From eb5c2a4066c84f499f767764fcb2bb0dd46a6dda Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Sat, 20 Nov 2004 12:12:27 +0000
Subject: [PATCH] import fix to ITS#3303
---
 CHANGES | 1 +
 servers/slapd/acl.c | 22 +++++++++++++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index 0b45b50152..b9ddaab5b4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,7 @@ OpenLDAP 2.2 Change Log
 OpenLDAP 2.2.19 Engineering
 Fixed slapd check for mandatory filter in authz-regexp URI (ITS#3396)
+ Fixed slapd ACI when the subject contains '#' (ITS#3303)
 Fixed back-ldap malformed URI check for multiple URIs (ITS#3399)
 Fixed back-ldap/back-meta static definition of be_open() (ITS#3387)
 Build Environment
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index f4388518b5..47e03bfa42 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -2104,8 +2104,27 @@ aci_mask(
 if (aci_get_part(aci, 3, '#', &bv) < 0) return(0);
+ /* see if we have a public (i.e. anonymous) access */
+ if (ber_bvstrcasecmp( &aci_bv_public, &bv ) == 0) {
+ return(1);
+ }
+
+ /* otherwise require an identity */
+ if ( BER_BVISNULL( &op->o_ndn ) || BER_BVISEMPTY( &op->o_ndn ) ) {
+ return 0;
+ }
+
+ /* NOTE: this may fail if a DN contains a valid '#' (unescaped);
+ * just grab all the berval up to its end (ITS#3303).
+ * NOTE: the problem could be solved by providing the DN with
+ * the embedded '#' encoded as hexpairs: "cn=Foo#Bar" would
+ * become "cn=Foo\23Bar" and be safely used by aci_mask(). */
+#if 0
 if (aci_get_part(aci, 4, '#', &sdn) < 0) return(0);
+#endif
+ sdn.bv_val = bv.bv_val + bv.bv_len + STRLENOF( "#" );
+ sdn.bv_len = aci->bv_len - ( sdn.bv_val - aci->bv_val );
 if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) {
 struct berval ndn;
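Review bot: The two added `sdn` assignments in the aci_mask hunk replace the disabled `aci_get_part(aci, 4, '#', &sdn) < 0` check with pointer arithmetic that has no bounds check. If an ACI value ends right after the type field, with no `#` and subject following it, `sdn.bv_val` lands one byte past the end of `aci` and `sdn.bv_len` wraps to a very large value (assuming `bv_len` is the usual unsigned `ber_len_t`). The branches below presumably pass `sdn` on to DN handling, which would then read out of bounds; whether attribute syntax validation already rejects such values is not visible here. I would add `if ( bv.bv_val + bv.bv_len >= aci->bv_val + aci->bv_len ) return 0;` immediately before the `sdn.bv_val` line, and delete the `#if 0` block rather than keep dead code. aci_mask's body starts and ends outside this hunk.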
@@ -2117,9 +2136,6 @@ aci_mask( } return (rc); - } else if (ber_bvstrcasecmp( &aci_bv_public, &bv ) == 0) { - return(1); - } else if (ber_bvstrcasecmp( &aci_bv_self, &bv ) == 0) { if (dn_match(&op->o_ndn, &e->e_nname)) return(1); -- 2.39.5