Inicio Explorar Axuda
Rexistro Iniciar sesión
Apq
/
389-ds-base
réplica de https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

Ticket 47614 - Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms

Bug Description:  Invalid values could be specified in the allowed sasl mechanisms configuration
                  attribute.  These values are directly passed to the sasl library.

Fix Description:  Follow RFR 4422, only allow upto 20 characters that are ASCII upper-case letters,
                  digits, hyphens, or underscores.

https://fedorahosted.org/389/ticket/47614

Reviewed by: richm(Thanks!)
Mark Reynolds %!s(int64=12) %!d(string=hai) anos
pai
0cb6de1488
achega
7e8a5fc718
Modificáronse 1 ficheiros con 60 adicións e 0 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 60 0
      ldap/servers/slapd/libglobs.c

+ 60 - 0
ldap/servers/slapd/libglobs.c
Ver ficheiro 

@@ -126,6 +126,7 @@ static int config_set_onoff( const char *attrname, char *value,
 
 static int config_set_schemareplace ( const char *attrname, char *value,
 
 		char *errorbuf, int apply );
 
 static void remove_commas(char *str);
 
+static int invalid_sasl_mech(char *str);
 
 
 /* Keeping the initial values */
 
 /* CONFIG_INT/CONFIG_LONG */
 
@@ -6824,6 +6825,13 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
 
     /* cyrus sasl doesn't like comma separated lists */
 
     remove_commas(value);
 
 
+    if(invalid_sasl_mech(value)){
 
+        LDAPDebug(LDAP_DEBUG_ANY,"Invalid value/character for sasl mechanism (%s).  Use ASCII "
 
+                                 "characters, upto 20 characters, that are upper-case letters, "
 
+                                 "digits, hyphens, or underscores\n", value, 0, 0);
 
+        return LDAP_UNWILLING_TO_PERFORM;
 
+    }
 
+
 
     CFG_LOCK_WRITE(slapdFrontendConfig);
 
     slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
 
     CFG_UNLOCK_WRITE(slapdFrontendConfig);
 
@@ -7595,3 +7603,55 @@ remove_commas(char *str)
 
         }
 
     }
 
 }
 
+
 
+/*
 
+ * Check the SASL mechanism values
 
+ *
 
+ * As per RFC 4422:
 
+ * SASL mechanisms are named by character strings, from 1 to 20
 
+ * characters in length, consisting of ASCII [ASCII] uppercase letters,
 
+ * digits, hyphens, and/or underscores.
 
+ */
 
+static int
 
+invalid_sasl_mech(char *str)
 
+{
 
+    char *mech = NULL, *token = NULL, *next = NULL;
 
+    int i;
 
+
 
+    if(str == NULL){
 
+        return 0;
 
+    }
 
+
 
+    /*
 
+     * Check the length for each mechanism
 
+     */
 
+    token = slapi_ch_strdup(str);
 
+    for (mech = ldap_utf8strtok_r(token, " ", &next); mech;
 
+         mech = ldap_utf8strtok_r(NULL, " ", &next))
 
+    {
 
+        if(strlen(mech) == 0 || strlen(mech) > 20){
 
+            /* invalid length */
 
+            slapi_ch_free_string(&token);
 
+            return 1;
 
+        }
 
+    }
 
+    slapi_ch_free_string(&token);
 
+
 
+    /*
 
+     * Check the individual characters
 
+     */
 
+    for (i = 0; str[i]; i++){
 
+        if ( ((int)str[i] < 48 || (int)str[i] > 57) && /* not a digit */
 
+             ((int)str[i] < 65 || (int)str[i] > 90) && /* not upper case */
 
+             (int)str[i] != 32 && /* not a space (between mechanisms) */
 
+             (int)str[i] != 45 && /* not a hyphen */
 
+             (int)str[i] != 95 ) /* not an underscore */
 
+        {
 
+            /* invalid character */
 
+            return 1;
 
+        }
 
+    }
 
+
 
+    /* Mechanism value is valid */
 
+    return 0;
 
+}