packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0003-CVE-2023-4154.patch

430 lines
23 KiB
Diff
Raw Blame History

From e8df1a60866651678ce99d730f6a5e4bcc671b1d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 2 Aug 2023 10:44:32 +0200
Subject: [PATCH 08/28] CVE-2023-4154 s4:dsdb:tests: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.18.8-security-2023-10-10.patch
[PATCH 08/28] CVE-2023-4154 s4:dsdb:tests: Fix code spelling
---
source4/dsdb/tests/python/acl.py | 12 ++++++------
.../dsdb/tests/python/ad_dc_search_performance.py | 2 +-
source4/dsdb/tests/python/confidential_attr.py | 2 +-
source4/dsdb/tests/python/dirsync.py | 8 ++++----
source4/dsdb/tests/python/ldap.py | 14 +++++++-------
source4/dsdb/tests/python/ldap_modify_order.py | 4 ++--
source4/dsdb/tests/python/ldap_syntaxes.py | 4 ++--
source4/dsdb/tests/python/login_basics.py | 2 +-
source4/dsdb/tests/python/password_settings.py | 4 ++--
source4/dsdb/tests/python/passwords.py | 4 ++--
source4/dsdb/tests/python/sam.py | 2 +-
source4/dsdb/tests/python/sec_descriptor.py | 14 +++++++-------
source4/dsdb/tests/python/token_group.py | 4 ++--
source4/dsdb/tests/python/user_account_control.py | 2 +-
14 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index ee6b5ae5cf6..280913d9b1c 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -228,7 +228,7 @@ class AclAddTests(AclTests):
self.assertEqual(len(res), 0)
def test_add_u1(self):
- """Testing OU with the rights of Doman Admin not creator of the OU """
+ """Testing OU with the rights of Domain Admin not creator of the OU """
self.assert_top_ou_deleted()
# Change descriptor for top level OU
self.ldb_owner.create_ou("OU=test_add_ou1," + self.base_dn)
@@ -241,7 +241,7 @@ class AclAddTests(AclTests):
self.ldb_notowner.newgroup("test_add_group1", groupou="OU=test_add_ou2,OU=test_add_ou1",
grouptype=samba.dsdb.GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)
# Make sure we HAVE created the two objects -- user and group
- # !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE
+ # !!! We should not be able to do that, but however because of ACE ordering our inherited Deny ACE
# !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere
res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn))
self.assertTrue(len(res) > 0)
@@ -302,7 +302,7 @@ class AclAddTests(AclTests):
self.assertEqual(len(res), 0)
def test_add_u4(self):
- """ 4 Testing OU with the rights of Doman Admin creator of the OU"""
+ """ 4 Testing OU with the rights of Domain Admin creator of the OU"""
self.assert_top_ou_deleted()
self.ldb_owner.create_ou("OU=test_add_ou1," + self.base_dn)
self.ldb_owner.create_ou("OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
@@ -4298,7 +4298,7 @@ class AclDeleteTests(AclTests):
self.assertEqual(len(res), 0)
def test_delete_u3(self):
- """User indentified by SID has RIGHT_DELETE to another User object"""
+ """User identified by SID has RIGHT_DELETE to another User object"""
user_dn = self.get_user_dn("test_delete_user1")
# Create user that we try to delete
self.ldb_admin.newuser("test_delete_user1", self.user_pass)
@@ -4589,7 +4589,7 @@ class AclCARTests(AclTests):
minPwdAge = self.ldb_admin.get_minPwdAge()
# Reset the "minPwdAge" as it was before
self.addCleanup(self.ldb_admin.set_minPwdAge, minPwdAge)
- # Set it temporarely to "0"
+ # Set it temporarily to "0"
self.ldb_admin.set_minPwdAge("0")
self.user_with_wp = "acl_car_user1"
@@ -5045,7 +5045,7 @@ class AclUndeleteTests(AclTests):
self.sd_utils.dacl_add_ace(self.deleted_dn2, mod)
self.undelete_deleted(self.deleted_dn2, self.testuser2_dn)
- # attempt undelete with simultanious addition of url, WP to which is denied
+ # attempt undelete with simultaneous addition of url, WP to which is denied
mod = "(OD;;WP;9a9a0221-4a5b-11d1-a9c3-0000f80367c1;;%s)" % str(self.sid)
self.sd_utils.dacl_add_ace(self.deleted_dn3, mod)
try:
diff --git a/source4/dsdb/tests/python/ad_dc_search_performance.py b/source4/dsdb/tests/python/ad_dc_search_performance.py
index 0afd7a2582e..44e468097d8 100644
--- a/source4/dsdb/tests/python/ad_dc_search_performance.py
+++ b/source4/dsdb/tests/python/ad_dc_search_performance.py
@@ -180,7 +180,7 @@ class UserTests(samba.tests.TestCase):
maybe_not = ['!(', '']
joiners = ['&', '|']
