From e4fcc294fa5f138853f89bc34f8971060d3d153d Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Tue, 1 Feb 2011 23:13:58 +0000 Subject: [PATCH] ignore attrs in search request that do not conform to RFC 4511 4.5.1.8. or standard track extensions (ITS#6819) --- servers/slapd/ad.c | 2 +- servers/slapd/proto-slap.h | 1 + servers/slapd/search.c | 36 +++++++++++++++++++++++++++++++++--- 3 files changed, 35 insertions(+), 4 deletions(-) diff --git a/servers/slapd/ad.c b/servers/slapd/ad.c index a5469cfd82..6c4bc4929d 100644 --- a/servers/slapd/ad.c +++ b/servers/slapd/ad.c @@ -76,7 +76,7 @@ static int msad_range_hack = 0; static Attr_option *ad_find_option_definition( const char *opt, int optlen ); -static int ad_keystring( +int ad_keystring( struct berval *bv ) { ber_len_t i; diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index e9f9577aa9..53f3c0466b 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -129,6 +129,7 @@ LDAP_SLAPD_F (int) slap_bv2ad LDAP_P(( const char **text )); LDAP_SLAPD_F (void) ad_destroy LDAP_P(( AttributeDescription * )); +LDAP_SLAPD_F (int) ad_keystring LDAP_P(( struct berval *bv )); #define ad_cmp(l,r) (((l)->ad_cname.bv_len < (r)->ad_cname.bv_len) \ ? -1 : (((l)->ad_cname.bv_len > (r)->ad_cname.bv_len) \ diff --git a/servers/slapd/search.c b/servers/slapd/search.c index 77209117a4..0e15409a1e 100644 --- a/servers/slapd/search.c +++ b/servers/slapd/search.c @@ -156,10 +156,40 @@ do_search( if ( slap_bv2ad( &op->ors_attrs[i].an_name, &op->ors_attrs[i].an_desc, &dummy ) != LDAP_SUCCESS ) { - slap_bv2undef_ad( &op->ors_attrs[i].an_name, + if ( slap_bv2undef_ad( &op->ors_attrs[i].an_name, &op->ors_attrs[i].an_desc, &dummy, - SLAP_AD_PROXIED|SLAP_AD_NOINSERT ); - }; + SLAP_AD_PROXIED|SLAP_AD_NOINSERT ) ) + { + struct berval *bv = &op->ors_attrs[i].an_name; + + /* RFC 4511 LDAPv3: All User Attributes */ + if ( bvmatch( bv, slap_bv_all_user_attrs ) ) { + continue; + } + + /* RFC 3673 LDAPv3: All Operational Attributes */ + if ( bvmatch( bv, slap_bv_all_operational_attrs ) ) { + continue; + } + + /* RFC 4529 LDAP: Requesting Attributes by Object Class */ + if ( bv->bv_len > 1 && bv->bv_val[0] == '@' ) { + /* FIXME: check if remaining is valid oc name? */ + continue; + } + + /* add more "exceptions" to RFC 4511 4.5.1.8. */ + + /* invalid attribute description? remove */ + if ( ad_keystring( bv ) ) { + /* NOTE: parsed in-place, don't modify; + * rather add "1.1", which must be ignored */ + BER_BVSTR( &op->ors_attrs[i].an_name, LDAP_NO_ATTRS ); + } + + /* otherwise leave in place... */ + } + } } if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) { -- 2.39.2