samba.git/python/samba/tests/usage.py, branch master Unnamed repository; edit this file 'description' to name the repository. CVE-2025-10230: s4/tests: check that wins hook sanitizes names 2025-10-21T18:40:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-09-09T01:36:16+00:00 90b01ac9029169f0a185e74233a71b19a1b4acf0 An smb.conf can contain a 'wins hook' parameter, which names a script to run when a WINS name is changed. The man page says The second argument is the NetBIOS name. If the name is not a legal name then the wins hook is not called. Legal names contain only letters, digits, hyphens, underscores and periods. but it turns out the legality check is not performed if the WINS server in question is the source4 nbt one. It is not expected that people will run this server, but they can. This is bad because the name is passed unescaped into a shell command line, allowing command injection. For this test we don't care whether the WINS server is returning an error code, just whether it is running the wins hook. The tests show it often runs the hook it shouldn't, though some characters are incidentally blocked because the name has to fit in a DN before it gets to the hook, and DNs have a few syntactic restrictions (e.g., blocking '<', '>', and ';'). The source3 WINS server that is used by Samba when not run as a DC is not affected and not here tested. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15903 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
An smb.conf can contain a 'wins hook' parameter, which names a script
to run when a WINS name is changed. The man page says

    The second argument is the NetBIOS name. If the name is not a
    legal name then the wins hook is not called. Legal names contain
    only letters, digits, hyphens, underscores and periods.

but it turns out the legality check is not performed if the WINS
server in question is the source4 nbt one. It is not expected that
people will run this server, but they can. This is bad because the
name is passed unescaped into a shell command line, allowing command
injection.

For this test we don't care whether the WINS server is returning an
error code, just whether it is running the wins hook. The tests show
it often runs the hook it shouldn't, though some characters are
incidentally blocked because the name has to fit in a DN before it
gets to the hook, and DNs have a few syntactic restrictions (e.g.,
blocking '<', '>', and ';').

The source3 WINS server that is used by Samba when not run as a DC is
not affected and not here tested.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15903

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Fix usage test broken by rust vendor sources 2024-10-23T14:21:34+00:00 David Mulder dmulder@samba.org 2024-08-29T20:09:56+00:00 a18c6ff20bc9eaacc1c5caa3923ce0b38b96ad0c Signed-off-by: David Mulder <dmulder@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
python/blackbox: add rpcd_witness_samba_only.py test 2024-01-26T17:00:33+00:00 Stefan Metzmacher metze@samba.org 2024-01-10T14:11:24+00:00 b17e090e7c1b864eb6e8a9663c6145fb97d91e0f This tests the witness service and its interaction with ctdb. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> 
This tests the witness service and its interaction with
ctdb.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
python:tests: Move NDR tests to their own directory 2023-11-20T21:50:32+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-11-20T02:46:16+00:00 21a3f60cfc783d07994b29696c7a75e2372dd114 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python:tests: Ensure that we don’t overwrite tests 2023-05-29T22:32:28+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-05-25T05:03:48+00:00 fb759809f89d8277542b1106d39939f32a04778e If the file iterator returns two entries with the same name, one may overwrite the other. script_iterator() currently ensures this won’t happen, but it pays to be safe. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
If the file iterator returns two entries with the same name, one may
overwrite the other.

script_iterator() currently ensures this won’t happen, but it pays to be
safe.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python:tests: Remove unused imports 2023-05-29T22:32:28+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-05-25T04:57:36+00:00 2009166efd40f39cc29a7cf0a3cf97d73df6678d Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python:tests: Exclude Python test directories 2023-05-29T22:32:28+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-05-25T04:58:30+00:00 c51bffa8fdcac6f0d49fb4cc7656ab789ab50bc2 Practically all of our Kerberos tests are excluded already. Many of our tests aren’t marked as executable, and so aren’t being checked anyway. Rather than having a large list of exclusions which one may easily forget to update, just exclude the test directories. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Practically all of our Kerberos tests are excluded already. Many of our
tests aren’t marked as executable, and so aren’t being checked anyway.
Rather than having a large list of exclusions which one may easily
forget to update, just exclude the test directories.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/krb5: Add tests for authentication policies 2023-05-18T01:03:37+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-05-04T01:53:06+00:00 84a7ae8e0c7730e03161d69b5ca55436cfc5b066 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest: Add python test that verifies that we can parse a PAC 2023-03-31T01:48:30+00:00 Andrew Bartlett abartlet@samba.org 2023-03-27T01:19:51+00:00 2cba54ba30e96dafb5a49f11defdb08efcc19590 This give us a building block to test the PAC claims format Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
This give us a building block to test the PAC claims format

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
tests/krb5: Add tests for device info 2023-03-08T04:39:32+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-03-02T22:48:22+00:00 0ac800d0081fb893effaa555d3117102556a7b75 These tests verify that the groups in the device info structure in the PAC are exactly as expected under various scenarios. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
These tests verify that the groups in the device info structure in the
PAC are exactly as expected under various scenarios.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>