From 6eeadd3e2f7c0ce30810eea1539844005c2d123c Mon Sep 17 00:00:00 2001
From: equinox
Date: Thu, 29 Sep 2011 23:34:18 +0200
Subject: fix "minor" bugs - including LDAP injection ;)

---
 index.py | 11 ++++++-----
 ja.po    |  4 ++--
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/index.py b/index.py
index 27c1a08..42862ab 100755
--- a/index.py
+++ b/index.py
@@ -11,7 +11,8 @@ from tmpl import expose, render, _
 from lxml import etree
 from lxml.html import formfill
 from StringIO import StringIO
-import ldap
+import ldap, ldap.filter
+ldapf = ldap.filter.filter_format
 import mx.DateTime, urllib
 from accountservice import accountservice
 import ticket
@@ -55,7 +56,7 @@ class SubdapSite(object):
         return render(errors = {}, username = username)
 
     def login_perform(s, username, password):
-        dn = "cn=%s,ou=people,dc=sublab,dc=org" % (username)
+        dn = ldapf("cn=%s,ou=people,dc=sublab,dc=org", [username])
         try:
             l = ldap.initialize('ldap://oberon.local.sublab.org/')
             l.start_tls_s()
@@ -79,7 +80,7 @@ class SubdapSite(object):
         try:
             l, dn = s.login_perform(username, password)
         except LoginError, e:
-            return render(errors = {'password': str(e)})
+            return render(errors = {'password': unicode(e)})
         return s.selectpage(l, dn)
 
 
@@ -142,13 +143,13 @@ class SubdapSite(object):
         try:
             l, dn = s.login_perform(username, oldpassword)
         except LoginError, e:
-            return render(errors = {'oldpassword': str(e)}, username = username)
+            return render(errors = {'oldpassword': unicode(e)}, username = username)
         import kerberos
         try:
             assert kerberos.changePassword(username + '@SUBLAB.ORG', oldpassword, password) == True
         except kerberos.PwdChangeError, e:
-            return render(errors = {'password2': str(e[0])}, username = username)
+            return render(errors = {'password2': unicode(e[0])}, username = username)
         if os.fork() == 0:
             accountservice.kprop()
 
 
diff --git a/ja.po b/ja.po
index 6d3e1c5..49958c6 100644
--- a/ja.po
+++ b/ja.po
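Review bot: `import ldap, ldap.filter` puts two imports on one line and `ldapf = ldap.filter.filter_format` adds a terse module-level alias that every reader of `login_perform` has to look up; `from ldap.filter import filter_format` on its own line conveys the same thing without the indirection. This is a style point only, the behaviour is unchanged. If the DN construction below is switched to DN-aware escaping, this import hunk is also where `import ldap.dn` belongs.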
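Review bot: `filter_format` escapes the characters that are special in an LDAP search filter (RFC 4515), but the value on the new `dn = ldapf(...)` line becomes an RDN inside a distinguished name, whose special characters (RFC 4514: comma, plus, quote, backslash, angle brackets, semicolon, a leading `#`, leading or trailing spaces) are a different set, so a username containing one of them can still alter the structure of `dn`. python-ldap ships the helper for exactly this position: `dn = "cn=%s,ou=people,dc=sublab,dc=org" % ldap.dn.escape_dn_chars(username)` (with `import ldap.dn`). Rejecting usernames that are not plain alphanumerics before the DN is built would be a cheaper defence and is easier to audit. The rest of `login_perform`, including how `dn` is used to bind and whether the TLS session verifies the server certificate, lies outside this hunk.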
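Review bot: `unicode(e)` on the new `errors = {'password': unicode(e)}` line (and `unicode(e)` / `unicode(e[0])` in the password-change hunk further down) decodes with Python 2's default ASCII codec, so if LoginError carries a byte-string message from the ldap library containing non-ASCII bytes, the error page itself raises UnicodeDecodeError instead of rendering. Decoding explicitly, e.g. `str(e).decode('utf-8', 'replace')`, or making LoginError carry a unicode message, keeps the failure path robust. Whether LoginError's message is bytes or unicode cannot be seen here; its definition is outside the hunk.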
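Review bot: The changed `unicode(e[0])` line sits in a handler whose success check is the unchanged context line `assert kerberos.changePassword(...) == True`; under `python -O` asserts are stripped, so a `False` return from changePassword would fall through to the `os.fork()`/`kprop()` path and report the change as done. A plain conditional keeps the check in every mode, e.g. `if not kerberos.changePassword(username + '@SUBLAB.ORG', oldpassword, password):` followed by `return render(errors = {'password2': _('password change failed')}, username = username)` (message text illustrative; `_` is the translation helper imported at the top of the file). The function continues beyond the hunk, so what the forked child does after `kprop()` is not visible here.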
@@ -121,8 +121,8 @@ msgid ""
 " password will work."
 msgstr ""
 "[1:パスワードが改めされました][2:]\n"
-" けど、「ケルベロスの[3:3つ頭]」は数分後まで立て込む。\n"
-" まえのパスワードか新しいパスワードか使える可能性があります。"
+"けど、「ケルベロスの[3:3つ頭]」は数分後まで立て込む。"
+"まえのパスワードか新しいパスワードか使える可能性があります。"
 
 #: templates/select.html:20
 #, python-format
-- 
cgit v1.2.1