[Freeipa-devel] [PATCH] fix self-service uid change

Rob Crittenden rcritten at redhat.com
Tue Apr 22 20:05:24 UTC 2008

Rob Crittenden wrote:
> I try to do some sanity checks to be sure that the user we're changing 
> is the one that was pulled up to edit to prevent injection attacks. In 
> this case I was using the wrong uid field to be sure that in the case of 
> a self-service edit the user doing the editing is the user logged in.
> The uid wasn't matching it was being rejected, but that is of course the 
> point because comparison.

New patch. Simo hit me up in #freeipa with some questions and concerns.

uid_hidden is kinda poorly named. It really should be uid_orig or something.

In any case, it is what we loaded vs what we are now. We use the TG user 
context to tell who we really are. I've fixed a bug there too. At one 
time I assumed that uid == principalname - REALM. This no longer assumes 
that and sets the name being displayed as "logged in" as the uid.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-changuid.patch
Type: text/x-patch
Size: 2711 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080422/522bcfaa/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080422/522bcfaa/attachment-0001.bin>

More information about the Freeipa-devel mailing list