ignore attrs in search request that do not conform to RFC 4511 4.5.1.8. or standard...
authorPierangelo Masarati <ando@openldap.org>
Tue, 1 Feb 2011 23:13:58 +0000 (23:13 +0000)
committerPierangelo Masarati <ando@openldap.org>
Tue, 1 Feb 2011 23:13:58 +0000 (23:13 +0000)
servers/slapd/ad.c
servers/slapd/proto-slap.h
servers/slapd/search.c

index a5469cfd822005aeeddce8539a1c18513b9f8d85..6c4bc4929d3a587fc66d33b6720da29170f21c0c 100644 (file)
@@ -76,7 +76,7 @@ static int msad_range_hack = 0;
 
 static Attr_option *ad_find_option_definition( const char *opt, int optlen );
 
-static int ad_keystring(
+int ad_keystring(
        struct berval *bv )
 {
        ber_len_t i;
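Review bot: `ad_keystring` has no comment stating its return convention, which matters now that it is callable from outside ad.c; the prototype added to proto-slap.h is undocumented as well. The new caller in search.c treats a non-zero result as "invalid attribute description", so a comment above the definition such as `/* returns 0 if bv is a valid attribute description keystring, non-zero otherwise */` would keep later callers from inverting the test. The function body continues outside the hunk, so whether the parameter could become `const struct berval *bv` cannot be confirmed from here.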
index e9f9577aa9e8058b9e8e014202c045f9d50f7ec5..53f3c0466bad203ac387dae0908ed26a046a9dfb 100644 (file)
@@ -129,6 +129,7 @@ LDAP_SLAPD_F (int) slap_bv2ad LDAP_P((
        const char **text ));
 
 LDAP_SLAPD_F (void) ad_destroy LDAP_P(( AttributeDescription * ));
+LDAP_SLAPD_F (int) ad_keystring LDAP_P(( struct berval *bv ));
 
 #define ad_cmp(l,r)    (((l)->ad_cname.bv_len < (r)->ad_cname.bv_len) \
        ? -1 : (((l)->ad_cname.bv_len > (r)->ad_cname.bv_len) \
index 77209117a4eff7c41b2b860f86a91e3c610b2766..0e15409a1e6b031b245585af25618c5c3b7f6963 100644 (file)
@@ -156,10 +156,40 @@ do_search(
                if ( slap_bv2ad( &op->ors_attrs[i].an_name,
                        &op->ors_attrs[i].an_desc, &dummy ) != LDAP_SUCCESS )
                {
-                       slap_bv2undef_ad( &op->ors_attrs[i].an_name,
+                       if ( slap_bv2undef_ad( &op->ors_attrs[i].an_name,
                                &op->ors_attrs[i].an_desc, &dummy,
-                               SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
-               };
+                               SLAP_AD_PROXIED|SLAP_AD_NOINSERT ) )
+                       {
+                               struct berval *bv = &op->ors_attrs[i].an_name;
+
+                               /* RFC 4511 LDAPv3: All User Attributes */
+                               if ( bvmatch( bv, slap_bv_all_user_attrs ) ) {
+                                       continue;
+                               }
+
+                               /* RFC 3673 LDAPv3: All Operational Attributes */
+                               if ( bvmatch( bv, slap_bv_all_operational_attrs ) ) {
+                                       continue;
+                               }
+
+                               /* RFC 4529 LDAP: Requesting Attributes by Object Class */
+                               if ( bv->bv_len > 1 && bv->bv_val[0] == '@' ) {
+                                       /* FIXME: check if remaining is valid oc name? */
+                                       continue;
+                               }
+
+                               /* add more "exceptions" to RFC 4511 4.5.1.8. */
+
+                               /* invalid attribute description? remove */
+                               if ( ad_keystring( bv ) ) {
+                                       /* NOTE: parsed in-place, don't modify;
+                                        * rather add "1.1", which must be ignored */
+                                       BER_BVSTR( &op->ors_attrs[i].an_name, LDAP_NO_ATTRS );
+                               }
+
+                               /* otherwise leave in place... */
+                       }
+               }
        }
 
        if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
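Review bot: The `@` branch keeps any name of two or more bytes that begins with `@` without looking at the rest, as its FIXME admits, so client-supplied bytes after the `@` stay in `op->ors_attrs` unchecked while every other malformed name is replaced by "1.1". The remainder could be put through the same keystring test: declare `struct berval oc;`, set `oc.bv_val = bv->bv_val + 1; oc.bv_len = bv->bv_len - 1;` and `continue` only when `ad_keystring( &oc )` returns 0, letting a bad name fall through to the replacement below; whether `ad_keystring` matches the object class identifier syntax of RFC 4529 closely enough needs confirming, since its body is not shown. The inner comment says to add "1.1", but `BER_BVSTR` overwrites `an_name`, so "replace with" would describe the code more accurately. `do_search` starts and ends outside the hunk.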