From e6fdb916bffdb14d9ebf72cf6bd4d3f8deba8274 Mon Sep 17 00:00:00 2001
From: fram3d
Date: Fri, 5 Jan 2024 06:46:34 +0100
Subject: [PATCH] santize user input and ldap records

---
 luser/models.py | 14 +++++++++++---
 luser/routes.py | 4 ++--
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/luser/models.py b/luser/models.py
index a2869eb..7a6f8a3 100644
--- a/luser/models.py
+++ b/luser/models.py
@@ -25,8 +25,11 @@ class LUSER():
         for i in alluids:
             i_uid = i['attributes']['uidNumber']
-            if int(i_uid) > max:
-                max = int(i_uid)
+            if type(i_uid) is str or type(i_uid) is int:
+                i_uid = int(i_uid)
+
+            if i_uid > max:
+                max = i_uid
 
         return max
 
 
@@ -224,4 +227,9 @@ class LUSER():
         self.ldapconnection.search(search_base=self.base,search_filter=f'(&(objectClass=inetOrgPerson)(uid={user}))', attributes=['userPassword'])
 
         # Return userPassword attribute from the response
-        return self.ldapconnection.response[0]['attributes']['userPassword'][0].decode('utf-8')
+        userpass = self.ldapconnection.response[0]['attributes']['userPassword'][0]
+
+        if type(userpass) is bytes:
+            userpass = userpass.decode('utf-8')
+
+        return userpass
diff --git a/luser/routes.py b/luser/routes.py
index 1f87279..1f0a481 100644
--- a/luser/routes.py
+++ b/luser/routes.py
@@ -127,8 +127,8 @@ def register():
         return 'Error: uppercase characters in username are not allowed'
 
     # Check lenght of username
-    if len(username) < 1:
-        return 'Error: username is too short'
+    if len(username) < 1 or len(username) > 30:
+        return 'Error: username has to be between 1 and 30 characters long'
 
     # Check if username is alphanumeric
     if not username.isalnum():
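Review bot: The new type guard in the uidNumber loop leaves every type other than str and int unhandled, so a value of another type (a list if the attribute ever comes back multi-valued, or None) is not converted and then reaches `if i_uid > max:`, which raises TypeError there instead of failing with a clear message; a non-numeric string still raises ValueError inside `int(i_uid)`. Since this maximum presumably feeds allocation of the next uid, failing loudly is the right outcome, but it should be explicit: replace the guard with `try: i_uid = int(i_uid)` / `except (TypeError, ValueError): raise ValueError(f'unexpected uidNumber value {i_uid!r}') from None` so a malformed directory record cannot be silently skipped or produce a confusing traceback. As a point of style, `isinstance(i_uid, (str, int))` is the idiomatic form of the `type(...) is` chain if a guard is kept. The enclosing method (and the pre-existing local named `max`, which shadows the builtin) starts outside the hunk.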
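Review bot: `user` is still interpolated unescaped into the filter on the context line `search_filter=f'(&(objectClass=inetOrgPerson)(uid={user}))'`, so a value containing LDAP filter metacharacters changes the meaning of the query; the commit subject says it sanitizes user input, but this method does not escape it. If the connection object is ldap3 (the `search_base`/`search_filter`/`attributes` keywords suggest it), format the filter with `escape_filter_chars(user)` from `ldap3.utils.conv` instead of the raw value. Separately, the new code still indexes `self.ldapconnection.response[0]['attributes']['userPassword'][0]` without checking that the search returned an entry carrying that attribute, so an unknown user surfaces as IndexError rather than a deliberate not-found result; guard with `if not self.ldapconnection.response: return None` (or a domain exception callers already expect) before the lookup. The enclosing method starts outside the hunk.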
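Review bot: The new upper bound `len(username) > 30` counts code points, while the `isalnum()` check two lines below accepts any Unicode letter or digit, so a username can pass both checks yet encode to well over 30 bytes in the directory and need not be a valid POSIX account name at all; if usernames are meant to be ASCII, tighten the later check to `if not (username.isascii() and username.isalnum()):`. The literals `1` and `30` appear in both the condition and the message, which drift apart easily; module-level constants such as `MAX_USERNAME_LEN = 30` used in both places would keep them in step. The context comment also has a typo, `# Check lenght of username` should read `# Check length of username`. `register()` starts and ends outside the hunk.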