[Fedora-directory-commits] ldapserver/ldap/servers/plugins/acl acl.c, 1.8, 1.9
Nathan Kinder (nkinder)
fedora-directory-commits at redhat.com
Thu Oct 4 16:27:49 UTC 2007
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/acl
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv434/plugins/acl
Modified Files:
acl.c
Log Message:
Resolves: 288321
Summary: Handle poorly formatted DNs when normalizing. Also, check modify values against the authenticated DN only for DN syntax attributes.
Index: acl.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/acl.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- acl.c 10 Nov 2006 23:44:49 -0000 1.8
+++ acl.c 4 Oct 2007 16:27:47 -0000 1.9
@@ -235,7 +235,7 @@
Slapi_PBlock *pb,
Slapi_Entry *e, /* The Slapi_Entry */
char *attr, /* Attribute of the entry */
- struct berval *val, /* value of attr. NOT USED */
+ struct berval *val, /* value of attr */
int access /* requested access rights */
)
{
@@ -341,21 +341,32 @@
acl_init_aclpb ( pb, aclpb, clientDn, 0 );
TNF_PROBE_0_DEBUG(acl_aclpbinit_end,"ACL","");
-
- /* Here we mean if "I am trying to add/delete "myself" ? " */
- if (val && (access & SLAPI_ACL_WRITE) && (val->bv_len > 0) ) {
- /* should use slapi_sdn_compare() but that'a an extra malloc/free */
-
- char *dn_val_to_write =
- slapi_dn_normalize(slapi_ch_strdup(val->bv_val));
-
- if ( aclpb->aclpb_authorization_sdn &&
- slapi_utf8casecmp((ACLUCHP)dn_val_to_write, (ACLUCHP)
- slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn)) == 0) {
- access |= SLAPI_ACL_SELF;
- }
+ /* Here we mean if "I am trying to add/delete "myself" to a group, etc." We
+ * basically just want to see if the value matches the DN of the user that
+ * we're checking access for */
+ if (val && (access & SLAPI_ACL_WRITE) && (val->bv_len > 0)) {
+ Slapi_Attr *sa = slapi_attr_new();
+ char *oid = NULL;
+
+ slapi_attr_init(sa, attr);
+ slapi_attr_get_syntax_oid_copy(sa, &oid);
+
+ /* We only want to perform this check if the attribute is
+ * defined using the DN syntax. */
+ if (oid && (strcasecmp(oid, DN_SYNTAX_OID) == 0)) {
+ /* should use slapi_sdn_compare() but that'a an extra malloc/free */
+ char *dn_val_to_write = slapi_dn_normalize(slapi_ch_strdup(val->bv_val));
+ if ( aclpb->aclpb_authorization_sdn &&
+ slapi_utf8casecmp((ACLUCHP)dn_val_to_write, (ACLUCHP)
+ slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn)) == 0) {
+ access |= SLAPI_ACL_SELF;
+ }
- slapi_ch_free( (void **)&dn_val_to_write);
+ slapi_ch_free_string(&dn_val_to_write);
+ }
+
+ slapi_ch_free_string(&oid);
+ slapi_attr_free(&sa);
}
/* Convert access to string of rights eg SLAPI_ACL_ADD->"add". */
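Review bot: `slapi_ch_strdup(val->bv_val)` in the new DN-syntax branch still treats the berval as a C string and ignores `val->bv_len`, so the string compared with the authenticated DN is only what precedes the first NUL byte, which may differ from the bytes actually being written. Because a match sets `SLAPI_ACL_SELF`, the comparison should cover exactly the submitted value: guard the branch with `memchr(val->bv_val, '\0', val->bv_len) == NULL` and copy `bv_len` bytes plus a terminator before normalizing. Whether callers always NUL-terminate `bv_val` is not visible in this hunk, so this may turn out to be purely defensive. I would also add a comment next to the `oid &&` test such as `/* oid stays NULL if the syntax lookup fails; self access is then never granted */` so the fail-closed behaviour is recorded as intentional. The enclosing function starts and ends outside the hunk.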