Home Explore Help
Register Sign In
Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Ticket 48141 - aci with wildcard and macro not correctly evaluated

if an acis contains macros and wildcards the evaluation can fail if the macro part does not
align with dn components. Since this alignment is not enforced inman cases, the combination
with wild card should also work.

To fix the issue a check was introduced if the char before or after the macro is ','. Then the old code
path is taken, in other cases a new evaluation routine is added

https://fedorahosted.org/389/ticket/48141

Review: noriko, thanks
Ludwig Krispenz 10 years ago
parent
8b4b71f2dc
commit
4fbfc2e086
1 changed files with 30 additions and 2 deletions
Split View Show Diff Stats
  1. 30 2
      ldap/servers/plugins/acl/aclutil.c

+ 30 - 2
ldap/servers/plugins/acl/aclutil.c
View File 

@@ -847,7 +847,13 @@ acl_match_macro_in_target( const char *ndn, char * match_this,
 
 		if ( strstr(macro_prefix, "=*") != NULL ) {
 
 			int exact_match = 0;			
 
-			ndn_prefix_len = acl_match_prefix( macro_prefix, ndn, &exact_match);
 
+			if (macro_prefix[macro_prefix_len-1] == ',') {
 
+				/* macro aligns with dn components */
 
+				ndn_prefix_len = acl_match_prefix( macro_prefix, ndn, &exact_match);
 
+			} else {
 
+				/* do a initial * final substring match */
 
+				ndn_prefix_len = acl_match_substr_prefix( macro_prefix, ndn, &exact_match);
 
+			}
 
 			if (  ndn_prefix_len != -1 ) {
 
 				
 				/*
 
@@ -951,10 +957,14 @@ acl_match_macro_in_target( const char *ndn, char * match_this,
 
 					 * ndn[ndn_prefix_end..mndn_len-macro_suffix_len]
 
 					 * the -1 is because macro_suffix_eln does not include
 
 					 * the coma before the suffix.
 
+					 *
 
+					 * there are cases where the macro does end inside a dn component
 
 					*/
 
 
 					matched_val_len = ndn_len-macro_suffix_len-
 
-										ndn_prefix_end - 1;
 
+										ndn_prefix_end;
 
+					if (ndn[ndn_len - macro_suffix_len] == ',')
 
+						matched_val_len -= 1;
 
 					
 					matched_val = (char *)slapi_ch_malloc(matched_val_len + 1);
 
 					strncpy(matched_val, &ndn[ndn_prefix_end],
 
@@ -971,6 +981,24 @@ acl_match_macro_in_target( const char *ndn, char * match_this,
 
 	return(ret_val);
 
 }
 
 
+int
 
+acl_match_substr_prefix( char *macro_prefix, const char *ndn, int *exact_match) {
 
+	int ret_code = -1;
 
+        char *tmp_str = NULL;
 
+        int initial, any, final;
 
+
 
+	*exact_match = 0;
 
+	tmp_str = slapi_ch_strdup(macro_prefix);
 
+	any = acl_strstr(tmp_str, "*");
 
+	tmp_str[any] = '\0';
 
+	initial = acl_strstr(ndn, tmp_str);
 
+        if (initial >= 0) {
 
+		final = acl_strstr(&ndn[initial+strlen(tmp_str)],&tmp_str[any+1]);
 
+		if (final > 0) ret_code = initial + strlen(tmp_str) +final + strlen(&tmp_str[any+1]);
 
+	}
 
+	slapi_ch_free_string(&tmp_str);
 
+	return (ret_code);
 
+}
 
 /*
 
  * Checks to see if macro_prefix is an exact prefix of ndn.
 
  * macro_prefix may contain a * component.