
Ticket 48141 - aci with wildcard and macro not correctly evaluated

If an aci contains macros and wildcards, the evaluation can fail if the macro part does not
align with dn components. Since this alignment is not enforced in many cases, the combination
with wildcards should also work.

To fix the issue a check was introduced if the char before or after the macro is ','. Then the old code
path is taken, in other cases a new evaluation routine is added

https://fedorahosted.org/389/ticket/48141

Review: noriko, thanks
Ludwig Krispenz %!s(int64=10) %!d(string=hai) anos
pai
achega
4fbfc2e086
Modificáronse 1 ficheiros con 30 adicións e 2 borrados
  1. 30 2
      ldap/servers/plugins/acl/aclutil.c

+ 30 - 2
ldap/servers/plugins/acl/aclutil.c

@@ -847,7 +847,13 @@ acl_match_macro_in_target( const char *ndn, char * match_this,
 		if ( strstr(macro_prefix, "=*") != NULL ) {
 			int exact_match = 0;			
 
-			ndn_prefix_len = acl_match_prefix( macro_prefix, ndn, &exact_match);
+			if (macro_prefix[macro_prefix_len-1] == ',') {
+				/* macro aligns with dn components */
+				ndn_prefix_len = acl_match_prefix( macro_prefix, ndn, &exact_match);
+			} else {
+				/* do a initial * final substring match */
+				ndn_prefix_len = acl_match_substr_prefix( macro_prefix, ndn, &exact_match);
+			}
 			if (  ndn_prefix_len != -1 ) {
 				
 				/*
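Review bot: The call to `acl_match_substr_prefix` in the new else branch has no declaration in scope. The function is defined further down this file (third hunk), and the diffstat shows one changed file whose 30 added lines are all inside the three hunks, so unless a header already declares it, no prototype was added. That makes it an implicit declaration, which compilers warn about or reject, and the argument types go unchecked on a path that decides ACI target matching. I would add `int acl_match_substr_prefix(char *macro_prefix, const char *ndn, int *exact_match);` above `acl_match_macro_in_target`, or make the helper `static` and define it before its use. Separately, `macro_prefix[macro_prefix_len-1]` presumably relies on `macro_prefix_len` being non-zero; its assignment is outside the hunk, so that needs confirming.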
@@ -951,10 +957,14 @@ acl_match_macro_in_target( const char *ndn, char * match_this,
 					 * ndn[ndn_prefix_end..mndn_len-macro_suffix_len]
 					 * the -1 is because macro_suffix_eln does not include
 					 * the coma before the suffix.
+					 *
+					 * there are cases where the macro does end inside a dn component
 					*/
 
 					matched_val_len = ndn_len-macro_suffix_len-
-										ndn_prefix_end - 1;
+										ndn_prefix_end;
+					if (ndn[ndn_len - macro_suffix_len] == ',')
+						matched_val_len -= 1;
 					
 					matched_val = (char *)slapi_ch_malloc(matched_val_len + 1);
 					strncpy(matched_val, &ndn[ndn_prefix_end],
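Review bot: `matched_val_len` can become negative before it reaches `slapi_ch_malloc(matched_val_len + 1)` and `strncpy`, and nothing in the hunk rejects that. With the substring prefix match, `ndn_prefix_end` is presumably no longer tied to a component boundary, so it may land past `ndn_len - macro_suffix_len`, and the comma adjustment then subtracts one more. A negative length converted to `size_t` in `strncpy` would write far past the allocation. Unless a check outside this hunk already guarantees `ndn_prefix_end <= ndn_len - macro_suffix_len`, I would test `if (matched_val_len < 0)` before allocating and take the function's existing no-match path, with a comment such as `/* prefix and suffix matches overlap: no value for the macro */`. The new single-statement `if` would also be safer with braces.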
@@ -971,6 +981,24 @@ acl_match_macro_in_target( const char *ndn, char * match_this,
 	return(ret_val);
 }
 
+int
+acl_match_substr_prefix( char *macro_prefix, const char *ndn, int *exact_match) {
+	int ret_code = -1;
+        char *tmp_str = NULL;
+        int initial, any, final;
+
+	*exact_match = 0;
+	tmp_str = slapi_ch_strdup(macro_prefix);
+	any = acl_strstr(tmp_str, "*");
+	tmp_str[any] = '\0';
+	initial = acl_strstr(ndn, tmp_str);
+        if (initial >= 0) {
+		final = acl_strstr(&ndn[initial+strlen(tmp_str)],&tmp_str[any+1]);
+		if (final > 0) ret_code = initial + strlen(tmp_str) +final + strlen(&tmp_str[any+1]);
+	}
+	slapi_ch_free_string(&tmp_str);
+	return (ret_code);
+}
 /*
  * Checks to see if macro_prefix is an exact prefix of ndn.
  * macro_prefix may contain a * component.
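Review bot: `acl_match_substr_prefix` writes `tmp_str[any] = '\0'` without checking the result of `acl_strstr(tmp_str, "*")`; if that helper returns -1 on no match (the `initial >= 0` test suggests it does), a prefix without `*` causes a write before the start of the heap copy. The only caller visible in this commit checks for `=*` first, but the function is not `static`, so I would add `if (any < 0) { slapi_ch_free_string(&tmp_str); return -1; }` before the write. `final > 0` also rejects a zero-offset match while `initial >= 0` accepts one; if the wildcard is meant to consume at least one character, say so in a comment, otherwise use `>= 0`. The function also needs a header comment like the one on the function that follows, stating that only the first `*` is treated as a wildcard, that the return value is the offset in `ndn` just past the matched prefix or -1, and that `*exact_match` is always set to 0.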