View Issue Details

IDProjectCategoryView StatusLast Update
0005913SOGoBackend Generalpublic2024-02-07 13:01
Reportermdom Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
PlatformServerOSLinux DebianOS Version12
Product Version5.9.1 
Summary0005913: Endless Loop in SOGo When LDAP Group Contains User with Same Name
Description

When SOGo encounters an LDAP group that contains a user with the same name as the group, it attempts to resolve this as a subgroup. Since the subgroup has the same identifier, SOGo repeatedly tries to resolve this subgroup, resulting in an endless loop. This loop continues until either the LDAP server or the SOGo server runs out of file descriptors, leading to potential service disruption or denial of service.

Steps To Reproduce
  • Create an LDAP group with a name (e.g., GroupName).
  • Add a user to the LDAP directory with the same name as the group (GroupName).
  • Attempt to access or utilize the group in SOGo.
Additional Information

The provided patch successfully addresses the issue at hand. However, I acknowledge that it may not be a universally applicable solution. Perhaps introducing an option to enable or disable subgroup decomposition could be considered?

Tagsldap

Activities

mdom

mdom

2024-01-09 09:29

reporter  

disableSubgroups.diff (1,777 bytes)   
--- sogo-5.9.1.20240108.orig/SoObjects/SOGo/LDAPSource.m
+++ sogo-5.9.1.20240108/SoObjects/SOGo/LDAPSource.m
@@ -2289,7 +2289,7 @@ _makeLDAPChanges (NGLdapConnection *ldap
   SOGoUserManager *um;
   NSDictionary *d, *contactInfos;
   SOGoUser *user;
-  NSArray *o, *subusers, *logins;
+  NSArray *o, *logins;
   NSAutoreleasePool *pool;
   int i, c;
   NGLdapEntry *entry;
@@ -2339,16 +2339,7 @@ _makeLDAPChanges (NGLdapConnection *ldap
               user = [SOGoUser userWithLogin: login  roles: nil];
               if (user)
                 {
-                  contactInfos = [self lookupContactEntryWithUIDorEmail: login inDomain: nil];
-                  if ([contactInfos objectForKey: @"isGroup"])
-                    {
-                      subusers = [self membersForGroupWithUID: login];
-                      [members addObjectsFromArray: subusers];
-                    }
-                  else
-                    {
                       [members addObject: user];
-                    }
                 }
               [pool release];
             }
@@ -2361,16 +2352,7 @@ _makeLDAPChanges (NGLdapConnection *ldap
               user = [SOGoUser userWithLogin: login  roles: nil];
               if (user)
                 {
-                  contactInfos = [self lookupContactEntryWithUIDorEmail: login inDomain: nil];
-                  if ([contactInfos objectForKey: @"isGroup"])
-                    {
-                      subusers = [self membersForGroupWithUID: login];
-                      [members addObjectsFromArray: subusers];
-                    }
-                  else
-                    {
                       [members addObject: user];
-                    }
                 }
               [pool release];
             }
disableSubgroups.diff (1,777 bytes)   

Issue History

Date Modified Username Field Change
2024-01-09 09:29 mdom New Issue
2024-01-09 09:29 mdom Tag Attached: ldap
2024-01-09 09:29 mdom File Added: disableSubgroups.diff