldb/ldb_tdb/ldb_tdb.c >index 701427609e9..c7bf865de58 100644 >--- a/lib/ldb/ldb_tdb/ldb_tdb.c >+++ b/lib/ldb/ldb_tdb/ldb_tdb.c >@@ -515,6 +515,16 @@ static int ltdb_add_internal(struct ldb_module *module, > struct ldb_context *ldb = ldb_module_get_ctx(module); > int ret = LDB_SUCCESS; > unsigned int i; >+ bool valid_dn = false; >+ >+ /* Check the new DN is reasonable */ >+ valid_dn = ldb_dn_validate(msg->dn); >+ if (valid_dn == false) { >+ ldb_asprintf_errstring(ldb_module_get_ctx(module), >+ "Invalid DN in ADD: %s", >+ ldb_dn_get_linearized(msg->dn)); >+ return LDB_ERR_INVALID_DN_SYNTAX; >+ } > > for (i=0;i<msg->num_elements;i++) { > struct ldb_message_element *el = &msg->elements[i]; >@@ -1292,6 +1302,7 @@ static int ltdb_rename(struct ltdb_context *ctx) > int ret = LDB_SUCCESS; > TDB_DATA tdb_key, tdb_key_old; > struct ldb_dn *db_dn; >+ bool valid_dn = false; > > ldb_request_set_state(req, LDB_ASYNC_PENDING); > >@@ -1304,10 +1315,24 @@ static int ltdb_rename(struct ltdb_context *ctx) > return LDB_ERR_OPERATIONS_ERROR; > } > >+ /* Check the new DN is reasonable */ >+ valid_dn = ldb_dn_validate(req->op.rename.newdn); >+ if (valid_dn == false) { >+ ldb_asprintf_errstring(ldb_module_get_ctx(module), >+ "Invalid New DN: %s", >+ ldb_dn_get_linearized(req->op.rename.newdn)); >+ return LDB_ERR_INVALID_DN_SYNTAX; >+ } >+ > /* we need to fetch the old record to re-add under the new name */ > ret = ltdb_search_dn1(module, req->op.rename.olddn, msg, > LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC); >- if (ret != LDB_SUCCESS) { >+ if (ret == LDB_ERR_INVALID_DN_SYNTAX) { >+ ldb_asprintf_errstring(ldb_module_get_ctx(module), >+ "Invalid Old DN: %s", >+ ldb_dn_get_linearized(req->op.rename.newdn)); >+ return ret; >+ } else if (ret != LDB_SUCCESS) { > /* not finding the old record is an error */ > return ret; > } >-- >2.17.1 > > >From 439a73f7f8272fc6322b30afd9f44446ac01726e Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 21 May 2018 15:25:58 +1200 >Subject: [PATCH 6/6] CVE-2018-1140 ldb: Add tests for search add and rename > with a bad dn= DN > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374 >--- > lib/ldb/tests/python/api.py | 156 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 156 insertions(+) > >diff --git a/lib/ldb/tests/python/api.py b/lib/ldb/tests/python/api.py >index a62b241444b..48fac887f1c 100755 >--- a/lib/ldb/tests/python/api.py >+++ b/lib/ldb/tests/python/api.py >@@ -401,6 +401,19 @@ class SimpleLdb(LdbBaseTest): > finally: > l.delete(ldb.Dn(l, "dc=bar")) > >+ def test_rename_bad_string_dns(self): >+ l = ldb.Ldb(self.url(), flags=self.flags()) >+ m = ldb.Message() >+ m.dn = ldb.Dn(l, "dc=foo8") >+ m["bla"] = b"bla" >+ m["objectUUID"] = b"0123456789abcdef" >+ self.assertEqual(len(l.search()), 0) >+ l.add(m) >+ self.assertEqual(len(l.search()), 1) >+ self.assertRaises(ldb.LdbError,lambda: l.rename("dcXfoo8", "dc=bar")) >+ self.assertRaises(ldb.LdbError,lambda: l.rename("dc=foo8", "dcXbar")) >+ l.delete(ldb.Dn(l, "dc=foo8")) >+ > def test_empty_dn(self): > l = ldb.Ldb(self.url(), flags=self.flags()) > self.assertEqual(0, len(l.search())) >@@ -1143,6 +1156,110 @@ class SearchTests(LdbBaseTest): > # At some point we should fix this, but it isn't trivial > self.assertEqual(len(res11), 1) > >+ def test_distinguishedName_filter_one(self): >+ """Testing that a distinguishedName= filter succeeds >+ when the scope is SCOPE_ONELEVEL. >+ >+ This should be made more consistent, but for now lock in >+ the behaviour >+ >+ """ >+ >+ res11 = self.l.search(base="DC=SAMBA,DC=ORG", >+ scope=ldb.SCOPE_ONELEVEL, >+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)") >+ self.assertEqual(len(res11), 1) >+ >+ def test_distinguishedName_filter_subtree(self): >+ """Testing that a distinguishedName= filter succeeds >+ when the scope is SCOPE_SUBTREE""" >+ >+ res11 = self.l.search(base="DC=SAMBA,DC=ORG", >+ scope=ldb.SCOPE_SUBTREE, >+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)") >+ self.assertEqual(len(res11), 1) >+ >+ def test_distinguishedName_filter_base(self): >+ """Testing that (incorrectly) a distinguishedName= filter works >+ when the scope is SCOPE_BASE""" >+ >+ res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG", >+ scope=ldb.SCOPE_BASE, >+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)") >+ >+ # At some point we should fix this, but it isn't