
(ITS#6819) invalid attributes in search request



Full_Name: Pierangelo Masarati
Version: HEAD/re24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.175.154.200)
Submitted by: ando


As per RFC 4511 we ignore unknown attributes in search requests, and we handle
special attributes according to RFC 3673 and RFC 4529; however we probably
should ignore and discard invalid attributes (i.e. attributes not conforming to
section 2.5. of RFC 4512).

A noteworthy example is that right now slapd accepts "" (the empty string).
Although there is no strong motivation for discarding non-conforming requests
(and, as per RFC 3673 and RFC 4529, the production attributeSelector of Section
4.5.1.8. of RFC 4511 had to be extended, so this code should be updated whenever
that production is modified further), I think this change would be in the spirit
of OpenLDAP's slapd (i.e. liberal in accepting requests with invalid
productions, but strict in not letting them proceed further).

One case where an invalid production is causing problems downstream is in
accesslog, where the empty string is written as the value of a reqAttr, which is
invalid per the syntax of reqAttr which is an LDAPString.  As a consequence, a
slapcat of such an accesslog entry cannot be reloaded.

I am fixing accesslog otherwise, but probably invalid attributeSelectors should
be filtered out when parsing search requests.

p.
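
The filtering proposed in the report above, sketched as an added example; it is not part of the original message and is not OpenLDAP's code. It checks each requested selector against the attributeSelector production of RFC 4511 section 4.5.1.8 (attributedescription per RFC 4512 section 2.5, plus "*"), extended with "+" from RFC 3673 and "@" oid options from RFC 4529, and drops anything else, including the empty string. The names `struct sel`, `attr_selector_valid` and `filter_attr_selectors` are hypothetical, and selectors are assumed to arrive as length-delimited byte strings.

```c
#include <stddef.h>

/* ALPHA, DIGIT and keychar as defined in RFC 4512, section 1.4 */
static int is_alpha(unsigned char c) { c |= 0x20; return c >= 'a' && c <= 'z'; }
static int is_digit(unsigned char c) { return c >= '0' && c <= '9'; }
static int is_keychar(unsigned char c) { return is_alpha(c) || is_digit(c) || c == '-'; }

/* oid = descr / numericoid; returns the number of bytes consumed, 0 on error */
static size_t scan_oid(const char *s, size_t n)
{
    size_t i = 0;
    if (n && is_alpha(s[0])) {                /* descr = ALPHA *keychar */
        while (i < n && is_keychar(s[i])) i++;
        return i;
    }
    for (int arcs = 1; ; arcs++) {            /* numericoid = number 1*( DOT number ) */
        if (i == n || !is_digit(s[i])) return 0;
        if (s[i] == '0' && i + 1 < n && is_digit(s[i + 1])) return 0; /* leading zero */
        while (i < n && is_digit(s[i])) i++;
        if (i == n || s[i] != '.') return arcs >= 2 ? i : 0;
        i++;
    }
}

/* Returns 1 if the n-byte selector is "*", "+", or [ "@" ] oid options.
 * The special selector "1.1" already matches numericoid. */
int attr_selector_valid(const char *s, size_t n)
{
    if (n == 1 && (s[0] == '*' || s[0] == '+')) return 1;
    if (n && s[0] == '@') { s++; n--; }       /* RFC 4529 object class form */
    size_t i = scan_oid(s, n);
    if (i == 0) return 0;                     /* rejects "" and a bare "@" */
    while (i < n && s[i] == ';') {            /* options = *( SEMI 1*keychar ) */
        if (++i == n || !is_keychar(s[i])) return 0;
        while (i < n && is_keychar(s[i])) i++;
    }
    return i == n;                            /* trailing bytes (even NUL) are invalid */
}

/* Hypothetical length-delimited value, standing in for an LDAPString */
struct sel { const char *val; size_t len; };

/* Compacts a[] in place, keeping only valid selectors; returns the new count */
size_t filter_attr_selectors(struct sel *a, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (attr_selector_valid(a[i].val, a[i].len)) a[kept++] = a[i];
    return kept;
}
```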