- # The number of permuations is 18432, which is not huge but
+ # The number of permutations is 18432, which is not huge but
# would take hours to search. So we take a sample.
all_permutations = list(itertools.product(joiners,
classes, classes,
diff --git a/source4/dsdb/tests/python/confidential_attr.py b/source4/dsdb/tests/python/confidential_attr.py
index eb75da6374f..8ca56bd1023 100755
--- a/source4/dsdb/tests/python/confidential_attr.py
+++ b/source4/dsdb/tests/python/confidential_attr.py
@@ -722,7 +722,7 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon):
self.attr_filters = [None, ["*"], ["name"]]
- # Note dirsync behaviour is slighty different for the attribute under
+ # Note dirsync behaviour is slightly different for the attribute under
# test - when you have full access rights, it only returns the objects
# that actually have this attribute (i.e. it doesn't return an empty
# message with just the DN). So we add the 'name' attribute into the
diff --git a/source4/dsdb/tests/python/dirsync.py b/source4/dsdb/tests/python/dirsync.py
index 1ac719e4332..ca0947e2d21 100755
--- a/source4/dsdb/tests/python/dirsync.py
+++ b/source4/dsdb/tests/python/dirsync.py
@@ -338,7 +338,7 @@ class SimpleDirsyncTests(DirsyncBaseTests):
self.assertEqual(len(res.msgs[0]), 3)
def test_dirsync_othernc(self):
- """Check that dirsync return information for entries that are normaly referrals (ie. other NCs)"""
+ """Check that dirsync return information for entries that are normally referrals (ie. other NCs)"""
res = self.ldb_admin.search(self.base_dn,
expression="(objectclass=configuration)",
attrs=["name"],
@@ -459,7 +459,7 @@ class SimpleDirsyncTests(DirsyncBaseTests):
delete_force(self.ldb_admin, ouname)
def test_dirsync_linkedattributes(self):
- """Check that dirsync returnd deleted objects too"""
+ """Check that dirsync returned deleted objects too"""
# Let's search for members
self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
res = self.ldb_simple.search(self.base_dn,
@@ -541,7 +541,7 @@ class SimpleDirsyncTests(DirsyncBaseTests):
self.assertEqual(len(res[0].get("member")), 0)
def test_dirsync_deleted_items(self):
- """Check that dirsync returnd deleted objects too"""
+ """Check that dirsync returned deleted objects too"""
# Let's create an OU
ouname = "OU=testou3,%s" % self.base_dn
self.ouname = ouname
@@ -712,7 +712,7 @@ class ExtendedDirsyncTests(SimpleDirsyncTests):
self.assertIn(b">;<SID=010500000000000515", resEX0[0]["member"][0])
def test_dirsync_deleted_items(self):
- """Check that dirsync returnd deleted objects too"""
+ """Check that dirsync returned deleted objects too"""
# Let's create an OU
self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
ouname = "OU=testou3,%s" % self.base_dn
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index a50a5f7b8d6..a8995782db5 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -155,7 +155,7 @@ class BasicTests(samba.tests.TestCase):
(num, _) = e.args
self.assertEqual(num, ERR_CONSTRAINT_VIOLATION)
- # We cannot instanciate from an abstract object class ("connectionPoint"
+ # We cannot instantiate from an abstract object class ("connectionPoint"
