Skip to content

Issue 6367 - RFE support of Session Tracking Control internet draft#6403

Merged
tbordaz merged 1 commit into
389ds:mainfrom
tbordaz:issue_6367
Nov 29, 2024
Merged

Issue 6367 - RFE support of Session Tracking Control internet draft#6403
tbordaz merged 1 commit into
389ds:mainfrom
tbordaz:issue_6367

Conversation

@tbordaz
Copy link
Copy Markdown
Contributor

@tbordaz tbordaz commented Nov 13, 2024

Bug description:
This RFE is to support https://datatracker.ietf.org/doc/html/draft-wahl-ldap-session-03
In short, it allows a client to send strings in a control.
Those strings are added to the operation result logged in the
access logs.
Those strings are meaningful for the client (debug,
kmonitoring,...).

Fix description:
The design is https://www.port389.org/docs/389ds/design/session-identifier-in-logs.html

fixes: #6367

Reviewed by:

@Firstyear
Copy link
Copy Markdown
Contributor

Firstyear commented Nov 13, 2024

This is potentially an RCE due to ascii control characters when viewed by an admin.

@tbordaz
Copy link
Copy Markdown
Contributor Author

tbordaz commented Nov 13, 2024

Thank @Firstyear for the rapid review. I assume RCE means remote code execution. I agree that taking client data requires careful checking. This data is ascii printable, less than 64K long. It is truncated to 15 first chars that are print in the log. Those chars (15bytes) are stored in the pblock. How can it be a RCE ?

@progier389
Copy link
Copy Markdown
Contributor

progier389 commented Nov 13, 2024
edited
Loading

Not sure if it is really a RCE but anyway I think that @Firstyear concern is valid:
Logging directly the tag could be tricky for admin reading or running script on the log files and generates problems.
We should better escape the tag when logging it in access log to avoid bad surprise.

progier389
progier389 reviewed Nov 13, 2024
View reviewed changes
Comment thread ldap/servers/slapd/result.c Outdated
progier389
progier389 reviewed Nov 13, 2024
View reviewed changes
Comment thread ldap/servers/slapd/control.c Outdated
progier389
progier389 reviewed Nov 13, 2024
View reviewed changes
Comment thread ldap/servers/slapd/control.c
@Firstyear
Copy link
Copy Markdown
Contributor

Firstyear commented Nov 13, 2024

@tbordaz ascii control characters - there is a method of adding them into a log such than an admin who views the log will trigger code to exec in their shell.

You need to filter our ascii control chars is generally the easiest fix.

progier389
progier389 reviewed Nov 15, 2024
View reviewed changes
Comment thread dirsrvtests/tests/suites/session_tracking/session_test.py
progier389
progier389 reviewed Nov 15, 2024
View reviewed changes
Comment thread ldap/servers/slapd/control.c
@tbordaz tbordaz force-pushed the issue_6367 branch 2 times, most recently from 8f04829 to 07aaac9 Compare November 18, 2024 14:20
@progier389
Copy link
Copy Markdown
Contributor

progier389 commented Nov 29, 2024

Looks good except a few minor points:
code simplification (ber parsing and redundant size testing)
and more importantly an error message that IMHO should be changed

progier389
progier389 reviewed Nov 29, 2024
View reviewed changes
Comment thread ldap/servers/slapd/control.c Outdated
Comment thread ldap/servers/slapd/control.c Outdated
Comment thread ldap/servers/slapd/abandon.c
@tbordaz
Issue 6367 - RFE support of Session Tracking Control internet draft
84ca0dc 
Bug description:
	This RFE is to support https://datatracker.ietf.org/doc/html/draft-wahl-ldap-session-03
	In short, it allows a client to send strings in a control.
	Those strings are added to the operation result logged in the
	access logs.
	Those strings are meaningful for the client (debug,
	kmonitoring,...).

Fix description:
	The design is https://www.port389.org/docs/389ds/design/session-identifier-in-logs.html

fixes: 389ds#6367

Reviewed by: William Brown, Pierre Rogier (Thanks !!!)
progier389
progier389 approved these changes Nov 29, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@progier389 progier389 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tbordaz tbordaz merged commit fd62700 into 389ds:main Nov 29, 2024
tbordaz added a commit that referenced this pull request Feb 11, 2025
@tbordaz
Issue 6367 - RFE support of Session Tracking Control internet draft (#…
fec8bfb 
…6403)

Bug description:
	This RFE is to support https://datatracker.ietf.org/doc/html/draft-wahl-ldap-session-03
	In short, it allows a client to send strings in a control.
	Those strings are added to the operation result logged in the
	access logs.
	Those strings are meaningful for the client (debug,
	kmonitoring,...).

Fix description:
	The design is https://www.port389.org/docs/389ds/design/session-identifier-in-logs.html

fixes: #6367

Reviewed by: William Brown, Pierre Rogier (Thanks !!!)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@progier389 progier389 progier389 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

RFE support of Session Tracking Control internet draft

3 participants

@tbordaz @Firstyear @progier389