Backout the input exhaustion change, it loops. Still looking for

[openldap] / servers / slapd / acl.c

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 85cdda55152c974db148e163e54c83f021c4ad56..5d1eedb4401e8e8b06d8edf397190b25fd6dbc8d 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -38,7 +38,7 @@ access_allowed(
 )
 {
        int                             rc;
-       struct acl              *a;
+       AccessControl   *a;
        char            *edn;
 
        regmatch_t       matches[MAXREMATCHES];
@@ -55,7 +55,7 @@ access_allowed(
                e->e_dn, attr, 0 );
 
        /* the lastmod attributes are ignored by ACL checking */
-       if ( oc_check_operational( attr ) ) {
+       if ( oc_check_no_usermod_attr( attr ) ) {
                Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
                        attr, 0, 0 );
                return(1);
@@ -93,7 +93,7 @@ access_allowed(
  * acl_access_allowed().
  */
 
-struct acl *
+AccessControl *
 acl_get_applicable(
     Backend            *be,
     Operation          *op,
@@ -104,7 +104,7 @@ acl_get_applicable(
 )
 {
        int             i;
-       struct acl      *a;
+       AccessControl   *a;
     char               *edn;
 
        Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n",
@@ -200,7 +200,7 @@ acl_get_applicable(
 
 int
 acl_access_allowed(
-    struct acl         *a,
+    AccessControl      *a,
     Backend            *be,
     Connection         *conn,
     Entry              *e,
@@ -212,8 +212,7 @@ acl_access_allowed(
 )
 {
        int             i;
-       char            *odn;
-       struct access   *b;
+       Access  *b;
        Attribute       *at;
        struct berval   bv;
        int             default_access;
@@ -244,11 +243,9 @@ acl_access_allowed(
                return( default_access >= access );
        }
 
-       odn = op->o_ndn;
-
-       if ( odn != NULL ) {
-               bv.bv_val = odn;
-               bv.bv_len = strlen( odn );
+       if ( op->o_ndn != NULL ) {
+               bv.bv_val = op->o_ndn;
+               bv.bv_len = strlen( bv.bv_val );
        }
 
        for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
@@ -260,7 +257,17 @@ acl_access_allowed(
                         * user is bound as somebody in the same namespace as
                         * the entry, OR the given dn matches the dn pattern
                         */
-                       if ( strcasecmp( b->a_dnpat, "self" ) == 0 && 
+                       if ( strcasecmp( b->a_dnpat, "anonymous" ) == 0 && 
+                               (op->o_ndn == NULL || *(op->o_ndn) == '\0' ) ) 
+                       {
+                               Debug( LDAP_DEBUG_ACL,
+                               "<= acl_access_allowed: matched by clause #%d access %s\n",
+                                   i, ACL_GRANT(b->a_access, access)
+                                               ? "granted" : "denied", 0 );
+
+                               return ACL_GRANT(b->a_access, access );
+
+                       } else if ( strcasecmp( b->a_dnpat, "self" ) == 0 && 
                                op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL ) 
                        {
                                if ( strcmp( edn, op->o_ndn ) == 0 ) {
@@ -272,7 +279,7 @@ acl_access_allowed(
                                        return ACL_GRANT(b->a_access, access );
                                }
                        } else {
-                               if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) {
+                               if ( regex_matches( b->a_dnpat, op->o_ndn, edn, matches ) ) {
                                        Debug( LDAP_DEBUG_ACL,
                                    "<= acl_access_allowed: matched by clause #%d access %s\n",
                                    i, ACL_GRANT(b->a_access, access)
@@ -343,7 +350,7 @@ acl_access_allowed(
 
                        return ACL_GRANT(b->a_access, access );
                }
-#ifdef SLAPD_ACLGROUPS
+
                if ( b->a_group != NULL && op->o_ndn != NULL ) {
                        char buf[1024];
 
@@ -355,7 +362,7 @@ acl_access_allowed(
                        string_expand(buf, sizeof(buf), b->a_group, edn, matches);
                        (void) dn_normalize_case(buf);
 
-                       if (backend_group(be, e, buf, odn,
+                       if (backend_group(be, e, buf, op->o_ndn,
                                b->a_group_oc, b->a_group_at) == 0)
                        {
                                Debug( LDAP_DEBUG_ACL,
@@ -364,7 +371,6 @@ acl_access_allowed(
                                return ACL_GRANT(b->a_access, access );
                        }
                }
-#endif /* SLAPD_ACLGROUPS */
        }
 
        Debug( LDAP_DEBUG_ACL,
@@ -392,14 +398,14 @@ acl_check_modlist(
 )
 {
        int             i;
-       struct acl      *a;
+       AccessControl   *a;
        char    *edn = e->e_ndn;
 
        for ( ; mlist != NULL; mlist = mlist->ml_next ) {
                regmatch_t       matches[MAXREMATCHES];
 
                /* the lastmod attributes are ignored by ACL checking */
-               if ( oc_check_operational( mlist->ml_type ) ) {
+               if ( oc_check_no_usermod_attr( mlist->ml_type ) ) {
                        Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
                                mlist->ml_type, 0, 0 );
                        continue;
@@ -512,6 +518,8 @@ regex_matches(
        char newbuf[512];
        int     rc;
 
+       if(str == NULL) str = "";
+
        string_expand(newbuf, sizeof(newbuf), pat, buf, matches);
        if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) {
                char error[512];