X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=80ffa377bff833f7edb82b533cde964a7cec5bd1;hb=7666bb7482e788e478fbb506fb25645ae06f86a9;hp=1c8a5bad379e7ed8dff112897c69985f08c88e75;hpb=709ce4fa6c0a8aea66c4b6e15bf42aa3352ad2e2;p=openldap diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 1c8a5bad37..80ffa377bf 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -17,19 +17,20 @@ #include "slap.h" #include "lber_pvt.h" +#include "lutil.h" static void split(char *line, int splitchar, char **left, char **right); static void access_append(Access **l, Access *a); static void acl_usage(void) LDAP_GCCATTR((noreturn)); -static void acl_regex_normalized_dn(struct berval *pattern); +static void acl_regex_normalized_dn(const char *src, struct berval *pat); #ifdef LDAP_DEBUG static void print_acl(Backend *be, AccessControl *a); static void print_access(Access *b); #endif -static int +static void regtest(const char *fname, int lineno, char *pat) { int e; regex_t re; @@ -79,10 +80,8 @@ regtest(const char *fname, int lineno, char *pat) { "%s: line %d: regular expression \"%s\" bad because of %s\n", fname, lineno, pat, error ); acl_usage(); - return(0); } regfree(&re); - return(1); } void @@ -120,7 +119,9 @@ parse_acl( } if ( strcasecmp( argv[i], "*" ) == 0 ) { - if( a->acl_dn_pat.bv_len != 0 ) { + if( a->acl_dn_pat.bv_len || + ( a->acl_dn_style != ACL_STYLE_REGEX ) ) + { fprintf( stderr, "%s: line %d: dn pattern" " already specified in to clause.\n", @@ -144,7 +145,9 @@ parse_acl( } if ( strcasecmp( left, "dn" ) == 0 ) { - if( a->acl_dn_pat.bv_len != 0 ) { + if( a->acl_dn_pat.bv_len != 0 || + ( a->acl_dn_style != ACL_STYLE_REGEX ) ) + { fprintf( stderr, "%s: line %d: dn pattern" " already specified in to clause.\n", 
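Review bot: The guards added in the @@ -120 and @@ -144 hunks test the same condition but spell it differently (`a->acl_dn_pat.bv_len ||` versus `a->acl_dn_pat.bv_len != 0 ||`); one form, e.g. `if ( a->acl_dn_pat.bv_len != 0 || a->acl_dn_style != ACL_STYLE_REGEX ) {`, in both places saves the reader from hunting for a difference that is not there. Both guards treat any non-regex `acl_dn_style` as "a dn pattern was already given", which only works if the Access is created with `acl_dn_style` preset to ACL_STYLE_REGEX; that initialisation is not in these hunks and is worth confirming, and the intent deserves a line at the guard, `/* a style other than the default regex means a dn clause was already seen */`. parse_acl begins before these hunks and its allocation of `a` is outside the view.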
@@ -166,7 +169,7 @@ parse_acl( || strcmp(right, ".*") == 0 || strcmp(right, ".*$") == 0 || strcmp(right, "^.*") == 0 - || strcmp(right, "^.*$$") == 0 + || strcmp(right, "^.*$") == 0 || strcmp(right, ".*$$") == 0 || strcmp(right, "^.*$$") == 0 ) { @@ -174,8 +177,7 @@ parse_acl( a->acl_dn_pat.bv_len = sizeof("*")-1; } else { - a->acl_dn_pat.bv_val = right; - acl_regex_normalized_dn( &a->acl_dn_pat ); + acl_regex_normalized_dn( right, &a->acl_dn_pat ); } } else if ( strcasecmp( style, "base" ) == 0 ) { a->acl_dn_style = ACL_STYLE_BASE; @@ -200,8 +202,7 @@ parse_acl( } if ( strcasecmp( left, "filter" ) == 0 ) { - if ( (a->acl_filter = str2filter( - right )) == NULL ) { + if ( (a->acl_filter = str2filter( right )) == NULL ) { fprintf( stderr, "%s: line %d: bad filter \"%s\" in to clause\n", fname, lineno, right ); @@ -226,17 +227,25 @@ parse_acl( } if ( a->acl_dn_pat.bv_len != 0 && - strcmp(a->acl_dn_pat.bv_val, "*") == 0) + strcmp(a->acl_dn_pat.bv_val, "*") == 0 ) { free( a->acl_dn_pat.bv_val ); a->acl_dn_pat.bv_val = NULL; a->acl_dn_pat.bv_len = 0; } - if( a->acl_dn_pat.bv_len != 0 ) { + if( a->acl_dn_pat.bv_len != 0 || + ( a->acl_dn_style != ACL_STYLE_REGEX ) ) + { if ( a->acl_dn_style != ACL_STYLE_REGEX ) { struct berval bv; - dnNormalize2( NULL, &a->acl_dn_pat, &bv); + rc = dnNormalize2( NULL, &a->acl_dn_pat, &bv); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: bad DN \"%s\"\n", + fname, lineno, a->acl_dn_pat.bv_val ); + acl_usage(); + } free( a->acl_dn_pat.bv_val ); a->acl_dn_pat = bv; } else { @@ -373,8 +382,7 @@ parse_acl( 1, &bv); } else { - bv.bv_val = right; - acl_regex_normalized_dn( &bv ); + acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { regtest(fname, lineno, bv.bv_val); } 
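Review bot: In the @@ -226 hunk the new failure branch formats `a->acl_dn_pat.bv_val` with `%s`, yet the widened outer condition now admits exactly the state the block just above it produces for a "*" pattern under a non-regex style — `bv_val == NULL`, `bv_len == 0` — so if dnNormalize2 rejects that input the diagnostic hands a null pointer to fprintf, which is undefined behaviour; `fname, lineno, a->acl_dn_pat.bv_val ? a->acl_dn_pat.bv_val : ""` avoids it. The same normalize-report-exit sequence is pasted three times (@@ -226 here, @@ -402 and @@ -490 in the following hunks), once printing the berval and once the raw `right`; a small static helper next to regtest() removes the duplication and applies the null guard everywhere. parse_acl's body extends well beyond these hunks, so whether `rc` is declared in it is not visible here.
```c
/* Normalize *in into *out; on failure report the offending config line
 * and leave through acl_usage(), which is declared noreturn. */
static void
acl_normalize_dn_or_usage( const char *fname, int lineno,
	struct berval *in, struct berval *out )
{
	int rc = dnNormalize2( NULL, in, out );

	if ( rc != LDAP_SUCCESS ) {
		fprintf( stderr, "%s: line %d: bad DN \"%s\"\n",
			fname, lineno, in->bv_val ? in->bv_val : "" );
		acl_usage();
	}
}

/* … unchanged: parse_acl up to the dn style check in the @@ -226 hunk … */
			acl_normalize_dn_or_usage( fname, lineno, &a->acl_dn_pat, &bv );
/* … unchanged: free of the old pattern and the remaining hunks, where the
 * other two dnNormalize2/fprintf/acl_usage blocks become the same call … */
```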
@@ -402,7 +410,13 @@ parse_acl( } if ( sty != ACL_STYLE_REGEX && expand == 0 ) { - dnNormalize2(NULL, &bv, &b->a_dn_pat); + rc = dnNormalize2(NULL, &bv, &b->a_dn_pat); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: bad DN \"%s\"\n", + fname, lineno, bv.bv_val ); + acl_usage(); + } free(bv.bv_val); } else { b->a_dn_pat = bv; @@ -490,15 +504,20 @@ parse_acl( b->a_group_style = sty; if (sty == ACL_STYLE_REGEX) { - bv.bv_val = right; - acl_regex_normalized_dn( &bv ); + acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { regtest(fname, lineno, bv.bv_val); } b->a_group_pat = bv; } else { ber_str2bv( right, 0, 0, &bv ); - dnNormalize2( NULL, &bv, &b->a_group_pat ); + rc = dnNormalize2( NULL, &bv, &b->a_group_pat ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: bad DN \"%s\"\n", + fname, lineno, right ); + acl_usage(); + } } if (value && *value) { @@ -625,8 +644,7 @@ parse_acl( b->a_peername_style = sty; if (sty == ACL_STYLE_REGEX) { - bv.bv_val = right; - acl_regex_normalized_dn( &bv ); + acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { regtest(fname, lineno, bv.bv_val); } @@ -661,8 +679,7 @@ parse_acl( b->a_sockname_style = sty; if (sty == ACL_STYLE_REGEX) { - bv.bv_val = right; - acl_regex_normalized_dn( &bv ); + acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { regtest(fname, lineno, bv.bv_val); } @@ -704,8 +721,7 @@ parse_acl( b->a_domain_style = sty; b->a_domain_expand = expand; if (sty == ACL_STYLE_REGEX) { - bv.bv_val = right; - acl_regex_normalized_dn( &bv ); + acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { regtest(fname, lineno, bv.bv_val); } @@ -740,8 +756,7 @@ parse_acl( b->a_sockurl_style = sty; if (sty == ACL_STYLE_REGEX) { - bv.bv_val = right; - acl_regex_normalized_dn( &bv ); + acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { regtest(fname, lineno, bv.bv_val); } 
@@ -1092,24 +1107,24 @@ accessmask2str( slap_mask_t mask, char *buf ) if ( ACL_IS_LEVEL( mask ) ) { if ( ACL_LVL_IS_NONE(mask) ) { - ptr = slap_strcopy( ptr, "none" ); + ptr = lutil_strcopy( ptr, "none" ); } else if ( ACL_LVL_IS_AUTH(mask) ) { - ptr = slap_strcopy( ptr, "auth" ); + ptr = lutil_strcopy( ptr, "auth" ); } else if ( ACL_LVL_IS_COMPARE(mask) ) { - ptr = slap_strcopy( ptr, "compare" ); + ptr = lutil_strcopy( ptr, "compare" ); } else if ( ACL_LVL_IS_SEARCH(mask) ) { - ptr = slap_strcopy( ptr, "search" ); + ptr = lutil_strcopy( ptr, "search" ); } else if ( ACL_LVL_IS_READ(mask) ) { - ptr = slap_strcopy( ptr, "read" ); + ptr = lutil_strcopy( ptr, "read" ); } else if ( ACL_LVL_IS_WRITE(mask) ) { - ptr = slap_strcopy( ptr, "write" ); + ptr = lutil_strcopy( ptr, "write" ); } else { - ptr = slap_strcopy( ptr, "unknown" ); + ptr = lutil_strcopy( ptr, "unknown" ); } *ptr++ = '('; @@ -1270,25 +1285,26 @@ acl_usage( void ) } /* + * Set pattern to a "normalized" DN from src. * At present it simply eats the (optional) space after * a RDN separator (,) * Eventually will evolve in a more complete normalization - * - * Note that the input berval only needs bv_val, it ignores - * the input bv_len and sets it on return. */ static void acl_regex_normalized_dn( + const char *src, struct berval *pattern ) { char *str, *p; + ber_len_t len; - str = ch_strdup( pattern->bv_val ); + str = ch_strdup( src ); + len = strlen( src ); for ( p = str; p && p[ 0 ]; p++ ) { /* escape */ - if ( p[ 0 ] == '\\' ) { + if ( p[ 0 ] == '\\' && p[ 1 ] ) { /* * if escaping a hex pair we should * increment p twice; however, in that @@ -1309,7 +1325,7 @@ acl_regex_normalized_dn( for ( q = &p[ 2 ]; q[ 0 ] == ' '; q++ ) { /* DO NOTHING */ ; } - AC_MEMCPY( p+1, q, pattern->bv_len-(q-str)+1); + AC_MEMCPY( p+1, q, len-(q-str)+1); } } }
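Review bot: In the @@ -1270 hunk `len` is taken once from `src` and never reduced, so after the first run of spaces is squeezed out the AC_MEMCPY length `len-(q-str)+1` exceeds the live string by the number of bytes already removed; the copy still ends at the terminator slot of the `len+1`-byte ch_strdup allocation, so it is not an overflow, but `len -= q - (p + 1);` right after the AC_MEMCPY keeps the count exact and matters if the tail of the function, which lies outside the hunk, derives `pattern->bv_len` from it. The added `&& p[ 1 ]` is the right guard: it stops a trailing backslash from advancing `p` past the terminator. The rewritten header comment could also state ownership, `/* pattern->bv_val receives a fresh ch_strdup() copy that the caller owns and frees */`, presuming the tail assigns `str` to `pattern`; the prior remark that the input bv_len was ignored was correct to drop now that the length comes from `src`.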