(ITS#6261) Misparsing when commas present in LDAP URL DNs
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#6261) Misparsing when commas present in LDAP URL DNs
- From: jwm@horde.net
- Date: Tue, 18 Aug 2009 17:34:10 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: John Morrissey
Version: RE24
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (66.133.190.110)
libldap's ldap_url_parselist_int() splits URLs on spaces (" ") and commas
(",") when parsing them. Commas in LDAP URLs do not need to be
percent-encoded (in fact, section 4 of RFC 4516 has a number of examples
with non-encoded commas).
This causes failure in situations like passing a full URL to
ldap_initialize():
ldap_initialize("ldap://localhost/dc=example,dc=com");
Breakpoint 1, ldap_url_parselist_int (ludlist=0x7fff99b56470,
url=0x400d10 "ldap://localhost:390/dc=example,dc=com", sep=0x0,
flags=3) at url.c:1284
[...]
1293 urls = ldap_str2charray( url, sep );
(gdb)
1294 if (urls == NULL)
(gdb) print urls[0]
$1 = 0xb69280 "ldap://localhost:390/dc=example"
(gdb) print urls[1]
$2 = 0xb691b0 "dc=com"
ldap_url_parselist_int calls ldap_url_parse_ext() on urls[1], which returns
LDAP_URL_ERR_BADSCHEME. This makes its way back to ldap_initialize()'s
caller as LDAP_PARAM_ERROR.
The client tools accept comma-separated lists of URLs passed to -H. It seems
better to modify ldap_url_parselist{,_int}() to split on spaces and use
ldap_url_parselist_ext() to override this behavior where necessary for
backwards compatibility (such as in client tools).
Perhaps this is a documentation bug. In that case, ldap_open(3) should
mention this behavior, especially since it conflicts with RFC 4516.
From RFC 4516:
--
2.1. Percent-Encoding
A generated LDAP URL MUST consist only of the restricted set of
characters included in one of the following three productions defined
in [RFC3986]:
<reserved>
<unreserved>
<pct-encoded>
Implementations SHOULD accept other valid UTF-8 strings [RFC3629] as
input. An octet MUST be encoded using the percent-encoding mechanism
described in section 2.1 of [RFC3986] in any of these situations:
The octet is not in the reserved set defined in section 2.2 of
[RFC3986] or in the unreserved set defined in section 2.3 of
[RFC3986].
It is the single Reserved character '?' and occurs inside a <dn>,
<filter>, or other element of an LDAP URL.
It is a comma character ',' that occurs inside an <exvalue>.
Note that before the percent-encoding mechanism is applied, the
extensions component of the LDAP URL may contain one or more null
(zero) bytes. No other component may.
--
And from RFC 2986:
--
2.2. Reserved Characters
[...]
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
/ "*" / "+" / "," / ";" / "="
--
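To make the misparsing described in the report concrete, here is an added example (written for this page, not libldap code) that models the two splitting behaviours side by side: a splitter that breaks a URL list on spaces and commas, as the report says ldap_str2charray() is called to do, and one that breaks only on whitespace, as the report proposes. The scheme check has_ldap_scheme() is a hypothetical stand-in for the LDAP_URL_ERR_BADSCHEME outcome of ldap_url_parse_ext() and only looks at the scheme prefix; it is not the library's parser. The sample URL is the one from the gdb session above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split `list` on any character in `seps` into a NULL-terminated array of
 * heap-allocated strings; the element count is written to *n.  This models
 * the behaviour the report attributes to ldap_str2charray(); it is an
 * illustration, not libldap's implementation. */
static char **split_on(const char *list, const char *seps, size_t *n)
{
    size_t cap = 4, cnt = 0;
    char **out = malloc(cap * sizeof *out);
    const char *p = list;

    while (*p) {
        while (*p && strchr(seps, *p)) p++;          /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && !strchr(seps, *p)) p++;         /* scan one element */
        if (cnt + 1 >= cap) {
            cap *= 2;
            out = realloc(out, cap * sizeof *out);
        }
        size_t len = (size_t)(p - start);
        out[cnt] = malloc(len + 1);
        memcpy(out[cnt], start, len);
        out[cnt][len] = '\0';
        cnt++;
    }
    out[cnt] = NULL;
    if (n) *n = cnt;
    return out;
}

void free_list(char **l)
{
    for (char **p = l; *p; p++) free(*p);
    free(l);
}

/* Behaviour described in the report: split on spaces AND commas, which
 * cuts a DN such as dc=example,dc=com in half. */
char **split_url_list_legacy(const char *list, size_t *n)
{
    return split_on(list, " ,", n);
}

/* Behaviour the report proposes: split on whitespace only, so an RFC 4516
 * URL with unencoded commas in its <dn> stays in one piece. */
char **split_url_list_space_only(const char *list, size_t *n)
{
    return split_on(list, " \t\n", n);
}

/* Hypothetical minimal scheme check standing in for the BADSCHEME result
 * of ldap_url_parse_ext(): 1 if the element starts with a known scheme. */
int has_ldap_scheme(const char *url)
{
    static const char *schemes[] = { "ldap://", "ldaps://", "ldapi://", NULL };
    for (int i = 0; schemes[i]; i++)
        if (strncmp(url, schemes[i], strlen(schemes[i])) == 0)
            return 1;
    return 0;
}

/* Number of elements that would be rejected for a bad scheme after
 * splitting `list` with `splitter`; 0 means the list parses cleanly. */
int count_bad_scheme(const char *list, char **(*splitter)(const char *, size_t *))
{
    size_t n;
    char **l = splitter(list, &n);
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!has_ldap_scheme(l[i])) bad++;
    free_list(l);
    return bad;
}

int main(void)
{
    /* URL taken from the gdb session in the report. */
    const char *url = "ldap://localhost:390/dc=example,dc=com";
    size_t n;
    char **parts = split_url_list_legacy(url, &n);
    for (size_t i = 0; i < n; i++)
        printf("legacy[%zu] = \"%s\"\n", i, parts[i]);
    free_list(parts);
    printf("bad-scheme elements, legacy split:     %d\n",
           count_bad_scheme(url, split_url_list_legacy));
    printf("bad-scheme elements, space-only split: %d\n",
           count_bad_scheme(url, split_url_list_space_only));
    return 0;
}
```

With the legacy splitter the URL becomes two elements, "ldap://localhost:390/dc=example" and "dc=com", and the second fails the scheme check, which is the path by which the report says LDAP_PARAM_ERROR reaches the caller of ldap_initialize(); the whitespace-only splitter keeps the URL whole and a space-separated list such as "ldap://h1 ldap://h2" still yields two elements.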