[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
bug: openldapaci (slapd crashes if a dn contains '#')
- To: openldap-devel@OpenLDAP.org
- Subject: bug: openldapaci (slapd crashes if a dn contains '#')
- From: Harald Jung <jung@ecos.de>
- Date: Thu, 12 Aug 2004 13:01:30 +0200
- Organization: ecos
- User-agent: KMail/1.5.4
Hello,
problem :
if an user cn (aka access-id) contains a '#' and this user got access by an
openldapaci definition, then slapd crashes after ' <<< dnNormalize:',
fix:
the whole dn after the last '#' in an openldapaci will be used now
------snipp-------
--- acl.c.orig Thu Aug 12 07:47:00 2004
+++ acl.c Thu Aug 12 07:52:48 2004
@@ -1701,6 +1701,7 @@
struct berval *list,
int ix,
char sep,
+ int getall,
struct berval *bv )
{
int len;
@@ -1725,10 +1726,16 @@
return(0);
bv->bv_val = p;
- while (--len >= 0 && *p != sep) {
- bv->bv_len++;
- p++;
- }
+ if (getall) {
+ bv->bv_len = len ;
+ p += len ;
+ }
+ else {
+ while (--len >= 0 && *p != sep) {
+ bv->bv_len++;
+ p++;
+ }
+ }
while (bv->bv_len > 0 && *--p == ' ')
bv->bv_len--;
return(bv->bv_len);
@@ -1784,11 +1791,11 @@
AttributeDescription *desc = NULL;
/* format of string is "entry/setAttrName" */
- if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
+ if (aci_get_part(subj, 0, '/', 0, &subjdn) < 0) {
return(0);
}
- if ( aci_get_part(subj, 1, '/', &setat) < 0 ) {
+ if ( aci_get_part(subj, 1, '/', 1, &setat) < 0 ) {
setat = aci_bv_set_attr;
}
@@ -1835,7 +1842,7 @@
int i;
ACL_INIT(mask);
- for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
+ for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
if (bv.bv_len <= 0)
continue;
switch (*bv.bv_val) {
@@ -1880,9 +1887,9 @@
struct berval bv, left, right;
int i;
- for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
- if (aci_get_part(&bv, 0, '=', &left) < 0
- || aci_get_part(&bv, 1, '=', &right) < 0)
+ for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
+ if (aci_get_part(&bv, 0, '=',0, &left) < 0
+ || aci_get_part(&bv, 1, '=',1, &right) < 0)
{
if (ber_bvstrcasecmp(attr, &bv) == 0)
return(1);
@@ -1905,7 +1912,7 @@
*
* Ideally, this would allow r.e. matches.
*/
- if (aci_get_part(&right, 0, '*', &left) < 0
+ if (aci_get_part(&right, 0, '*',0, &left) < 0
|| right.bv_len <= left.bv_len)
{
if (ber_bvstrcasecmp(val, &right) == 0)
@@ -1932,10 +1939,10 @@
/* loop through each rights/attr pair, skip first part (action) */
ACL_INIT(mask);
- for (i = 1; aci_get_part(list, i + 1, ';', &bv) >= 0; i += 2) {
+ for (i = 1; aci_get_part(list, i + 1, ';',0, &bv) >= 0; i += 2) {
if (aci_list_has_attr(&bv, attr, val) == 0)
continue;
- if (aci_get_part(list, i, ';', &bv) < 0)
+ if (aci_get_part(list, i, ';',0, &bv) < 0)
continue;
mask |= aci_list_map_rights(&bv);
}
@@ -1963,8 +1970,8 @@
ACL_INIT(*grant);
ACL_INIT(*deny);
/* loop through each permissions clause */
- for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) {
- if (aci_get_part(&perm, 0, ';', &actn) < 0)
+ for (i = 0; aci_get_part(list, i, '$', 0,&perm) >= 0; i++) {
+ if (aci_get_part(&perm, 0, ';', 0,&actn) < 0)
continue;
if (ber_bvstrcasecmp( &aci_bv_grant, &actn ) == 0) {
mask = grant;
@@ -2000,15 +2007,15 @@
int rc;
/* format of string is "group/objectClassValue/groupAttrName" */
- if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
+ if (aci_get_part(subj, 0, '/',0, &subjdn) < 0) {
return(0);
}
- if (aci_get_part(subj, 1, '/', &grpoc) < 0) {
+ if (aci_get_part(subj, 1, '/', 0,&grpoc) < 0) {
grpoc = *defgrpoc;
}
- if (aci_get_part(subj, 2, '/', &grpat) < 0) {
+ if (aci_get_part(subj, 2, '/', 0,&grpat) < 0) {
grpat = *defgrpat;
}
@@ -2068,22 +2075,22 @@
For now, this routine only supports scope=entry.
