ldap: ignore undecodable attribute values (fixes #31232)

Tests augmented with a jpegPhoto binary attribute.
Benjamin Dauvergne 2019-03-08 21:12:16 +01:00
parent 8a68af0e48
commit 9ec79b6d24
2 changed files with 15 additions and 3 deletions


@ -41,7 +41,7 @@ from authentic2.user_login_failure import user_login_failure, user_login_success
from django_rbac.utils import get_ou_model
from authentic2.a2_rbac.utils import get_default_ou
from authentic2.ldap_utils import FilterFormatter
from authentic2.utils import utf8_encode
from authentic2.utils import utf8_encode, to_list
from authentic2.backends import is_user_authenticable
@ -60,6 +60,16 @@ for bundle_path in CA_BUNDLE_PATHS:
DEFAULT_CA_BUNDLE = bundle_path
break
@to_list
def filter_non_unicode_values(atvs):
for atv in atvs:
try:
yield atv.decode('utf-8')
except UnicodeDecodeError:
pass
if PYTHON_LDAP3 is True:
class LDAPObject(NativeLDAPObject):
def __init__(self, uri, trace_level=0, trace_file=None,
@ -77,7 +87,7 @@ if PYTHON_LDAP3 is True:
for dn, attrs in result_list:
if dn is not None:
# tuple is a real entry with a DN not a search reference
attrs = {attribute: map(force_text, attrs[attribute]) for attribute in attrs}
attrs = {attribute: filter_non_unicode_values(attrs[attribute]) for attribute in attrs}
yield dn, attrs
def search_s(self, base, scope, filterstr='(objectclass=*)', attrlist=None, attrsonly=0):
@ -136,7 +146,7 @@ elif PYTHON_LDAP3 is False:
for dn, attrs in result_list:
if dn is not None:
# tuple is a real entry with a DN not a search reference
attrs = {attribute: map(force_text, attrs[attribute]) for attribute in attrs}
attrs = {attribute: filter_non_unicode_values(attrs[attribute]) for attribute in attrs}
yield force_text(dn), attrs
def search_s(self, base, scope, filterstr='(objectclass=*)', attrlist=None, attrsonly=0):
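Review bot: `filter_non_unicode_values` discards every value that is not valid UTF-8 with a bare `pass`, so an attribute can come back as an empty or shortened list with no trace of why. That matters if a dropped attribute is one the backend relies on for account lookup or group mapping (an inference, since the consumers are outside these hunks), and a binary value that happens to be valid UTF-8 is still kept as text, so the outcome depends on the bytes rather than on the attribute type. I would add a docstring such as `"""Decode LDAP attribute values as UTF-8, discarding binary values that cannot be decoded."""` and log the drop at debug level in the `except` branch. Both call sites in the two `LDAPObject` variants are affected; their enclosing methods start outside the hunks.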


@ -81,6 +81,7 @@ sn: Michu
gn: Étienne
l: Paris
mail: etienne.michu@example.net
jpegPhoto:: ACOE
dn: cn=group1,o=ôrga
objectClass: groupOfNames
@ -121,6 +122,7 @@ def test_simple(slapd, settings, client, db):
'url': [slapd.ldap_url],
'basedn': u'o=ôrga',
'use_tls': False,
'attributes': ['jpegPhoto'],
}]
result = client.post('/login/', {'login-password-submit': '1',
'username': USERNAME,
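Review bot: The test change adds `'attributes': ['jpegPhoto']` to the LDAP settings, but no assertion in the visible lines checks what happens to the undecodable value, so the test appears to prove only that login does not raise. An explicit check after the login that the user ended up with no `jpegPhoto` value would pin the new behaviour, and a fixture attribute mixing a decodable and an undecodable value would also cover partial drops. `test_simple` continues past the end of this hunk, so such an assertion may already exist there.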