[Freeipa-devel] [PATCH] fix self-service uid change

Rob Crittenden rcritten at redhat.com
Tue Apr 22 20:05:24 UTC 2008


Rob Crittenden wrote:
> I try to do some sanity checks to be sure that the user we're changing 
> is the one that was pulled up to edit to prevent injection attacks. In 
> this case I was using the wrong uid field to be sure that in the case of 
> a self-service edit the user doing the editing is the user logged in.
> 
> The uid wasn't matching, so it was being rejected, but that is of course the 
> point of the comparison.

New patch. Simo hit me up in #freeipa with some questions and concerns.

uid_hidden is kinda poorly named. It really should be uid_orig or something.

In any case, it is what we loaded vs what we are now. We use the TG user 
context to tell who we really are. I've fixed a bug there too. At one 
time I assumed that uid == principalname - REALM. This no longer assumes 
that and sets the name being displayed as "logged in" as the uid.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-changuid.patch
Type: text/x-patch
Size: 2711 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080422/522bcfaa/attachment.bin>
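The guard discussed in this thread, as an added example that is not FreeIPA's code: a self-service edit is allowed only when the entry that was loaded into the form (the mail's uid_hidden, called uid_orig here) belongs to the logged-in user as the web framework's user context reports it, without assuming that uid equals the principal with the realm stripped. `Identity`, `check_user_edit` and the form keys are hypothetical names.

```python
# Added example modelled on the self-service check described in the mail.
# Not FreeIPA code; the names below are hypothetical.
from dataclasses import dataclass


@dataclass
class Identity:
    """Stand-in for the framework's user context (the TG identity)."""
    uid: str          # the uid the UI displays as "logged in"
    principal: str    # Kerberos principal, e.g. user@REALM
    is_admin: bool = False


class EditRejected(Exception):
    pass


def uid_from_principal(principal: str) -> str:
    """The old assumption (uid == principal minus '@REALM'), kept only to
    show that it need not hold; the guard below does not rely on it."""
    return principal.split("@", 1)[0]


def check_user_edit_buggy(form: dict, who: Identity) -> str:
    """The defect the mail describes: comparing the *submitted* uid with the
    logged-in user, so any legitimate self-service uid change is rejected."""
    if not who.is_admin and form.get("uid") != who.uid:
        raise EditRejected("submitted uid does not match logged-in user")
    return form["uid"]


def check_user_edit(form: dict, who: Identity) -> str:
    """Return the uid to update, or raise EditRejected.

    form["uid_orig"] is the uid of the entry loaded into the edit page;
    form["uid"] is the value now submitted. Admins may edit anyone. A
    self-service user may only edit the entry they loaded, and that entry
    must be their own according to the user context, not according to a
    uid derived from the principal or to the (changeable) submitted value.
    """
    orig, new = form.get("uid_orig"), form.get("uid")
    if not orig or not new:
        raise EditRejected("missing uid fields")
    if not who.is_admin and orig != who.uid:
        raise EditRejected(f"{who.uid} may not edit entry {orig}")
    return new


def rejects(check, form: dict, who: Identity) -> bool:
    """True if `check` refuses the edit (helper for the tests)."""
    try:
        check(form, who)
    except EditRejected:
        return True
    return False
```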