Re: OpenLDAP 2.4.7 Bug?

[Howard Chu <hyc@symas.com>]

Kurt Zeilenga wrote:
> On Dec 27, 2007, at 10:26 AM, Philip Guenther wrote:
> > On Thu, 27 Dec 2007, Dieter Kluenter wrote:
> > > There should be only one asterisk and no space after a asterisk. See
> > > rfc 4515, String representation on search filters.
> > Umm, no.  That filter matches the grammar in RFC 4515.
>
> Note that there is no way one can represent an empty initial or empty
> final substrings.  That's because empty substrings are nonsense.  The
> filter (cn=**) is invalid as it represents an empty initial, an empty
> any, and an empty final.  slapd(8) correctly errors on receipt of any
> empty substring.
>
> One can argue that the LDAP ASN.1 and the LDAP filter ABNF should have
> size constraints on substring values.  I consider it a minor bug in
> specification which should be fixed.
>
> IMO, the bug is in ldapsearch(1).  It should reject a filter with
> empty substrings.

Hmm.
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/filter.c,v
----------------------------
revision 1.5
date: 2002/01/02 22:03:37;  author: kurt;  state: Exp;  lines: +2 -2
fix empty substrings any bug
----------------------------
diff -u -r1.4 -r1.5
--- filter.c    2 Jan 2002 19:31:21 -0000       1.4
+++ filter.c    2 Jan 2002 22:03:37 -0000       1.5
@@ -675,7 +675,7 @@

                *nextstar++ = '\0';

-               if ( *val != '\0' ) {
+               if ( *val != '\0' || ftype == LDAP_SUBSTRING_ANY ) {
                        ber_slen_t len = ldap_pvt_filter_value_unescape( val );

                        if ( len < 0  ) {

So at some point, this was intended to be legal.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/