*/
/* check that the aci has all 5 components */
- if (aci_get_part(aci, 4, '#', NULL) < 0)
+ if (aci_get_part(aci, 4, '#',1, NULL) < 0)
return(0);
/* check that the aci family is supported */
- if (aci_get_part(aci, 0, '#', &bv) < 0)
+ if (aci_get_part(aci, 0, '#', 0, &bv) < 0)
return(0);
/* check that the scope matches */
- if (aci_get_part(aci, 1, '#', &bv) < 0
+ if (aci_get_part(aci, 1, '#', 0, &bv) < 0
|| ber_bvstrcasecmp( scope, &bv ) != 0)
{
return(0);
}
/* get the list of permissions clauses, bail if empty */
- if (aci_get_part(aci, 2, '#', &perms) <= 0)
+ if (aci_get_part(aci, 2, '#', 0, &perms) <= 0)
return(0);
/* check if any permissions allow desired access */
@@ -2091,10 +2098,10 @@
return(0);
/* see if we have a DN match */
- if (aci_get_part(aci, 3, '#', &bv) < 0)
+ if (aci_get_part(aci, 3, '#', 0, &bv) < 0)
return(0);
- if (aci_get_part(aci, 4, '#', &sdn) < 0)
+ if (aci_get_part(aci, 4, '#', 1, &sdn) < 0)
return(0);
if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) {
------snipp-------
best regards
Harald Jung
--- acl.c.orig Thu Aug 12 07:47:00 2004
+++ acl.c Thu Aug 12 07:52:48 2004
@@ -1701,6 +1701,7 @@
struct berval *list,
int ix,
char sep,
+ int getall,
struct berval *bv )
{
int len;
@@ -1725,10 +1726,16 @@
return(0);
bv->bv_val = p;
- while (--len >= 0 && *p != sep) {
- bv->bv_len++;
- p++;
- }
+ if (getall) {
+ bv->bv_len = len ;
+ p += len ;
+ }
+ else {
+ while (--len >= 0 && *p != sep) {
+ bv->bv_len++;
+ p++;
+ }
+ }
while (bv->bv_len > 0 && *--p == ' ')
bv->bv_len--;
return(bv->bv_len);
@@ -1784,11 +1791,11 @@
AttributeDescription *desc = NULL;
/* format of string is "entry/setAttrName" */
- if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
+ if (aci_get_part(subj, 0, '/', 0, &subjdn) < 0) {
return(0);
}
- if ( aci_get_part(subj, 1, '/', &setat) < 0 ) {
+ if ( aci_get_part(subj, 1, '/', 1, &setat) < 0 ) {
setat = aci_bv_set_attr;
}
@@ -1835,7 +1842,7 @@
int i;
ACL_INIT(mask);
- for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
+ for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
if (bv.bv_len <= 0)
continue;
switch (*bv.bv_val) {
@@ -1880,9 +1887,9 @@
struct berval bv, left, right;
int i;
- for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
- if (aci_get_part(&bv, 0, '=', &left) < 0
- || aci_get_part(&bv, 1, '=', &right) < 0)
+ for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
+ if (aci_get_part(&bv, 0, '=',0, &left) < 0
+ || aci_get_part(&bv, 1, '=',1, &right) < 0)
{
if (ber_bvstrcasecmp(attr, &bv) == 0)
return(1);
@@ -1905,7 +1912,7 @@
*
* Ideally, this would allow r.e. matches.