# or "leaf"). In the first case we use "connectionPoint" (subclass of
# "leaf") to prevent a naming violation - this returns us a
# "ERR_UNWILLING_TO_PERFORM" since it is not structural. In the second
@@ -178,7 +178,7 @@ class BasicTests(samba.tests.TestCase):
(num, _) = e.args
self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
- # Objects instanciated using "satisfied" abstract classes (concrete
+ # Objects instantiated using "satisfied" abstract classes (concrete
# subclasses) are allowed
self.ldb.add({
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
@@ -214,7 +214,7 @@ class BasicTests(samba.tests.TestCase):
"objectClass": "person"})
# We can remove derivation classes of the structural objectclass
- # but they're going to be readded afterwards
+ # but they're going to be re-added afterwards
m = Message()
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
m["objectClass"] = MessageElement("top", FLAG_MOD_DELETE,
@@ -1824,7 +1824,7 @@ delete: description
delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
def test_groupType_int32(self):
- """Test groupType (int32) behaviour (should appear to be casted to a 32 bit signed integer before comparsion)"""
+ """Test groupType (int32) behaviour (should appear to be casted to a 32 bit signed integer before comparison)"""
res1 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
attrs=["groupType"], expression="groupType=2147483653")
@@ -2158,7 +2158,7 @@ servicePrincipalName: host/ldaptest2computer29
"givenname": "testy",
"sn": "ldap user2"})
- # Testing Ambigious Name Resolution
+ # Testing Ambiguous Name Resolution
# Testing ldb.search for (&(anr=ldap testy)(objectClass=user))
res = ldb.search(expression="(&(anr=ldap testy)(objectClass=user))")
self.assertEqual(len(res), 3, "Found only %d of 3 for (&(anr=ldap testy)(objectClass=user))" % len(res))
@@ -2402,7 +2402,7 @@ member: cn=ldaptestuser2,cn=users,""" + self.base_dn + """
# Testing ldb.search for (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)) to check subtree renames and linked attributes"
res = ldb.search(self.base_dn, expression="(&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group))", scope=SCOPE_SUBTREE)
- self.assertEqual(len(res), 1, "Could not find (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)), perhaps linked attributes are not consistant with subtree renames?")
+ self.assertEqual(len(res), 1, "Could not find (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)), perhaps linked attributes are not consistent with subtree renames?")
# Testing ldb.rename (into itself) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn
try:
@@ -3002,7 +3002,7 @@ nTSecurityDescriptor: """ + sddl
delete_force(self.ldb, user_dn)
#
# Test modify_ldif() with SDDL security descriptor input
- # New desctiptor test
+ # New descriptor test
#
try:
self.ldb.add_ldif("""
diff --git a/source4/dsdb/tests/python/ldap_modify_order.py b/source4/dsdb/tests/python/ldap_modify_order.py
index 54f89597eab..80c4a3a7fe6 100644
--- a/source4/dsdb/tests/python/ldap_modify_order.py
+++ b/source4/dsdb/tests/python/ldap_modify_order.py
@@ -101,7 +101,7 @@ class ModifyOrderTests(samba.tests.TestCase):
clusters = {}
for i, attrs in enumerate(permutations(mod_attrs)):
