
Re: possible small bug in acl.c



Looks like a bug.  I suggest you file an issue report.
Patch welcomed.  http://www.openldap.org/its/

Kurt

At 05:35 AM 2002-01-07, Mark Blackman wrote:

>First of all, let me say thanks for all the work that has been
>put in to get openldap to this level.
>
>I'm posting this to the developers list as I need help interpreting the
>intentions of the coders as expressed in servers/slapd/acl.c.
>
>Depending on whether or not I understand the acl_mask code correctly, there
>may be a bug/typo in the peername ACL code.
>
>specifically in 2.0.18/servers/slapd/acl.c
>(some whitespace removed/line numbers added)
>
>522 if ( b->a_peername_pat != NULL ) {
>523         Debug( LDAP_DEBUG_ACL, "<= check a_peername_path: %s\n",
>524                 b->a_peername_pat, 0, 0 );
>525 
>526         if ( strcmp( b->a_peername_pat, "*" ) != 0) {
>527                 if ( b->a_peername_style == ACL_STYLE_REGEX) {
>528                         if (!regex_matches( b->a_peername_pat, conn->c_peer_name,
>529                                         e->e_ndn, matches ) ) 
>530                         {
>531                                 continue;
>532                         }
>533                 } else {
>534                         if ( strcasecmp( b->a_peername_pat, conn->c_peer_name ) == 0 )
>535                                 continue;
>536                 }
>537         }
>538 }
>
>I believe that the "continue" control statement is called on ACL match
>**failure**, but the strcasecmp comparison (corresponding to a peername.exact)
>on line 534 goes to "continue" when there **is** a match (strcasecmp==0)
>between the <who> clause and the peername. This same form occurs in a few
>other places as well (line 498,516,552).
>
>Either this is a typo/bug or I'm not interpreting this code properly. In any
>case, it appears to do the wrong thing as I always get an apparent peername match on
>the first peername when it's a non-match.
>
>I'm just asking if this is intentional logic or a typo?
>
>As a final note, I find it rather unexpected that conn->c_peer_name appears to be
>of the form "IP=xxx.xxx.xxx.xxx:yyy" rather than just "xxx.xxx.xxx.xxx".
>Ideally this would be documented in the OpenLDAP administrators guide either
>as an example or as an explicit requirement.
>
>I'm ignoring the ACL_REGEX forms because my regex engine seems to be a bit
>slow (FreeBSD), which is why I've noticed these effects.
>
>Thanks
>Mark Blackman
>Senior Systems Administrator            Tel: +44 (0)870 887 8896
>Netscalibur UK Limited                  Fax: +44 (0)870 887 8868
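
The effect described in the quoted message, as an added example that is not part of the original post and is not OpenLDAP code: a simplified clause loop that skips a clause either with the `== 0` test quoted on line 534 or with `!= 0`, the behaviour the poster expected. The struct, the function names and the sample peer names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified stand-in for one <who> clause; not slapd's struct. */
struct who_clause {
    const char *peername_pat;   /* NULL means the clause has no peername test */
};

/* Returns 1 if the clause must be skipped (the "continue" in the excerpt).
 * as_posted != 0 reproduces the comparison on line 534; 0 uses "!= 0". */
static int skip_clause(const struct who_clause *b, const char *peer, int as_posted)
{
    if (b->peername_pat == NULL || strcmp(b->peername_pat, "*") == 0)
        return 0;                               /* no test, or wildcard */
    int equal = (strcasecmp(b->peername_pat, peer) == 0);
    return as_posted ? equal : !equal;
}

/* Index of the first clause that is not skipped, or -1 if none applies. */
static int first_applicable(const struct who_clause *c, int n,
                            const char *peer, int as_posted)
{
    for (int i = 0; i < n; i++) {
        if (skip_clause(&c[i], peer, as_posted))
            continue;
        return i;
    }
    return -1;
}

/* Constructed sample data, using the "IP=addr:port" form noted in the post. */
static const struct who_clause sample_clauses[] = {
    { "IP=192.0.2.10:40112" },
    { "IP=192.0.2.77:40112" },
    { "*" },
};
static const char *sample_peer = "IP=192.0.2.77:40112";

int main(void)
{
    printf("as posted: clause %d\n", first_applicable(sample_clauses, 3, sample_peer, 1));
    printf("corrected: clause %d\n", first_applicable(sample_clauses, 3, sample_peer, 0));
    return 0;
}
```

With the `== 0` test the first clause is applied to a peer it does not name, and a peer it does name falls through to the next clause; with `!= 0` each peer lands on its own clause or on the wildcard.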