[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6261) Misparsing when commas present in LDAP URL DNs

To: openldap-its@OpenLDAP.org
Subject: (ITS#6261) Misparsing when commas present in LDAP URL DNs
From: jwm@horde.net
Date: Tue, 18 Aug 2009 17:34:10 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: John Morrissey
Version: RE24
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (66.133.190.110)


libldap's ldap_url_parselist_int() splits URLs on spaces (" ") and commas
(",") when parsing them. Commas in LDAP URLs do not need to be
percent-encoded (in fact, section 4 of RFC 4516 has a number of examples
with non-encoded commas).

This causes failure in situations like passing a full URL to
ldap_initialize():

ldap_initialize("ldap://localhost/dc=example,dc=com";);

Breakpoint 1, ldap_url_parselist_int (ludlist=0x7fff99b56470,
    url=0x400d10 "ldap://localhost:390/dc=example,dc=com";, sep=0x0,
    flags=3) at url.c:1284
[...]
1293            urls = ldap_str2charray( url, sep );
(gdb)
1294            if (urls == NULL)
(gdb) print urls[0]
$1 = 0xb69280 "ldap://localhost:390/dc=example";
(gdb) print urls[1]
$2 = 0xb691b0 "dc=com"

ldap_url_parselist_int calls ldap_url_parse_ext() on urls[1], which returns
LDAP_URL_ERR_BADSCHEME. This makes its way back to ldap_initialize()'s
caller as LDAP_PARAM_ERROR.

The client tools accept comma-separated lists of URLs passed to -H. It seems
better to modify ldap_url_parselist{,_int}() to split on spaces and use
ldap_url_parselist_ext() to override this behavior where necessary for
backwards compatibility (such as in client tools).

Perhaps this is a documentation bug. In that case, ldap_open(3) should
mention this behavior, especially since it conflicts with RFC 4516.


>From RFC 4516:
--
2.1.  Percent-Encoding

   A generated LDAP URL MUST consist only of the restricted set of
   characters included in one of the following three productions defined
   in [RFC3986]:

         <reserved>
         <unreserved>
         <pct-encoded>

   Implementations SHOULD accept other valid UTF-8 strings [RFC3629] as
   input.  An octet MUST be encoded using the percent-encoding mechanism
   described in section 2.1 of [RFC3986] in any of these situations:

      The octet is not in the reserved set defined in section 2.2 of
      [RFC3986] or in the unreserved set defined in section 2.3 of
      [RFC3986].

      It is the single Reserved character '?' and occurs inside a <dn>,
      <filter>, or other element of an LDAP URL.

      It is a comma character ',' that occurs inside an <exvalue>.

   Note that before the percent-encoding mechanism is applied, the
   extensions component of the LDAP URL may contain one or more null
   (zero) bytes.  No other component may.
--

And from RFC 2986:
--
2.2.  Reserved Characters
[...]
      reserved    = gen-delims / sub-delims

      gen-delims  = ":" / "/" / "?" / "#" / "[" / "]" / "@"

      sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                  / "*" / "+" / "," / ";" / "=" 
--

Prev by Date: Re: (ITS#6194) Patch - Enhancement - provide LDIF support as libldif
Next by Date: Re: (ITS#6261) Misparsing when commas present in LDAP URL DNs
Index(es):
- Chronological
- Thread