- # for each permuation we construct a string describing the
+ # for each permutation we construct a string describing the
# requested operations, and a string describing the result
# (which may be an exception). The we cluster the
# attribute strings by their results.
@@ -249,7 +249,7 @@ class ModifyOrderTests(samba.tests.TestCase):
self._test_modify_order(start_attrs, mod_attrs)
def test_modify_order_inapplicable(self):
- #attrbutes that don't go on a user
+ #attributes that don't go on a user
start_attrs = [("objectclass", "user"),
("givenName", "a")]
diff --git a/source4/dsdb/tests/python/ldap_syntaxes.py b/source4/dsdb/tests/python/ldap_syntaxes.py
index d8efb3a105e..081c28073f1 100755
--- a/source4/dsdb/tests/python/ldap_syntaxes.py
+++ b/source4/dsdb/tests/python/ldap_syntaxes.py
@@ -210,7 +210,7 @@ name: """ + object_name + """
expression="(%s=S:5:ABCDE)" % self.dn_string_attribute)
self.assertEqual(len(res), 0)
- # search by DN+Stirng
+ # search by DN+String
res = self.ldb.search(base=self.base_dn,
scope=SCOPE_SUBTREE,
expression="(%s=S:5:ABCDE:%s)" % (self.dn_string_attribute, self.base_dn))
@@ -293,7 +293,7 @@ name: """ + object_name + """
self.assertEqual(num, ERR_CONSTRAINT_VIOLATION)
def test_dn_binary(self):
- # add obeject with correct value
+ # add object with correct value
object_name1 = "obj-DN-Binary1" + time.strftime("%s", time.gmtime())
ldif = self._get_object_ldif(object_name1, self.dn_binary_class_name, self.dn_binary_class_ldap_display_name,
self.dn_binary_attribute, ": B:4:1234:" + self.base_dn)
diff --git a/source4/dsdb/tests/python/login_basics.py b/source4/dsdb/tests/python/login_basics.py
index b186e723f39..19cdf3e67d7 100755
--- a/source4/dsdb/tests/python/login_basics.py
+++ b/source4/dsdb/tests/python/login_basics.py
@@ -75,7 +75,7 @@ class BasicUserAuthTests(BasePasswordTestCase):
ldap_url = self.host_url
print("Performs a lockout attempt against LDAP using NTLM")
- # get the intial logon values for this user
+ # get the initial logon values for this user
res = self._check_account(userdn,
badPwdCount=0,
badPasswordTime=("greater", 0),
diff --git a/source4/dsdb/tests/python/password_settings.py b/source4/dsdb/tests/python/password_settings.py
index bac89f3e3c8..1fc0c05cdd4 100644
--- a/source4/dsdb/tests/python/password_settings.py
+++ b/source4/dsdb/tests/python/password_settings.py
@@ -300,7 +300,7 @@ class PasswordSettingsTestCase(PasswordTestCase):
self.set_attribute(group2, "member", group1)
self.assert_PSO_applied(user, group2_pso)
- # add another level to the group heirachy & check this PSO takes effect
+ # add another level to the group hierarchy & check this PSO takes effect
self.set_attribute(group3, "member", group2)
self.assert_PSO_applied(user, group3_pso)
@@ -727,7 +727,7 @@ class PasswordSettingsTestCase(PasswordTestCase):
# the msDS-ResultantPSO attribute on a user that doesn't exist yet (it
# won't have any group membership or PSOs applied directly against it yet).
# In theory it's possible to still get an applicable PSO via the user's
- # primaryGroupID (i.e. 'Domain Users' by default). However, testing aginst
+ # primaryGroupID (i.e. 'Domain Users' by default). However, testing against
# Windows shows that the PSO doesn't take effect during the user add
# operation. (However, the Windows GUI tools presumably adds the user in 2
# steps, because it does enforce the PSO for users added via the GUI).
diff --git a/source4/dsdb/tests/python/passwords.py b/source4/dsdb/tests/python/passwords.py
index cd78be4e8b1..de69293da76 100755
--- a/source4/dsdb/tests/python/passwords.py
+++ b/source4/dsdb/tests/python/passwords.py
@@ -1365,12 +1365,12 @@ userPassword: thatsAcomplPASS4
def test_zero_length(self):
# Get the old "minPwdLength"
minPwdLength = self.ldb.get_minPwdLength()
- # Set it temporarely to "0"
+ # Set it temporarily to "0"
self.ldb.set_minPwdLength("0")
# Get the old "pwdProperties"
pwdProperties = self.ldb.get_pwdProperties()
- # Set them temporarely to "0" (to deactivate eventually the complexity)
+ # Set them temporarily to "0" (to deactivate eventually the complexity)
self.ldb.set_pwdProperties("0")
self.ldb.setpassword("(sAMAccountName=testuser)", "")
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index 08365beb2c6..c413b0813e0 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -3775,7 +3775,7 @@ class SamTests(samba.tests.TestCase):
def test_protected_sid_objects(self):
"""Test deletion of objects with RID < 1000"""
# a list of some well-known sids
- # objects in Builtin are aready covered by objectclass
