santize user input and ldap records

2024-01-05 06:46:34 +01:00 · 2024-01-05 06:46:34 +01:00 · e6fdb916bf
commit e6fdb916bf
parent 1da508d0d6
2 changed files with 13 additions and 5 deletions
--- a/luser/models.py
+++ b/luser/models.py
@ -25,8 +25,11 @@ class LUSER():

        for i in alluids:
            i_uid = i['attributes']['uidNumber']
-            if int(i_uid) > max:
-                max = int(i_uid)
+            if type(i_uid) is str or type(i_uid) is int:
+                i_uid = int(i_uid)
+
+                if i_uid > max:
+                    max = i_uid

        return max

@ -224,4 +227,9 @@ class LUSER():
        self.ldapconnection.search(search_base=self.base,search_filter=f'(&(objectClass=inetOrgPerson)(uid={user}))', attributes=['userPassword'])

        # Return userPassword attribute from the response
-        return self.ldapconnection.response[0]['attributes']['userPassword'][0].decode('utf-8')
+        userpass = self.ldapconnection.response[0]['attributes']['userPassword'][0]
+        
+        if type(userpass) is bytes:
+            userpass = userpass.decode('utf-8')
+
+        return userpass
--- a/luser/routes.py
+++ b/luser/routes.py
@ -127,8 +127,8 @@ def register():
            return 'Error: uppercase characters in username are not allowed'

        # Check lenght of username
-        if len(username) < 1:
-            return 'Error: username is too short'
+        if len(username) < 1 or len(username) > 30:
+            return 'Error: username has to be between 1 and 30 characters long'

        # Check if username is alphanumeric
        if not username.isalnum():