[Fedora-directory-commits] ldapserver/ldap/servers/plugins/acl acl.c, 1.8, 1.9

Nathan Kinder (nkinder) fedora-directory-commits at redhat.com
Thu Oct 4 16:27:49 UTC 2007


Author: nkinder

Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/acl
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv434/plugins/acl

Modified Files:
	acl.c 
Log Message:
Resolves: 288321
Summary: Handle poorly formatted DNs when normalizing.  Also, only check modify values against the authenticated DN for DN-syntax attributes.



Index: acl.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/acl.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- acl.c	10 Nov 2006 23:44:49 -0000	1.8
+++ acl.c	4 Oct 2007 16:27:47 -0000	1.9
@@ -235,7 +235,7 @@
 	Slapi_PBlock	    *pb,
 	Slapi_Entry	    *e,			/* The Slapi_Entry */
 	char				*attr,		/* Attribute of	the entry */
-	struct berval	    *val,		/* value of attr. NOT USED */
+	struct berval	    *val,		/* value of attr */
 	int		    access		/* requested access rights */
 	)
 {
@@ -341,21 +341,32 @@
 	acl_init_aclpb ( pb, aclpb, clientDn, 0	);
 	TNF_PROBE_0_DEBUG(acl_aclpbinit_end,"ACL","");
 
-
-	/* Here	we mean	if "I am trying	to add/delete "myself" ? " */
-	if (val &&  (access & SLAPI_ACL_WRITE) && (val->bv_len > 0) ) {
-		/* should use slapi_sdn_compare() but that'a an extra malloc/free */
-		
-		char *dn_val_to_write =
-					slapi_dn_normalize(slapi_ch_strdup(val->bv_val)); 
-   
-     	if ( aclpb->aclpb_authorization_sdn && 
-				slapi_utf8casecmp((ACLUCHP)dn_val_to_write, (ACLUCHP)
-				slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn)) == 0) { 
-			access |= SLAPI_ACL_SELF;
-         } 
+	/* Here	we mean	if "I am trying	to add/delete "myself" to a group, etc." We
+	 * basically just want to see if the value matches the DN of the user that
+	 * we're checking access for */
+	if (val &&  (access & SLAPI_ACL_WRITE) && (val->bv_len > 0)) {
+		Slapi_Attr *sa = slapi_attr_new();
+		char *oid = NULL;
+
+		slapi_attr_init(sa, attr);
+		slapi_attr_get_syntax_oid_copy(sa, &oid);
+  
+		/* We only want to perform this check if the attribute is
+		 * defined using the DN syntax. */
+		if (oid && (strcasecmp(oid, DN_SYNTAX_OID) == 0)) { 
+			/* should use slapi_sdn_compare() but that'a an extra malloc/free */
+			char *dn_val_to_write = slapi_dn_normalize(slapi_ch_strdup(val->bv_val));
+			if ( aclpb->aclpb_authorization_sdn && 
+					slapi_utf8casecmp((ACLUCHP)dn_val_to_write, (ACLUCHP)
+					slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn)) == 0) { 
+				access |= SLAPI_ACL_SELF;
+			} 
 	
-		slapi_ch_free( (void **)&dn_val_to_write);
+			slapi_ch_free_string(&dn_val_to_write);
+		}
+
+		slapi_ch_free_string(&oid);
+		slapi_attr_free(&sa);
 	}
 
 	/* Convert access to string of rights eg SLAPI_ACL_ADD->"add". */
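Review bot: The DN comparison inside the new `if (oid && ...)` branch still copies the value with `slapi_ch_strdup(val->bv_val)`, which reads up to the first NUL rather than `val->bv_len` bytes; a berval is length-delimited, so unless every caller guarantees termination (not visible here) this can read past the end of the value. Because the result decides whether `SLAPI_ACL_SELF` is added to `access`, I would copy exactly `bv_len` bytes before normalizing: `char *dn_val_to_write = slapi_ch_malloc(val->bv_len + 1);` then `memcpy(dn_val_to_write, val->bv_val, val->bv_len); dn_val_to_write[val->bv_len] = '\0';`. The return value of `slapi_attr_get_syntax_oid_copy()` is ignored; a NULL `oid` skips the check, which fails closed, but a comment such as `/* unknown syntax: never grant SELF */` would make that intent explicit. The carried-over comment about avoiding "an extra malloc/free" is now misleading, since this path allocates a Slapi_Attr and an OID copy on every write check that carries a value. The enclosing function starts and ends outside the hunk.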



