From d23243a507c38955151e1e0562d37d9051651112 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Fri, 6 May 2005 16:42:03 +0000 Subject: [PATCH] more on strict config parsing (ITS#3705) --- servers/slapd/aclparse.c | 41 +++++++++++++++++++-- servers/slapd/back-bdb/attr.c | 2 +- servers/slapd/back-ldbm/attr.c | 2 +- servers/slapd/back-ldbm/config.c | 5 ++- servers/slapd/back-meta/config.c | 2 +- servers/slapd/bconfig.c | 42 ++++++++++++++++++---- servers/slapd/config.c | 61 +++++++++++++------------------- servers/slapd/overlays/rwmconf.c | 2 +- servers/slapd/repl.c | 2 +- servers/slapd/slap.h | 9 +++++ 10 files changed, 115 insertions(+), 53 deletions(-) diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 44fed13fcc..c9ec267727 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -696,8 +696,12 @@ parse_acl( case ACL_STYLE_REGEX: fprintf( stderr, "%s: line %d: " "\"regex\" style implies " - "\"expand\" modifier (ignored)\n", + "\"expand\" modifier" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", fname, lineno ); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + acl_usage(); +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ break; case ACL_STYLE_EXPAND: @@ -706,8 +710,12 @@ parse_acl( fprintf( stderr, "%s: line %d: " "\"expand\" style used " "in conjunction with " - "\"expand\" modifier (ignored)\n", + "\"expand\" modifier" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", fname, lineno ); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + acl_usage(); +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ #endif break; 
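Review bot: The strict-mode branch added after this `fprintf` only works if `acl_usage()` never returns, and nothing in the hunk says so: the call is followed directly by the existing `break;`. If it can return, a SLAPD_CONF_UNKNOWN_BAILOUT build carries on parsing the ACL exactly like the lenient build, but with a message that no longer says the modifier was ignored. A one-line comment such as `/* acl_usage() does not return */`, once confirmed against its definition (which is outside this diff), would make the fail-closed intent clear. The same applies to the `ACL_STYLE_EXPAND` hunk at -706 and the new `else` branch at -853.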
@@ -853,7 +861,34 @@ parse_acl( bdn->a_pat = bv; } bdn->a_style = sty; - bdn->a_expand = expand; + if ( expand ) { + char *exp; + int gotit = 0; + + for ( exp = strchr( bdn->a_pat.bv_val, '$' ); + exp && exp - bdn->a_pat.bv_val < bdn->a_pat.bv_len; + exp = strchr( exp, '$' ) ) + { + if ( isdigit( exp[ 1 ] ) ) { + gotit = 1; + break; + } + } + + if ( gotit == 1 ) { + bdn->a_expand = expand; + + } else { + fprintf( stderr, + "%s: line %d: \"expand\" used " + "with no expansions in \"pattern\"" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", + fname, lineno ); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + acl_usage(); +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ + } + } if ( sty == ACL_STYLE_SELF ) { bdn->a_self_level = level; diff --git a/servers/slapd/back-bdb/attr.c b/servers/slapd/back-bdb/attr.c index 562048413b..ecabe033c7 100644 --- a/servers/slapd/back-bdb/attr.c +++ b/servers/slapd/back-bdb/attr.c @@ -258,7 +258,7 @@ bdb_attr_index_config( continue; } fprintf( stderr, "%s: line %d: duplicate index definition " - "for attr \"%s\" (ignored)\n", + "for attr \"%s\"" SLAPD_CONF_UNKNOWN_IGNORED ".\n", fname, lineno, attrs[i] ); return LDAP_PARAM_ERROR; diff --git a/servers/slapd/back-ldbm/attr.c b/servers/slapd/back-ldbm/attr.c index b37b4aca4a..6abf4156fb 100644 --- a/servers/slapd/back-ldbm/attr.c +++ b/servers/slapd/back-ldbm/attr.c @@ -201,7 +201,7 @@ attr_index_config( if( rc ) { fprintf( stderr, "%s: line %d: duplicate index definition " - "for attr \"%s\" (ignored)\n", + "for attr \"%s\"" SLAPD_CONF_UNKNOWN_IGNORED ".\n", fname, lineno, attrs[i] ); return LDAP_PARAM_ERROR; diff --git a/servers/slapd/back-ldbm/config.c b/servers/slapd/back-ldbm/config.c index e64ae11a35..2a0a5759ee 100644 --- a/servers/slapd/back-ldbm/config.c +++ b/servers/slapd/back-ldbm/config.c 
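Review bot: The scan loop added for `expand` never advances past a `$` that is not followed by a digit. The step expression `exp = strchr( exp, '$' )` starts at the `$` it just tested and returns the same pointer, so such a pattern makes config parsing spin forever instead of reaching the new warning. Stepping from the next byte fixes it: `exp = strchr( exp + 1, '$' ) )`. Separately, `isdigit( exp[ 1 ] )` receives a plain `char`, which is undefined for bytes above 0x7f where `char` is signed; `isdigit( (unsigned char) exp[ 1 ] )` is the safe form. parse_acl starts and ends outside the hunk.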
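Review bot: In a lenient build this message still ends in " (ignored)" although the very next statement is `return LDAP_PARAM_ERROR;`, so the duplicate index definition is reported as ignored while the function reports failure. Whether the caller drops that error is not visible here, but the wording should not depend on SLAPD_CONF_UNKNOWN_IGNORED at a site that always returns an error; a plain `"for attr \"%s\".\n"` would be accurate in both builds. The same mismatch is in back-ldbm/attr.c (-201), and in back-meta/config.c (-791) and overlays/rwmconf.c (-217), where the message is followed by `goto error_return;`.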
@@ -73,8 +73,11 @@ ldbm_back_db_config( return( 1 ); } else if ( argc > 3 ) { fprintf( stderr, -"%s: line %d: extra junk after \"index [pres,eq,approx,sub]\" line (ignored)\n", +"%s: line %d: extra junk after \"index [pres,eq,approx,sub]\" line" SLAPD_CONF_UNKNOWN_IGNORED ".\n", fname, lineno ); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + return( 1 ); +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ } rc = attr_index_config( li, fname, lineno, argc - 1, &argv[1] ); diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c index 64f5180b15..8457cf8510 100644 --- a/servers/slapd/back-meta/config.c +++ b/servers/slapd/back-meta/config.c @@ -791,7 +791,7 @@ ldap_back_map_config( || avl_find( map->remap, (caddr_t)&mapping[ 1 ], mapping_cmp ) != NULL) { fprintf( stderr, - "%s: line %d: duplicate mapping found (ignored)\n", + "%s: line %d: duplicate mapping found" SLAPD_CONF_UNKNOWN_IGNORED ".\n", fname, lineno ); goto error_return; } diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index 089e0cdac3..40b339c344 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -1242,7 +1242,11 @@ config_generic(ConfigArgs *c) { default: Debug(LDAP_DEBUG_ANY, "%s: unknown CFG_TYPE %d" - "(ignored)\n", c->log, c->type, 0); + SLAPD_CONF_UNKNOWN_IGNORED ".\n", + c->log, c->type, 0); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + return 1; +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ } return(0); @@ -1428,8 +1432,12 @@ config_sizelimit(ConfigArgs *c) { return(1); } else if(next[0] != '\0') { Debug(LDAP_DEBUG_ANY, "%s: " - "trailing chars \"%s\" in \"sizelimit \" line (ignored)\n", + "trailing chars \"%s\" in \"sizelimit \" line" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", c->log, next, 0); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + return 1; +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ } } lim->lms_s_hard = 0; 
@@ -1481,8 +1489,12 @@ config_timelimit(ConfigArgs *c) { return(1); } else if(next[0] != '\0') { Debug(LDAP_DEBUG_ANY, "%s: " - "trailing chars \"%s\" in \"timelimit \" line (ignored)\n", + "trailing chars \"%s\" in \"timelimit \" line" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", c->log, next, 0); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + return 1; +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ } } lim->lms_t_hard = 0; @@ -1500,8 +1512,12 @@ config_overlay(ConfigArgs *c) { } if(c->argv[1][0] == '-' && overlay_config(c->be, &c->argv[1][1])) { /* log error */ - Debug(LDAP_DEBUG_ANY, "%s: (optional) %s overlay \"%s\" configuration failed (ignored)\n", + Debug(LDAP_DEBUG_ANY, "%s: (optional) %s overlay \"%s\" configuration failed" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", c->log, c->be == frontendDB ? "global " : "", c->argv[1][1]); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + return 1; +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ } else if(overlay_config(c->be, c->argv[1])) { return(1); } @@ -1558,8 +1574,12 @@ config_suffix(ConfigArgs *c) { ndn = c->value_ndn; tbe = select_backend(&ndn, 0, 0); if(tbe == c->be) { - Debug(LDAP_DEBUG_ANY, "%s: suffix already served by this backend! (ignored)\n", + Debug(LDAP_DEBUG_ANY, "%s: suffix already served by this backend!" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", c->log, 0, 0); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + return 1; +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ free(pdn.bv_val); free(ndn.bv_val); } else if(tbe) { 
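Review bot: The last argument to the `Debug` call in config_overlay is `c->argv[1][1]`, a single `char`, but the format consumes it with `\"%s\"`, so logging the failure of an optional overlay reads a string through a non-pointer value. The `overlay_config` call just above passes `&c->argv[1][1]`, and the log argument should match: `c->log, c->be == frontendDB ? "global " : "", &c->argv[1][1]);`. Separately, with SLAPD_CONF_UNKNOWN_BAILOUT the added `return 1;` makes the failure of an overlay marked optional by the `-` prefix fatal, which looks contrary to the "(optional)" in the message and deserves a comment or a second look.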
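Review bot: In config_suffix the `return 1;` added under SLAPD_CONF_UNKNOWN_BAILOUT sits before `free(pdn.bv_val); free(ndn.bv_val);`, so in a strict build those two frees are unreachable and both DN buffers leak on this error path. Move the frees above the `#ifdef` so they run in both builds: `free(pdn.bv_val);` and `free(ndn.bv_val);` first, then the guarded `return 1;`. The function begins and continues outside the hunk, so whether a later statement on the lenient path still uses either buffer should be checked before reordering.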
@@ -2095,13 +2115,21 @@ config_replica(ConfigArgs *c) { switch(add_replica_suffix(c->be, nr, c->argv[i] + STRLENOF("suffix="))) { case 1: Debug(LDAP_DEBUG_ANY, "%s: " - "suffix \"%s\" in \"replica\" line is not valid for backend (ignored)\n", + "suffix \"%s\" in \"replica\" line is not valid for backend" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", c->log, c->argv[i] + STRLENOF("suffix="), 0); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + return 1; +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ break; case 2: Debug(LDAP_DEBUG_ANY, "%s: " - "unable to normalize suffix in \"replica\" line (ignored)\n", + "unable to normalize suffix in \"replica\" line" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", c->log, 0, 0); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + return 1; +#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ break; } diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 399014a6b7..143a806358 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -43,13 +43,6 @@ #define ARGS_STEP 512 -/* - * ITS#3705: bail out if unknown config directives appear in slapd.conf - */ -#ifdef LDAP_DEVEL -#define SLAPD_CONF_UNKNOWN_BAILOUT -#endif /* LDAP_DEVEL */ - /* * defaults for various global variables */ @@ -576,8 +569,15 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf) } if ( c->argc < 1 ) { - Debug(LDAP_DEBUG_CONFIG, "%s: bad config line (ignored)\n", c->log, 0, 0); + Debug(LDAP_DEBUG_CONFIG, "%s: bad config line" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", + c->log, 0, 0); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT + rc = 1; + goto leave; +#else /* ! SLAPD_CONF_UNKNOWN_BAILOUT */ continue; +#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */ } c->op = SLAP_CONFIG_ADD; 
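Review bot: In a strict build the "bad config line" message in read_config_file is now the only explanation for a failed start, yet it is emitted at `LDAP_DEBUG_CONFIG` right before `rc = 1; goto leave;`, while the fatal messages added in bconfig.c use `LDAP_DEBUG_ANY`. If the config debug level is not enabled, which I assume is the common case, the server would refuse to load its configuration without saying which line caused it. Under SLAPD_CONF_UNKNOWN_BAILOUT the call should log at the always-on level, `Debug(LDAP_DEBUG_ANY, "%s: bad config line"`. The four unknown-directive hunks that follow in the same function (-614, -642, -660, -674) have the same issue.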
@@ -614,16 +614,13 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf) if ( rc ) { switch(rc) { case SLAP_CONF_UNKNOWN: -#ifdef SLAPD_CONF_UNKNOWN_BAILOUT Debug(LDAP_DEBUG_CONFIG, "%s: " - "unknown directive <%s> inside backend info definition\n", - c->log, *c->argv, 0); -#else /* !SLAPD_CONF_UNKNOWN_BAILOUT */ - Debug(LDAP_DEBUG_CONFIG, "%s: " - "unknown directive <%s> inside backend info definition (ignored)\n", + "unknown directive <%s> inside backend info definition" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", c->log, *c->argv, 0); +#ifndef SLAPD_CONF_UNKNOWN_BAILOUT continue; -#endif /* !SLAPD_CONF_UNKNOWN_BAILOUT */ +#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */ default: rc = 1; goto leave; @@ -645,18 +642,13 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf) if ( rc ) { switch(rc) { case SLAP_CONF_UNKNOWN: -#ifdef SLAPD_CONF_UNKNOWN_BAILOUT Debug( LDAP_DEBUG_CONFIG, "%s: " "unknown directive <%s> inside backend database " - "definition\n", - c->log, *c->argv, 0); -#else /* !SLAPD_CONF_UNKNOWN_BAILOUT */ - Debug( LDAP_DEBUG_CONFIG, "%s: " - "unknown directive <%s> inside backend database " - "definition (ignored)\n", + "definition" SLAPD_CONF_UNKNOWN_IGNORED ".\n", c->log, *c->argv, 0); +#ifndef SLAPD_CONF_UNKNOWN_BAILOUT continue; -#endif /* !SLAPD_CONF_UNKNOWN_BAILOUT */ +#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */ default: rc = 1; goto leave; 
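Review bot: With SLAPD_CONF_UNKNOWN_BAILOUT defined the `continue;` is compiled out and `case SLAP_CONF_UNKNOWN:` falls through into `default:` to reach `rc = 1; goto leave;`, which looks intended but is silent. An explicit marker keeps a later edit, or a fallthrough warning, from treating it as a mistake: add `#else` followed by `/* FALLTHRU: unknown directive is fatal in strict builds */` before the `#endif`. The same pattern repeats in the backend-database hunk (-642) and the global-database hunk (-660).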
@@ -668,16 +660,13 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf) if ( rc ) { switch(rc) { case SLAP_CONF_UNKNOWN: -#ifdef SLAPD_CONF_UNKNOWN_BAILOUT - Debug( LDAP_DEBUG_CONFIG, "%s: " - "unknown directive <%s> inside global database definition\n", - c->log, *c->argv, 0); -#else /* !SLAPD_CONF_UNKNOWN_BAILOUT */ Debug( LDAP_DEBUG_CONFIG, "%s: " - "unknown directive <%s> inside global database definition (ignored)\n", + "unknown directive <%s> inside global database definition" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", c->log, *c->argv, 0); +#ifndef SLAPD_CONF_UNKNOWN_BAILOUT continue; -#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ +#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */ default: rc = 1; goto leave; @@ -685,18 +674,16 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf) } } else { -#ifdef SLAPD_CONF_UNKNOWN_BAILOUT Debug(LDAP_DEBUG_CONFIG, "%s: " - "unknown directive <%s> outside backend info and database definitions\n", + "unknown directive <%s> outside backend info and database definitions" + SLAPD_CONF_UNKNOWN_IGNORED ".\n", c->log, *c->argv, 0); +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT rc = 1; goto leave; -#else /* !SLAPD_CONF_UNKNOWN_BAILOUT */ - Debug(LDAP_DEBUG_CONFIG, "%s: " - "unknown directive <%s> outside backend info and database definitions (ignored)\n", - c->log, *c->argv, 0); +#else /* ! SLAPD_CONF_UNKNOWN_BAILOUT */ continue; -#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */ +#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */ } } diff --git a/servers/slapd/overlays/rwmconf.c b/servers/slapd/overlays/rwmconf.c index ed3121fede..32212d6c6d 100644 --- a/servers/slapd/overlays/rwmconf.c +++ b/servers/slapd/overlays/rwmconf.c @@ -217,7 +217,7 @@ rwm_map_config( || avl_find( map->remap, (caddr_t)&mapping[1], rwm_mapping_cmp ) != NULL) { fprintf( stderr, - "%s: line %d: duplicate mapping found (ignored)\n", + "%s: line %d: duplicate mapping found" SLAPD_CONF_UNKNOWN_IGNORED ".\n", fname, lineno ); /* FIXME: free stuff */ goto error_return; 
diff --git a/servers/slapd/repl.c b/servers/slapd/repl.c index 529416023c..255607117e 100644 --- a/servers/slapd/repl.c +++ b/servers/slapd/repl.c @@ -135,7 +135,7 @@ replog( Operation *op ) int count = 0; #endif int subsets = 0; - long now = slap_get_time(); + long now = slap_get_time(); char *replogfile; replogfile = op->o_bd->be_replogfile ? op->o_bd->be_replogfile : diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 9c1877a101..9031c86c46 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -69,12 +69,21 @@ LDAP_BEGIN_DECL #define LDAP_SYNC_TIMESTAMP #define LDAP_COLLECTIVE_ATTRIBUTES #define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE +#define SLAPD_CONF_UNKNOWN_BAILOUT #ifdef ENABLE_REWRITE #define SLAP_AUTH_REWRITE 1 /* use librewrite for sasl-regexp */ #endif #endif +/* + * ITS#3705: bail out if unknown config directives appear in slapd.conf + */ +#ifdef SLAPD_CONF_UNKNOWN_BAILOUT +#define SLAPD_CONF_UNKNOWN_IGNORED "" +#else /* ! SLAPD_CONF_UNKNOWN_BAILOUT */ +#define SLAPD_CONF_UNKNOWN_IGNORED " (ignored)" +#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */ /* * SLAPD Memory allocation macros -- 2.39.5
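Review bot: The ITS#3705 comment in slap.h describes bailing out on unknown directives, but it now heads the SLAPD_CONF_UNKNOWN_IGNORED definitions, while the `#define SLAPD_CONF_UNKNOWN_BAILOUT` that actually selects the behaviour is added uncommented inside the conditional block above. That switch decides whether a malformed slapd.conf stops the server or is accepted with a warning, so it should be documented where it is set. The comment here should instead describe the string macro: `/* suffix for config warnings; empty when SLAPD_CONF_UNKNOWN_BAILOUT makes them fatal. Only usable between string literals. */`. The condition guarding the block that defines BAILOUT is outside the hunk; the comment removed from config.c suggests LDAP_DEVEL, which would mean release builds stay lenient.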