From: Pierangelo Masarati Date: Fri, 28 Nov 2008 22:50:18 +0000 (+0000) Subject: more about ITS#5804 X-Git-Tag: ACLCHECK_0~1042 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=74636cfb513dd84713a3d7b62387086dafc4e4cf;p=openldap more about ITS#5804 --- diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 55e84ae53b..96eca0f3f7 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -66,7 +66,8 @@ static slap_control_t slap_acl_mask( slap_access_t access ); static int regex_matches( - struct berval *pat, char *str, char *buf, + struct berval *pat, char *str, + struct berval *dn_matches, struct berval *val_matches, AclRegexMatches *matches); typedef struct AclSetCookie { @@ -843,7 +844,7 @@ acl_mask_dn( } if ( !regex_matches( &bdn->a_pat, opndn->bv_val, - e->e_ndn, tmp_matchesp ) ) + &e->e_nname, NULL, tmp_matchesp ) ) { return 1; } @@ -910,8 +911,8 @@ acl_mask_dn( } if ( acl_string_expand( &bv, &bdn->a_pat, - e->e_nname.bv_val, - val ? val->bv_val : NULL, tmp_matchesp ) ) + &e->e_nname, + val, tmp_matchesp ) ) { return 1; } @@ -1227,8 +1228,8 @@ slap_acl_mask( if ( !ber_bvccmp( &b->a_sockurl_pat, '*' ) ) { if ( b->a_sockurl_style == ACL_STYLE_REGEX) { - if (!regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val, - e->e_ndn, matches ) ) + if ( !regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val, + &e->e_nname, val, matches ) ) { continue; } @@ -1239,7 +1240,7 @@ slap_acl_mask( bv.bv_len = sizeof( buf ) - 1; bv.bv_val = buf; - if ( acl_string_expand( &bv, &b->a_sockurl_pat, e->e_ndn, val->bv_val, matches ) ) + if ( acl_string_expand( &bv, &b->a_sockurl_pat, &e->e_nname, val, matches ) ) { continue; } 
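Review bot: The `a_sockurl_style == ACL_STYLE_REGEX` branch of slap_acl_mask now passes `val` to `regex_matches()`, so text captured from the attribute value can be substituted into a pattern that is then compiled with `regcomp`, and nothing visible here escapes it. If acl_string_expand copies the captured text verbatim (its copy loop is outside the diff), regex metacharacters in a value would be read as pattern syntax and could widen what the `by` clause matches. The domain, peername and sockname regex hunks have the same shape. I would either escape metacharacters during expansion for the regex case, or at least mark the first call with `/* FIXME: confirm $N expansions are regex-escaped before regcomp */`. slap_acl_mask begins and ends outside these hunks.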
@@ -1266,8 +1267,8 @@ slap_acl_mask( b->a_domain_pat.bv_val, 0, 0 ); if ( !ber_bvccmp( &b->a_domain_pat, '*' ) ) { if ( b->a_domain_style == ACL_STYLE_REGEX) { - if (!regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val, - e->e_ndn, matches ) ) + if ( !regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val, + &e->e_nname, val, matches ) ) { continue; } @@ -1283,7 +1284,7 @@ slap_acl_mask( bv.bv_len = sizeof(buf) - 1; bv.bv_val = buf; - if ( acl_string_expand(&bv, &b->a_domain_pat, e->e_ndn, val->bv_val, matches) ) + if ( acl_string_expand(&bv, &b->a_domain_pat, &e->e_nname, val, matches) ) { continue; } @@ -1320,8 +1321,8 @@ slap_acl_mask( b->a_peername_pat.bv_val, 0, 0 ); if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) { if ( b->a_peername_style == ACL_STYLE_REGEX ) { - if (!regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val, - e->e_ndn, matches ) ) + if ( !regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val, + &e->e_nname, val, matches ) ) { continue; } @@ -1339,7 +1340,7 @@ slap_acl_mask( bv.bv_len = sizeof( buf ) - 1; bv.bv_val = buf; - if ( acl_string_expand( &bv, &b->a_peername_pat, e->e_ndn, val->bv_val, matches ) ) + if ( acl_string_expand( &bv, &b->a_peername_pat, &e->e_nname, val, matches ) ) { continue; } @@ -1472,8 +1473,8 @@ slap_acl_mask( b->a_sockname_pat.bv_val, 0, 0 ); if ( !ber_bvccmp( &b->a_sockname_pat, '*' ) ) { if ( b->a_sockname_style == ACL_STYLE_REGEX) { - if (!regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val, - e->e_ndn, matches ) ) + if ( !regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val, + &e->e_nname, val, matches ) ) { continue; } @@ -1484,7 +1485,7 @@ slap_acl_mask( bv.bv_len = sizeof( buf ) - 1; bv.bv_val = buf; - if ( acl_string_expand( &bv, &b->a_sockname_pat, e->e_ndn, val->bv_val, matches ) ) + if ( acl_string_expand( &bv, &b->a_sockname_pat, &e->e_nname, val, matches ) ) { continue; } 
@@ -1597,7 +1598,7 @@ slap_acl_mask( } if ( acl_string_expand( &bv, &b->a_group_pat, - e->e_nname.bv_val, val->bv_val, + &e->e_nname, val, tmp_matchesp ) ) { continue; @@ -1685,7 +1686,7 @@ slap_acl_mask( } if ( acl_string_expand( &bv, &b->a_set_pat, - e->e_nname.bv_val, val->bv_val, + &e->e_nname, val, tmp_matchesp ) ) { continue; @@ -2508,8 +2509,8 @@ int acl_string_expand( struct berval *bv, struct berval *pat, - char *dn_match, - char *val_match, + struct berval *dn_matches, + struct berval *val_matches, AclRegexMatches *matches) { ber_len_t size; @@ -2571,13 +2572,15 @@ acl_string_expand( case DN_FLAG: nm = matches->dn_count; m = matches->dn_data; - data = dn_match; + data = dn_matches ? dn_matches->bv_val : NULL; break; case VAL_FLAG: nm = matches->val_count; m = matches->val_data; - data = val_match; + data = val_matches ? val_matches->bv_val : NULL; break; + default: + assert( 0 ); } if ( n >= nm ) { /* FIXME: error */ @@ -2629,7 +2632,8 @@ static int regex_matches( struct berval *pat, /* pattern to expand and match against */ char *str, /* string to match against pattern */ - char *buf, /* buffer with $N expansion variables */ + struct berval *dn_matches, /* buffer with $N expansion variables from DN */ + struct berval *val_matches, /* buffer with $N expansion variables from val */ AclRegexMatches *matches /* offsets in buffer for $N expansion variables */ ) { @@ -2645,7 +2649,7 @@ regex_matches( str = ""; }; - acl_string_expand( &bv, pat, buf, NULL, matches ); + acl_string_expand( &bv, pat, dn_matches, val_matches, matches ); rc = regcomp( &re, newbuf, REG_EXTENDED|REG_ICASE ); if ( rc ) { char error[ACL_BUF_SIZE]; diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 86ecb4e9ea..5d07c4c259 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h 
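Review bot: The new `default: assert( 0 );` in acl_string_expand's flag switch compiles away under NDEBUG, so `nm`, `m` and `data` would reach the `if ( n >= nm )` test unset unless they are initialised above the hunk. The DN_FLAG and VAL_FLAG cases can also leave `data` NULL when the caller supplies no berval (acl_mask_dn passes NULL for `val_matches`), and only the count check then protects the copy that follows outside the hunk. I would fail explicitly with `default: return 1;` and, after the switch, `if ( data == NULL ) return 1;`, since nonzero is what the callers in this diff treat as failure. Because the arguments are bervals now, the submatch offsets could also be checked against `bv_len` before copying.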
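Review bot: regex_matches discards the result of `acl_string_expand( &bv, pat, dn_matches, val_matches, matches );` and goes straight to `regcomp( &re, newbuf, ... )`, whereas every other caller in this diff treats a nonzero return as failure. If expansion fails, the regex is compiled from whatever partial content is in `newbuf`, and an access decision is made on that pattern. I would write `if ( acl_string_expand( &bv, pat, dn_matches, val_matches, matches ) ) return 0;` so a failed expansion counts as no match. Please confirm that this gives the same result as the regcomp error path just below the hunk. The function body starts and ends outside the hunk.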
@@ -93,7 +93,7 @@ LDAP_SLAPD_F (int) acl_match_set LDAP_P(( struct berval *default_set_attribute )); LDAP_SLAPD_F (int) acl_string_expand LDAP_P(( struct berval *newbuf, struct berval *pattern, - char *dnmatch, char *valmatch, AclRegexMatches *matches )); + struct berval *dnmatch, struct berval *valmatch, AclRegexMatches *matches )); /* * aclparse.c