trivial >+ self.assertEqual(len(res11), 1) >+ >+ def test_bad_dn_filter_base(self): >+ """Testing that a dn= filter on an invalid DN works >+ when the scope is SCOPE_BASE but >+ returns zero results""" >+ >+ res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG", >+ scope=ldb.SCOPE_BASE, >+ expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)") >+ >+ # At some point we should fix this, but it isn't trivial >+ self.assertEqual(len(res11), 0) >+ >+ >+ def test_bad_dn_filter_one(self): >+ """Testing that a dn= filter succeeds but returns zero >+ results when the DN is not valid on a SCOPE_ONELEVEL search >+ >+ """ >+ >+ res11 = self.l.search(base="DC=SAMBA,DC=ORG", >+ scope=ldb.SCOPE_ONELEVEL, >+ expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)") >+ self.assertEqual(len(res11), 0) >+ >+ def test_bad_dn_filter_subtree(self): >+ """Testing that a dn= filter succeeds but returns zero >+ results when the DN is not valid on a SCOPE_SUBTREE search >+ >+ """ >+ >+ res11 = self.l.search(base="DC=SAMBA,DC=ORG", >+ scope=ldb.SCOPE_SUBTREE, >+ expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)") >+ self.assertEqual(len(res11), 0) >+ >+ def test_bad_distinguishedName_filter_base(self): >+ """Testing that a distinguishedName= filter on an invalid DN works >+ when the scope is SCOPE_BASE but >+ returns zero results""" >+ >+ res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG", >+ scope=ldb.SCOPE_BASE, >+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)") >+ >+ # At some point we should fix this, but it isn't trivial >+ self.assertEqual(len(res11), 0) >+ >+ >+ def test_bad_distinguishedName_filter_one(self): >+ """Testing that a distinguishedName= filter succeeds but returns zero >+ results when the DN is not valid on a SCOPE_ONELEVEL search >+ >+ """ >+ >+ res11 = self.l.search(base="DC=SAMBA,DC=ORG", >+ scope=ldb.SCOPE_ONELEVEL, >+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)") >+ self.assertEqual(len(res11), 0) >+ >+ def test_bad_distinguishedName_filter_subtree(self): >+ """Testing that a distinguishedName= filter succeeds but returns zero >+ results when the DN is not valid on a SCOPE_SUBTREE search >+ >+ """ >+ >+ res11 = self.l.search(base="DC=SAMBA,DC=ORG", >+ scope=ldb.SCOPE_SUBTREE, >+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)") >+ self.assertEqual(len(res11), 0) >+ > > class IndexedSearchTests(SearchTests): > """Test searches using the index, to ensure the index doesn't >@@ -1291,6 +1408,17 @@ class AddModifyTests(LdbBaseTest): > enum = err.args[0] > self.assertEqual(enum, ldb.ERR_ENTRY_ALREADY_EXISTS) > >+ def test_add_bad(self): >+ try: >+ self.l.add({"dn": "BAD,DC=SAMBA,DC=ORG", >+ "name": b"Admins", >+ "x": "z", "y": "a", >+ "objectUUID": b"0123456789abcde1"}) >+ self.fail("Should have failed adding entry with invalid DN") >+ except ldb.LdbError as err: >+ enum = err.args[0] >+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX) >+ > def test_add_del_add(self): > self.l.add({"dn": "OU=DUP,DC=SAMBA,DC=ORG", > "name": b"Admins", >@@ -1372,6 +1500,34 @@ class AddModifyTests(LdbBaseTest): > enum = err.args[0] > self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT) > >+ def test_move_bad(self): >+ self.l.add({"dn": "OU=DUP2,DC=SAMBA,DC=ORG", >+ "name": b"Admins", >+ "x": "z", "y": "a", >+ "objectUUID": b"0123456789abcde2"}) >+ >+ try: >+ self.l.rename("OUXDUP,DC=SAMBA,DC=ORG", >+ "OU=DUP2,DC=SAMBA,DC=ORG") >+ self.fail("Should have failed on invalid DN") >+ except ldb.LdbError as err: >+ enum = err.args[0] >+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX) >+ >+ def test_move_bad2(self): >+ self.l.add({"dn": "OU=DUP2,DC=SAMBA,DC=ORG", >+ "name": b"Admins", >+ "x": "z", "y": "a", >+ "objectUUID": b"0123456789abcde2"}) >+ >+ try: >+ self.l.rename("OU=DUP,DC=SAMBA,DC=ORG", >+ "OUXDUP2,DC=SAMBA,DC=ORG") >+ self.fail("Should have failed on missing") >+ except ldb.LdbError as err: >+ enum = err.args[0] >+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX) >+ > def test_move_fail_move_add(self): > self.l.add({"dn": "OU=DUP,DC=SAMBA,DC=ORG", > "name": b"Admins", >-- >2.17.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 13374
:
14113
|
14206
|
14207
|
14208
|
14267
|
14270
|
14271
|
14272
|
14273
|
14274
|
14275
|
14276
|
14278
|
14279
|
14282
|
14283
|
14289
|
14290
|
14295
|
14296
|
14297
|
14316
|
14317
|
14418
|
14419