*/
- if (aci_get_part(&right, 0, '*', &left) < 0
+ if (aci_get_part(&right, 0, '*',0, &left) < 0
|| right.bv_len <= left.bv_len)
{
if (ber_bvstrcasecmp(val, &right) == 0)
@@ -1932,10 +1939,10 @@
/* loop through each rights/attr pair, skip first part (action) */
ACL_INIT(mask);
- for (i = 1; aci_get_part(list, i + 1, ';', &bv) >= 0; i += 2) {
+ for (i = 1; aci_get_part(list, i + 1, ';',0, &bv) >= 0; i += 2) {
if (aci_list_has_attr(&bv, attr, val) == 0)
continue;
- if (aci_get_part(list, i, ';', &bv) < 0)
+ if (aci_get_part(list, i, ';',0, &bv) < 0)
continue;
mask |= aci_list_map_rights(&bv);
}
@@ -1963,8 +1970,8 @@
ACL_INIT(*grant);
ACL_INIT(*deny);
/* loop through each permissions clause */
- for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) {
- if (aci_get_part(&perm, 0, ';', &actn) < 0)
+ for (i = 0; aci_get_part(list, i, '$', 0,&perm) >= 0; i++) {
+ if (aci_get_part(&perm, 0, ';', 0,&actn) < 0)
continue;
if (ber_bvstrcasecmp( &aci_bv_grant, &actn ) == 0) {
mask = grant;
@@ -2000,15 +2007,15 @@
int rc;
/* format of string is "group/objectClassValue/groupAttrName" */
- if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
+ if (aci_get_part(subj, 0, '/',0, &subjdn) < 0) {
return(0);
}
- if (aci_get_part(subj, 1, '/', &grpoc) < 0) {
+ if (aci_get_part(subj, 1, '/', 0,&grpoc) < 0) {
grpoc = *defgrpoc;
}
- if (aci_get_part(subj, 2, '/', &grpat) < 0) {
+ if (aci_get_part(subj, 2, '/', 0,&grpat) < 0) {
grpat = *defgrpat;
}
@@ -2068,22 +2075,22 @@
For now, this routine only supports scope=entry.
*/
/* check that the aci has all 5 components */
- if (aci_get_part(aci, 4, '#', NULL) < 0)
+ if (aci_get_part(aci, 4, '#',1, NULL) < 0)
return(0);
/* check that the aci family is supported */
- if (aci_get_part(aci, 0, '#', &bv) < 0)
+ if (aci_get_part(aci, 0, '#', 0, &bv) < 0)
return(0);
/* check that the scope matches */
- if (aci_get_part(aci, 1, '#', &bv) < 0
+ if (aci_get_part(aci, 1, '#', 0, &bv) < 0
|| ber_bvstrcasecmp( scope, &bv ) != 0)
{
return(0);
}
/* get the list of permissions clauses, bail if empty */
- if (aci_get_part(aci, 2, '#', &perms) <= 0)
+ if (aci_get_part(aci, 2, '#', 0, &perms) <= 0)
return(0);
/* check if any permissions allow desired access */
@@ -2091,10 +2098,10 @@
return(0);
/* see if we have a DN match */
- if (aci_get_part(aci, 3, '#', &bv) < 0)
+ if (aci_get_part(aci, 3, '#', 0, &bv) < 0)
return(0);
- if (aci_get_part(aci, 4, '#', &sdn) < 0)
+ if (aci_get_part(aci, 4, '#', 1, &sdn) < 0)
return(0);
if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) {