Details
Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Description
Consider method SecurityManager#getMemberships on master:
```java
private Set<String> getMemberships(String rawUserId, String providerId) {
    try {
        if (providers.containsKey(providerId)) {
            // bug: no sanitizeUserId here!
            return providers.get(providerId).getGroupManager().getMembershipIds(rawUserId);
        } else {
            return providers.get(INTERNAL_PROVIDER).getGroupManager()
                    .getMembershipIds(sanitizeUserId(rawUserId, providerId));
        }
    } catch (RepositoryException e) {
        log.warn("Unable to get memberships for userId: " + rawUserId, e);
        return null;
    }
}
```
sanitizeUserId(rawUserId, providerId) is called only in the "else" branch. It checks for case sensitivity on the provider's user manager and normalizes the user ID accordingly.
Not sanitizing the raw user ID for non-internal providers breaks login for an external provider with a case-insensitive LDAP integration: the group manager is queried with the login name exactly as typed, so a user who logs in with a differently cased name gets no memberships.
A client with this setup had to fork the class and add an extra sanitizeUserId() call in the "if" branch to make login work.
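The failure mode and the fix, as an added illustration that is not Hippo repository code: the group manager and user manager below are hypothetical stand-ins, and the constructed sample user "JDoe" shows why the "if" branch needs the same sanitizeUserId() call the "else" branch already has.

```java
import java.util.*;

public class MembershipLookupDemo {
    // Hypothetical stand-in for an external provider's group manager: group
    // membership is keyed by the canonical user ID as stored in LDAP, so a
    // lookup with a differently cased login name finds nothing.
    static class GroupManager {
        private final Map<String, Set<String>> membersOf = new HashMap<>();
        void addMember(String canonicalId, String... groups) {
            membersOf.put(canonicalId, new LinkedHashSet<>(Arrays.asList(groups)));
        }
        Set<String> getMembershipIds(String userId) {
            return membersOf.getOrDefault(userId, Collections.emptySet());
        }
    }

    // Hypothetical stand-in for a case-insensitive user manager: maps any
    // casing of the login name back to the canonical ID, which is the
    // normalisation sanitizeUserId() performs for the internal provider.
    static class UserManager {
        private final Map<String, String> canonicalByLower = new HashMap<>();
        void addUser(String canonicalId) {
            canonicalByLower.put(canonicalId.toLowerCase(Locale.ROOT), canonicalId);
        }
        String sanitizeUserId(String rawUserId) {
            return canonicalByLower.getOrDefault(rawUserId.toLowerCase(Locale.ROOT), rawUserId);
        }
    }

    // Before the fix ("if" branch): the raw login name goes straight to the group manager.
    static Set<String> getMembershipsBuggy(UserManager um, GroupManager gm, String rawUserId) {
        return gm.getMembershipIds(rawUserId);
    }

    // After the fix: the ID is normalised through the provider's user manager
    // first, exactly as the internal-provider ("else") branch already does.
    static Set<String> getMembershipsFixed(UserManager um, GroupManager gm, String rawUserId) {
        return gm.getMembershipIds(um.sanitizeUserId(rawUserId));
    }

    public static void main(String[] args) {
        UserManager um = new UserManager();
        GroupManager gm = new GroupManager();
        um.addUser("JDoe");                          // constructed sample: canonical LDAP ID
        gm.addMember("JDoe", "editors", "authors");
        // The user logs in as "jdoe": the buggy lookup finds no groups, the fixed one finds both.
        System.out.println("buggy: " + getMembershipsBuggy(um, gm, "jdoe"));
        System.out.println("fixed: " + getMembershipsFixed(um, gm, "jdoe"));
    }
}
```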
Issue Links
- is backported by:
  - REPO-1925 [Back port to 12.1] SecurityManager doesn't sanitize userId in case of external providers to get memberships (Closed)
  - REPO-1926 [Back port to 12.0] SecurityManager doesn't sanitize userId in case of external providers to get memberships (Closed)
  - REPO-1927 [Back port to 11.2] SecurityManager doesn't sanitize userId in case of external providers to get memberships (Closed)