+ # objects in Builtin are already covered by objectclass
protected_list = [
["CN=Domain Admins", "CN=Users,"],
["CN=Schema Admins", "CN=Users,"],
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index 5410e9f7246..6f987078cbd 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -684,7 +684,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
# Tests for SCHEMA
- # Defalt descriptor tests ##################################################################
+ # Default descriptor tests ##################################################################
def test_130(self):
user_name = "testuser1"
@@ -941,7 +941,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
# Tests for CONFIGURATION
- # Defalt descriptor tests ##################################################################
+ # Default descriptor tests ##################################################################
def test_160(self):
user_name = "testuser1"
@@ -2022,7 +2022,7 @@ class RightsAttributesTests(DescriptorTests):
_ldb = self.get_ldb_connection("testuser_attr", "samba123@")
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
attrs=["sDRightsEffective"])
- # user whould have no rights at all
+ # user should have no rights at all
self.assertEqual(len(res), 1)
self.assertEqual(str(res[0]["sDRightsEffective"][0]), "0")
# give the user Write DACL and see what happens
@@ -2030,7 +2030,7 @@ class RightsAttributesTests(DescriptorTests):
self.sd_utils.dacl_add_ace(object_dn, mod)
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
attrs=["sDRightsEffective"])
- # user whould have DACL_SECURITY_INFORMATION
+ # user should have DACL_SECURITY_INFORMATION
self.assertEqual(len(res), 1)
self.assertEqual(str(res[0]["sDRightsEffective"][0]), ("%d") % SECINFO_DACL)
# give the user Write Owners and see what happens
@@ -2038,14 +2038,14 @@ class RightsAttributesTests(DescriptorTests):
self.sd_utils.dacl_add_ace(object_dn, mod)
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
attrs=["sDRightsEffective"])
- # user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
+ # user should have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
self.assertEqual(len(res), 1)
self.assertEqual(str(res[0]["sDRightsEffective"][0]), ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
- # no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
+ # no way to grant security privilege bu adding ACE's so we use a member of Domain Admins
_ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
attrs=["sDRightsEffective"])
- # user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
+ # user should have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
self.assertEqual(len(res), 1)
self.assertEqual(str(res[0]["sDRightsEffective"][0]),
("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
diff --git a/source4/dsdb/tests/python/token_group.py b/source4/dsdb/tests/python/token_group.py
index bc2c4c71350..7126babb9cd 100755
--- a/source4/dsdb/tests/python/token_group.py
+++ b/source4/dsdb/tests/python/token_group.py
@@ -151,7 +151,7 @@ class StaticTokenTest(samba.tests.TestCase):
extra_sidset = set(extra_sids)
if len(missing_sidset.symmetric_difference(extra_sidset)):
- print("dn token sids unexpeted")
+ print("dn token sids unexpected")
print("tokengroups: %s" % dn_tokengroups)
print("user sids: %s" % self.user_sids)
print("actual difference: %s" % missing_sidset)
@@ -423,7 +423,7 @@ class DynamicTokenTest(samba.tests.TestCase):
extra_sidset = set(extra_sids)
if len(missing_sidset.symmetric_difference(extra_sidset)):
- print("dn token sids unexpeted")
+ print("dn token sids unexpected")
print("tokengroups: %s" % dn_tokengroups)
print("user sids: %s" % self.user_sids)
print("actual difference: %s" % missing_sidset)
diff --git a/source4/dsdb/tests/python/user_account_control.py b/source4/dsdb/tests/python/user_account_control.py
index b54b33678dc..f0f8e85276c 100755
--- a/source4/dsdb/tests/python/user_account_control.py
+++ b/source4/dsdb/tests/python/user_account_control.py
@@ -852,7 +852,7 @@ class UserAccountControlTests(samba.tests.TestCase):
self.add_computer_ldap(computername, others={"userAccountControl": [str(bit_add)]})
delete_force(self.admin_samdb, "CN=%s,%s" % (computername, self.OU))
if bit in priv_bits:
- self.fail("Unexpectdly able to set userAccountControl bit 0x%08X (%s) on %s"
+ self.fail("Unexpectedly able to set userAccountControl bit 0x%08X (%s) on %s"
% (bit, bit_str, computername))
except LdbError as e4:
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink