From 8091aedc76b3ee896bb4d68bc958b949aaa6d8c4 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Sat, 3 Feb 2001 02:21:37 +0000 Subject: [PATCH] Add security checks to root DSE searches. Fix checking of require statements. --- servers/slapd/backend.c | 13 +++++++---- servers/slapd/proto-slap.h | 2 +- servers/slapd/search.c | 47 +++++++++++++++++++------------------- 3 files changed, 33 insertions(+), 29 deletions(-) diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index dd6f0f317c..a4547926d8 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -709,7 +709,7 @@ backend_check_restrictions( Backend *be, Connection *conn, Operation *op, - const char *extoid, + const void *opdata, const char **text ) { int rc; @@ -773,7 +773,9 @@ backend_check_restrictions( return LDAP_OTHER; } - if (( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) ) ) { + if ( op->o_tag != LDAP_REQ_EXTENDED + || strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) ) + { /* these checks don't apply to StartTLS */ if( op->o_tag == LDAP_REQ_EXTENDED ) { @@ -818,10 +820,11 @@ backend_check_restrictions( } } - if (( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) ) - || op->o_tag == LDAP_REQ_BIND ) + if ( op->o_tag != LDAP_REQ_BIND && + ( op->o_tag != LDAP_REQ_EXTENDED || + strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) ) ) { - /* these checks don't apply to StartTLS or Bind */ + /* these checks don't apply to Bind or StartTLS */ if( requires & SLAP_REQUIRE_STRONG ) { /* should check mechanism */ diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 63e509143d..fb731da079 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -167,7 +167,7 @@ LDAP_SLAPD_F( int ) backend_check_restrictions LDAP_P(( BackendDB *be, Connection *conn, Operation *op, - const char *extoid, + const void *opdata, const char **text )); LDAP_SLAPD_F( int ) backend_check_referrals LDAP_P(( diff --git a/servers/slapd/search.c b/servers/slapd/search.c index 88369428b4..0112a4515d 100644 --- a/servers/slapd/search.c +++ b/servers/slapd/search.c @@ -197,6 +197,28 @@ do_search( "conn=%ld op=%d SRCH base=\"%s\" scope=%d filter=\"%s\"\n", op->o_connid, op->o_opid, base, scope, fstr ); + manageDSAit = get_manageDSAit( op ); + + if( scope != LDAP_SCOPE_BASE && nbase[0] == '\0' && + default_search_nbase != NULL ) + { + ch_free( base ); + ch_free( nbase ); + base = ch_strdup( default_search_base ); + nbase = ch_strdup( default_search_nbase ); + } + + /* Select backend */ + be = select_backend( nbase, manageDSAit ); + + /* check restrictions */ + rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; + if( rc != LDAP_SUCCESS ) { + send_ldap_result( conn, op, rc, + NULL, text, NULL, NULL ); + goto return_results; + } + if ( scope == LDAP_SCOPE_BASE ) { Entry *entry = NULL; @@ -244,35 +266,14 @@ do_search( } } - if( nbase[0] == '\0' && default_search_nbase != NULL ) { - ch_free( base ); - ch_free( nbase ); - base = ch_strdup( default_search_base ); - nbase = ch_strdup( default_search_nbase ); - } - - manageDSAit = get_manageDSAit( op ); - - /* - * We could be serving multiple database backends. Select the - * appropriate one, or send a referral to our "referral server" - * if we don't hold it. - */ - if ( (be = select_backend( nbase, manageDSAit )) == NULL ) { + if ( be == NULL ) { + /* no backend, return a referral (or noSuchObject) */ send_ldap_result( conn, op, rc = LDAP_REFERRAL, NULL, NULL, default_referral, NULL ); goto return_results; } - /* check restrictions */ - rc = backend_check_restrictions( be, conn, op, NULL, &text ) ; - if( rc != LDAP_SUCCESS ) { - send_ldap_result( conn, op, rc, - NULL, text, NULL, NULL ); - goto return_results; - } - /* check for referrals */ rc = backend_check_referrals( be, conn, op, base, nbase ); if ( rc != LDAP_SUCCESS ) { -- 2.39.5