0005913: Endless Loop in SOGo When LDAP Group Contains User with Same Name - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0005913	SOGo	Backend General	public	2024-01-09 09:29	2024-02-27 13:16

Reporter	mdom	Assigned To	sebastien
Priority	normal	Severity	major	Reproducibility	always
Status	assigned	Resolution	open
Platform	Server	OS	Linux Debian	OS Version	12
Product Version	5.9.1

Summary	0005913: Endless Loop in SOGo When LDAP Group Contains User with Same Name
Description	When SOGo encounters an LDAP group that contains a user with the same name as the group, it attempts to resolve this as a subgroup. Since the subgroup has the same identifier, SOGo repeatedly tries to resolve this subgroup, resulting in an endless loop. This loop continues until either the LDAP server or the SOGo server runs out of file descriptors, leading to potential service disruption or denial of service.
Steps To Reproduce	Create an LDAP group with a name (e.g., GroupName). Add a user to the LDAP directory with the same name as the group (GroupName). Attempt to access or utilize the group in SOGo.
Additional Information	The provided patch successfully addresses the issue at hand. However, I acknowledge that it may not be a universally applicable solution. Perhaps introducing an option to enable or disable subgroup decomposition could be considered?
Tags	ldap

mdom

2024-01-09 09:29

reporter

disableSubgroups.diff (1,777 bytes)

--- sogo-5.9.1.20240108.orig/SoObjects/SOGo/LDAPSource.m
+++ sogo-5.9.1.20240108/SoObjects/SOGo/LDAPSource.m
@@ -2289,7 +2289,7 @@ _makeLDAPChanges (NGLdapConnection *ldap
   SOGoUserManager *um;
   NSDictionary *d, *contactInfos;
   SOGoUser *user;
-  NSArray *o, *subusers, *logins;
+  NSArray *o, *logins;
   NSAutoreleasePool *pool;
   int i, c;
   NGLdapEntry *entry;
@@ -2339,16 +2339,7 @@ _makeLDAPChanges (NGLdapConnection *ldap
               user = [SOGoUser userWithLogin: login  roles: nil];
               if (user)
                 {
-                  contactInfos = [self lookupContactEntryWithUIDorEmail: login inDomain: nil];
-                  if ([contactInfos objectForKey: @"isGroup"])
-                    {
-                      subusers = [self membersForGroupWithUID: login];
-                      [members addObjectsFromArray: subusers];
-                    }
-                  else
-                    {
                       [members addObject: user];
-                    }
                 }
               [pool release];
             }
@@ -2361,16 +2352,7 @@ _makeLDAPChanges (NGLdapConnection *ldap
               user = [SOGoUser userWithLogin: login  roles: nil];
               if (user)
                 {
-                  contactInfos = [self lookupContactEntryWithUIDorEmail: login inDomain: nil];
-                  if ([contactInfos objectForKey: @"isGroup"])
-                    {
-                      subusers = [self membersForGroupWithUID: login];
-                      [members addObjectsFromArray: subusers];
-                    }
-                  else
-                    {
                       [members addObject: user];
-                    }
                 }
               [pool release];
             }

disableSubgroups.diff (1,777 bytes)

Date Modified	Username	Field	Change
2024-01-09 09:29	mdom	New Issue
2024-01-09 09:29	mdom	Tag Attached: ldap
2024-01-09 09:29	mdom	File Added: disableSubgroups.diff
2024-02-27 13:16	sebastien	Assigned To	=> sebastien
2024-02-27 13:16	sebastien	Status	new => assigned

View Issue Details

Activities

Issue History