Ticket #47869 - unauthenticated information disclosure (Bug 1123477)

Fix Description: nscpentrywsi is returned only authenticated as root.
The bug was fixed by [email protected] (Ludwig Krispenz).
His patch was modified based upon this review comment.
https://bugzilla.redhat.com/show_bug.cgi?id=1123477#c2

https://bugzilla.redhat.com/show_bug.cgi?id=1127833

(cherry picked from commit aa90e26d5c4ea47b2a4a22f99cf0742cf48b3fae)
(cherry picked from commit 394277fdcef70078b54a280de88ab06dd289cc7a)

ldap/servers/slapd/computed.c

@@ -59,6 +59,7 @@ struct _computed_attr_context {
 struct _compute_evaluator {
 	struct _compute_evaluator *next;
 	slapi_compute_callback_t function;
+	int rootonly;
 };
 typedef struct _compute_evaluator compute_evaluator;
 
@@ -95,6 +96,13 @@ int compute_call_evaluators_nolock(computed_attr_context *c,slapi_compute_output
         compute_evaluator *current = NULL;
         
         for (current = compute_evaluators; (current != NULL) && (-1 == rc); current = current->next) {
+		if (current->rootonly) {
+			int isroot;
+			slapi_pblock_get(c->pb, SLAPI_REQUESTOR_ISROOT, &isroot);
+			if (!isroot) {
+				continue;
+			}
+		}
                 rc = (*(current->function))(c,type,e,outfn);
         }
         return rc;
@@ -157,13 +165,18 @@ compute_stock_evaluator(computed_attr_context *c,char* type,Slapi_Entry *e,slapi
 }
 
 static void
-compute_add_evaluator_nolock(slapi_compute_callback_t function, compute_evaluator *new_eval)
+compute_add_evaluator_nolock(slapi_compute_callback_t function, compute_evaluator *new_eval, int rootonly)
 {
     new_eval->next = compute_evaluators;
     new_eval->function = function;
+    new_eval->rootonly = rootonly;
     compute_evaluators = new_eval;
 }
 int slapi_compute_add_evaluator(slapi_compute_callback_t function)
+{
+	return slapi_compute_add_evaluator_ext(function, 0);
+}
+int slapi_compute_add_evaluator_ext(slapi_compute_callback_t function, int rootonly)
 {
 	int rc = 0;
 	compute_evaluator *new_eval = NULL;
@@ -187,7 +200,7 @@ int slapi_compute_add_evaluator(slapi_compute_callback_t function)
                     slapi_rwlock_wrlock(compute_evaluators_lock);
                 }
                 
-                compute_add_evaluator_nolock(function, new_eval);
+                compute_add_evaluator_nolock(function, new_eval, rootonly);
                 
                 if (need_lock) {
                     slapi_rwlock_unlock(compute_evaluators_lock);

ldap/servers/slapd/entrywsi.c

@@ -1086,7 +1086,7 @@ entry_compute_nscpentrywsi(computed_attr_context *c,char* type,Slapi_Entry *e,sl
 int 
 entry_computed_attr_init()
 {
-	slapi_compute_add_evaluator(entry_compute_nscpentrywsi);
+	slapi_compute_add_evaluator_ext(entry_compute_nscpentrywsi, 1 /* root only */);
 	return 0;
 }
 

ldap/servers/slapd/slapi-plugin.h

@@ -6344,6 +6344,7 @@ typedef int (*slapi_compute_output_t)(computed_attr_context *c,Slapi_Attr *a , S
 typedef int (*slapi_compute_callback_t)(computed_attr_context *c,char* type,Slapi_Entry *e,slapi_compute_output_t outputfn);
 typedef int (*slapi_search_rewrite_callback_t)(Slapi_PBlock *pb);
 int slapi_compute_add_evaluator(slapi_compute_callback_t function);
+int slapi_compute_add_evaluator_ext(slapi_compute_callback_t function, int rootonly);
 int slapi_compute_add_search_rewriter(slapi_search_rewrite_callback_t function);
 int	compute_rewrite_search_filter(Slapi_PBlock *pb);