Home Explore Help
Register Sign In
Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Issue 49095 - targetattr wildcard evaluation is incorrectly case sensitive

Description:  When processing an aci that uses a wildcard targetattr, the
              comparision should be done using case insensitive functions.

https://pagure.io/389-ds-base/issue/49095

Reviewed by: firstyear(Thanks!)
Mark Reynolds 8 years ago
parent
4fb30a0006
commit
fdf78dca6c
2 changed files with 90 additions and 5 deletions
Split View Show Diff Stats
  1. 85 0
      dirsrvtests/tests/tickets/ticket49095_test.py
  2. 5 5
      ldap/servers/plugins/acl/acl.c

+ 85 - 0
dirsrvtests/tests/tickets/ticket49095_test.py
View File 

@@ -0,0 +1,85 @@
 
+import time
 
+import ldap
 
+import logging
 
+import pytest
 
+from lib389 import DirSrv, Entry, tools, tasks
 
+from lib389.tools import DirSrvTools
 
+from lib389._constants import *
 
+from lib389.properties import *
 
+from lib389.tasks import *
 
+from lib389.utils import *
 
+from lib389.topologies import topology_st as topo
 
+
 
+DEBUGGING = os.getenv("DEBUGGING", default=False)
 
+if DEBUGGING:
 
+    logging.getLogger(__name__).setLevel(logging.DEBUG)
 
+else:
 
+    logging.getLogger(__name__).setLevel(logging.INFO)
 
+log = logging.getLogger(__name__)
 
+
 
+USER_DN = 'uid=testuser,dc=example,dc=com'
 
+acis = ['(targetattr != "tele*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
 
+        '(targetattr != "TELE*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
 
+        '(targetattr != "telephonenum*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
 
+        '(targetattr != "TELEPHONENUM*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)']
 
+
 
+
 
+def test_ticket49095(topo):
 
+    """Check that target attrbiutes with wildcards are case insensitive
 
+    """
 
+
 
+    # Add an entry
 
+    try:
 
+        topo.standalone.add_s(Entry((USER_DN, {
 
+            'objectclass': 'top extensibleObject'.split(),
 
+            'uid': 'testuser',
 
+            'telephonenumber': '555-555-5555'
 
+        })))
 
+    except ldap.LDAPError as e:
 
+            log.fatal('Failed to add test user: ' + e.message['desc'])
 
+            assert False
 
+
 
+    for aci in acis:
 
+        # Add ACI
 
+        try:
 
+            topo.standalone.modify_s(DEFAULT_SUFFIX,
 
+                          [(ldap.MOD_REPLACE, 'aci', aci)])
 
+
 
+        except ldap.LDAPError as e:
 
+            log.fatal('Failed to set aci: ' + aci + ': ' + e.message['desc'])
 
+            assert False
 
+
 
+        # Set Anonymous Bind to test aci
 
+        try:
 
+            topo.standalone.simple_bind_s("", "")
 
+        except ldap.LDAPError as e:
 
+            log.fatal('Failed to bind anonymously: ' + e.message['desc'])
 
+            assert False
 
+
 
+        # Search for entry - should not get any results
 
+        try:
 
+            entry = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE,
 
+                                             'telephonenumber=*')
 
+            if entry:
 
+                log.fatal('The entry was incorrectly returned')
 
+                assert False
 
+        except ldap.LDAPError as e:
 
+            log.fatal('Failed to search anonymously: ' + e.message['desc'])
 
+            assert False
 
+
 
+        # Set root DN Bind so we can update aci's
 
+        try:
 
+            topo.standalone.simple_bind_s(DN_DM, PASSWORD)
 
+        except ldap.LDAPError as e:
 
+            log.fatal('Failed to bind anonymously: ' + e.message['desc'])
 
+            assert False
 
+
 
+    log.info("Test Passed")
 
+
 
+
 
+if __name__ == '__main__':
 
+    # Run isolated
 
+    # -s for DEBUG mode
 
+    CURRENT_FILE = os.path.realpath(__file__)
 
+    pytest.main("-s %s" % CURRENT_FILE)
 
+

+ 5 - 5
ldap/servers/plugins/acl/acl.c
View File 

@@ -3407,19 +3407,19 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
 
 	}
 
 
 	/* this assumes that str and the filter components are already
 
-	 * normalized. If not, it shoul be done
 
+	 * normalized. If not, it should be done
 
 	 */
 
 	if ( initial != NULL) {
 
 		len = strlen(initial);
 
 		if (exact_match) {
 
-			int rc = strncmp(p, initial, len);
 
+			int rc = strncasecmp(p, initial, len);
 
 			if (rc) {
 
 				return ACL_FALSE;
 
 			} else {
 
 				p += len;
 
 			}  
 		} else {
 
-			p = strstr(p, initial);
 
+			p = strcasestr(p, initial);
 
 			if (p) {
 
 				p += len;
 
 			} else {
 
@@ -3430,7 +3430,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
 
 
 	if ( any != NULL) {
 
 		for (i = 0;  any && any[i] != NULL; i++) {
 
-			p = strstr(p, any[i]);
 
+			p = strcasestr(p, any[i]);
 
 			if (p) {
 
 				p += strlen(any[i]);
 
 			} else {
 
@@ -3444,7 +3444,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
 
 		len = strlen(final);
 
 		tlen = strlen(p);
 
 		if (len > tlen) return ACL_FALSE;
 
-		if (strcmp(p+tlen-len, final)) return ACL_FALSE;
 
+		if (strcasecmp(p+tlen-len, final)) return ACL_FALSE;
 
 	}
 
 
 	return ACL_TRUE;