[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: bug: openldapaci (slapd crashes if a dn contains '#')
Note that to be considered for inclusion in OpenLDAP
SOftware, patches MUST be submitted using the Issue
Tracking System as discussed in the contributing
guidelines <http://www.openldap.org/devel/contributing.html>.
Regards, Kurt
At 07:03 PM 8/12/2004, Harald Jung wrote:
>Hello,
>
>problem :
>if an user cn (aka access-id) contains a '#' and this user got access by an
>openldapaci definition, then slapd crashes after ' <<< dnNormalize:',
>
>fix:
>the whole dn after the last '#' in an openldapaci will be used now
>
>------snipp-------
>--- acl.c.orig Thu Aug 12 07:47:00 2004
>+++ acl.c Thu Aug 12 07:52:48 2004
>@@ -1701,6 +1701,7 @@
> struct berval *list,
> int ix,
> char sep,
>+ int getall,
> struct berval *bv )
> {
> int len;
>@@ -1725,10 +1726,16 @@
> return(0);
>
> bv->bv_val = p;
>- while (--len >= 0 && *p != sep) {
>- bv->bv_len++;
>- p++;
>- }
>+ if (getall) {
>+ bv->bv_len = len ;
>+ p += len ;
>+ }
>+ else {
>+ while (--len >= 0 && *p != sep) {
>+ bv->bv_len++;
>+ p++;
>+ }
>+ }
> while (bv->bv_len > 0 && *--p == ' ')
> bv->bv_len--;
> return(bv->bv_len);
>@@ -1784,11 +1791,11 @@
> AttributeDescription *desc = NULL;
>
> /* format of string is "entry/setAttrName" */
>- if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
>+ if (aci_get_part(subj, 0, '/', 0, &subjdn) < 0) {
> return(0);
> }
>
>- if ( aci_get_part(subj, 1, '/', &setat) < 0 ) {
>+ if ( aci_get_part(subj, 1, '/', 1, &setat) < 0 ) {
> setat = aci_bv_set_attr;
> }
>
>@@ -1835,7 +1842,7 @@
> int i;
>
> ACL_INIT(mask);
>- for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
>+ for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
> if (bv.bv_len <= 0)
> continue;
> switch (*bv.bv_val) {
>@@ -1880,9 +1887,9 @@
> struct berval bv, left, right;
> int i;
>
>- for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
>- if (aci_get_part(&bv, 0, '=', &left) < 0
>- || aci_get_part(&bv, 1, '=', &right) < 0)
>+ for (i = 0; aci_get_part(list, i, ',',0, &bv) >= 0; i++) {
>+ if (aci_get_part(&bv, 0, '=',0, &left) < 0
>+ || aci_get_part(&bv, 1, '=',1, &right) < 0)
> {
> if (ber_bvstrcasecmp(attr, &bv) == 0)
> return(1);
>@@ -1905,7 +1912,7 @@
> *
> * Ideally, this would allow r.e. matches.
> */
>- if (aci_get_part(&right, 0, '*', &left) < 0
>+ if (aci_get_part(&right, 0, '*',0, &left) < 0
> || right.bv_len <= left.bv_len)
> {
> if (ber_bvstrcasecmp(val, &right) ==
>0)
>@@ -1932,10 +1939,10 @@
>
> /* loop through each rights/attr pair, skip first part (action) */
> ACL_INIT(mask);
>- for (i = 1; aci_get_part(list, i + 1, ';', &bv) >= 0; i += 2) {
>+ for (i = 1; aci_get_part(list, i + 1, ';',0, &bv) >= 0; i += 2) {
> if (aci_list_has_attr(&bv, attr, val) == 0)
> continue;
>- if (aci_get_part(list, i, ';', &bv) < 0)
>+ if (aci_get_part(list, i, ';',0, &bv) < 0)
> continue;
> mask |= aci_list_map_rights(&bv);
> }
>@@ -1963,8 +1970,8 @@
> ACL_INIT(*grant);
> ACL_INIT(*deny);
> /* loop through each permissions clause */
>- for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) {
>- if (aci_get_part(&perm, 0, ';', &actn) < 0)
>+ for (i = 0; aci_get_part(list, i, '$', 0,&perm) >= 0; i++) {
>+ if (aci_get_part(&perm, 0, ';', 0,&actn) < 0)
> continue;
> if (ber_bvstrcasecmp( &aci_bv_grant, &actn ) == 0) {
> mask = grant;
>@@ -2000,15 +2007,15 @@
> int rc;
>
> /* format of string is "group/objectClassValue/groupAttrName" */
>- if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
>+ if (aci_get_part(subj, 0, '/',0, &subjdn) < 0) {
> return(0);
> }
>
>- if (aci_get_part(subj, 1, '/', &grpoc) < 0) {
>+ if (aci_get_part(subj, 1, '/', 0,&grpoc) < 0) {
> grpoc = *defgrpoc;
> }
>
>- if (aci_get_part(subj, 2, '/', &grpat) < 0) {
>+ if (aci_get_part(subj, 2, '/', 0,&grpat) < 0) {
> grpat = *defgrpat;
> }
>
>@@ -2068,22 +2075,22 @@
> For now, this routine only supports scope=entry.
> */
> /* check that the aci has all 5 components */
>- if (aci_get_part(aci, 4, '#', NULL) < 0)
>+ if (aci_get_part(aci, 4, '#',1, NULL) < 0)
> return(0);
>
> /* check that the aci family is supported */
>- if (aci_get_part(aci, 0, '#', &bv) < 0)
>+ if (aci_get_part(aci, 0, '#', 0, &bv) < 0)
> return(0);
>
> /* check that the scope matches */
>- if (aci_get_part(aci, 1, '#', &bv) < 0
>+ if (aci_get_part(aci, 1, '#', 0, &bv) < 0
> || ber_bvstrcasecmp( scope, &bv ) != 0)
> {
> return(0);
> }
>
> /* get the list of permissions clauses, bail if empty */
>- if (aci_get_part(aci, 2, '#', &perms) <= 0)
>+ if (aci_get_part(aci, 2, '#', 0, &perms) <= 0)
> return(0);
>
> /* check if any permissions allow desired access */
>@@ -2091,10 +2098,10 @@
> return(0);
>
> /* see if we have a DN match */
>- if (aci_get_part(aci, 3, '#', &bv) < 0)
>+ if (aci_get_part(aci, 3, '#', 0, &bv) < 0)
> return(0);
>
>- if (aci_get_part(aci, 4, '#', &sdn) < 0)
>+ if (aci_get_part(aci, 4, '#', 1, &sdn) < 0)
> return(0);
>
> if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) {
>
>------snipp-------
>
>best regards
>Harald Jung