Re: (ITS#3830) Buggy access attrs=... val=...
> Howard Chu writes:
>> I have committed a fix to HEAD, please test.
>
> Thanks. The reported problem is fixed.
> I've stumbled on to two new ones instead - including a crash:
>
>
> "access non-DN-attr=foo val=bar" uses the attribute's EQUALITY
> rule to check for a match - and so value_match() crashes on
> assert( mr != NULL ) if the attribute has no EQUALITY rule.
Asserts are there for this reason :)
> E.g. "access to attrs=supportedControl val=1.2 by * read".
>
> I suggest that slapd then exits with an error message during startup:
> "val.regex style for non-DN attr without EQUALITY rule":
> http://folk.uio.no/hbf/OpenLDAP/valacl.patch
> That does mean one can't use 'val=<not regexp>' on an attribute for
> access control on inherited attributes with EQUALITY rules, but it's
> less surprising than to just have the match fail at run-time.
>
> Not sure if slap_acl_get() needs to check if there is an EQUALITY
> rule in any case.
>
> I note that acl_mask_dnattr() also calls value_match() with some
> attribute's EQUALITY rule; maybe that needs something similar.
>
>
> Also, the value from 'val=' does not get normalized. So
> access to attrs=configContext val=CN=CONFIG by * none
> access to * by * read
> does show configContext: cn=config. OTOH,
> access to attrs=objectClass val=OPENLDAPROOTDSE by * none
> works fine - it only shows objectClass: top.
I'll look at these.
Thanks, p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
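A small Python model of the two defects in the quoted report, added here as an illustration (it is not OpenLDAP code; the attribute set and the per-attribute normalizers are assumed, simplified stand-ins for the schema's EQUALITY rules): a config-time check that rejects val=<literal> on an attribute with no EQUALITY rule instead of letting value_match() assert at request time, and a matcher that normalizes the ACL value with the same rule as the entry value so that val=CN=CONFIG matches configContext: cn=config.

```python
# Simplified normalizer standing in for distinguishedNameMatch (assumption:
# real slapd calls the schema's matching-rule normalize function instead).
def normalize_dn(value: str) -> str:
    """Lower-case every RDN and strip surrounding whitespace."""
    return ",".join(rdn.strip().lower() for rdn in value.split(","))

# attribute -> normalizer, or None when the schema defines no EQUALITY rule
# (constructed subset; supportedControl has no EQUALITY rule, as in the report)
EQUALITY = {
    "configContext": normalize_dn,
    "supportedControl": None,
}

def parse_acl_val(attr: str, acl_val: str) -> str:
    """Config-time check: fail at startup with a clear message when the
    attribute has no EQUALITY rule, and otherwise normalize the ACL value
    once so later comparisons see the same form as the entry value."""
    rule = EQUALITY.get(attr)
    if rule is None:
        raise ValueError(f"val style for attr {attr!r} without EQUALITY rule")
    return rule(acl_val)

def acl_matches_buggy(attr: str, acl_val: str, entry_val: str) -> bool:
    """Reported behaviour: only the entry value is normalized, so the raw
    ACL value 'CN=CONFIG' never equals the stored 'cn=config'."""
    return EQUALITY[attr](entry_val) == acl_val

def acl_matches_fixed(attr: str, acl_val: str, entry_val: str) -> bool:
    """Both sides go through the attribute's EQUALITY normalizer."""
    return EQUALITY[attr](entry_val) == parse_acl_val(attr, acl_val)

def startup_error(attr: str, acl_val: str):
    """Return the startup error text for an ACL line, or None if it is accepted."""
    try:
        parse_acl_val(attr, acl_val)
        return None
    except ValueError as err:
        return str(err)
```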