
Bug 1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc.

Description:
1. When an account is inactivated, the error UNWILLING_TO_PERFORM with
   the inactivated message should be returned only when the bind is
   successful.
2. When SASL bind fails, the cause of the failure is no longer returned
   directly to the client; it is logged in the access log instead.

https://bugzilla.redhat.com/show_bug.cgi?id=1347760

Reviewed by [email protected] (Thank you, William!)
Noriko Hosoi 9 年之前
當前提交
b8767d510d
共有 2 個文件被更改,包括 25 次插入28 次删除
  1. 23 26
      ldap/servers/slapd/bind.c
  2. 2 2
      ldap/servers/slapd/saslbind.c

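--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -720,25 +720,6 @@ do_bind( Slapi_PBlock *pb )
                     }
                 }
             }
-
-            /*
-             * Is this account locked ?
-             *	could be locked through the account inactivation
-             *	or by the password policy
-             *
-             * rc=0: account not locked
-             * rc=1: account locked, can not bind, result has been sent
-             * rc!=0 and rc!=1: error. Result was not sent, lets be_bind
-             * 		deal with it.
-             *
-             */
-
-            /* get the entry now, so that we can give it to slapi_check_account_lock and reslimit_update_from_dn */
-            if (! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
-                bind_target_entry = get_entry(pb,  slapi_sdn_get_ndn(sdn));
-                rc = slapi_check_account_lock ( pb, bind_target_entry, pw_response_requested, 1, 1);
-            }
-
             slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database );
             set_db_default_result_handlers(pb);
             if ( (rc != 1) && 
@@ -777,6 +758,28 @@ do_bind( Slapi_PBlock *pb )
 
                 if ( rc == SLAPI_BIND_SUCCESS ) {
                     int myrc = 0;
+                    /* 
+                     * The bind is successful.
+                     * We can give it to slapi_check_account_lock and reslimit_update_from_dn.
+                     */
+                    /*
+                     * Is this account locked ?
+                     *	could be locked through the account inactivation
+                     *	or by the password policy
+                     *
+                     * rc=0: account not locked
+                     * rc=1: account locked, can not bind, result has been sent
+                     * rc!=0 and rc!=1: error. Result was not sent, lets be_bind
+                     * 		deal with it.
+                     *
+                     */
+                    if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
+                        bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
+                        rc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);
+                        if (1 == rc) { /* account is locked */
+                            goto account_locked;
+                        }
+                    }
                     if (!auto_bind) {
                         /* 
                          * There could be a race that bind_target_entry was not added 
@@ -787,13 +790,7 @@ do_bind( Slapi_PBlock *pb )
                         if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA) && 
                             !bind_target_entry) {
                             bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
-                            if (bind_target_entry) {
-                                myrc = slapi_check_account_lock(pb, bind_target_entry,
-                                                              pw_response_requested, 1, 1);
-                                if (1 == myrc) { /* account is locked */
-                                    goto account_locked;
-                                }
-                            } else {
+                            if (!bind_target_entry) {
                                 slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "No such entry");
                                 send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL);
                                 goto free_and_return;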
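Review bot: In the second hunk the relocated lock check assigns its result to `rc` while still inside the `rc == SLAPI_BIND_SUCCESS` branch, so the bind outcome is overwritten and any return other than 0 or 1 from slapi_check_account_lock() stays in `rc` for whatever follows. The post-bind check removed in the third hunk used the local `myrc` for this; keeping that, `myrc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);` followed by `if (1 == myrc) { /* account is locked */`, leaves `rc` meaning the bind result. The copied comment line "lets be_bind deal with it" no longer fits, since this branch is presumably reached only after the backend bind has returned; it should state what happens on an error return here. A short comment that the check is deliberately placed after credential verification, so the inactivation message is not sent to a client that has not proven the password, would keep a later refactor from moving it back. do_bind continues outside the hunks, so later reads of `rc` and `myrc` could not be checked.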

+ 2 - 2
ldap/servers/slapd/saslbind.c

@@ -1051,8 +1051,8 @@ sasl_check_result:
         errstr = sasl_errdetail(sasl_conn);
         errstr = sasl_errdetail(sasl_conn);
 
 
         PR_ExitMonitor(pb->pb_conn->c_mutex); /* BIG LOCK */
         PR_ExitMonitor(pb->pb_conn->c_mutex); /* BIG LOCK */
-        send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
-                         (char*)errstr, 0, NULL);
+        slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, (void *)errstr);
+        send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
         break;
         break;
     }
     }