OpenLDAP
Viewing Software Enhancements/5198

From: peter.gietz@daasi.de
Subject: wrong SQL-Statements in Back-SQL

Date: Tue, 23 Oct 2007 14:21:11 GMT
From: peter.gietz@daasi.de
To: openldap-its@OpenLDAP.org
Subject: wrong SQL-Statements in Back-SQL
Full_Name: Peter Gietz
Version: 2.3.38
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.154.95.209)


This bug report was given to me at the OpenLDAP booth on the Systems in Munich.

SQL search-statements are wrong because of a strange OR condition: 
"(2=2 OR (ldap_entries.id=ldap_entry_objclasses.entry_id AND
ldap_entry_objclasses.oc_name='"

So instead of a subset, all data are included in the response. That's what the
guy, who was too lazy to make the bug report himself, told me. He also told me
that he patched his code (by deleting the condition (2=2)) and is happy for
now.

If you think this is a bug, please repair.

I found this in the source code (.../slapd/back-sql/search.c, lines 780-805):
(not sure if this is the only occurrence)


			/*
			 * "structural" objectClass inheritance:
			 * - a search for "person" will also return 
			 *   "inetOrgPerson"
			 * - a search for "top" will return everything
			 */
			if ( is_object_subclass( oc, bsi->bsi_oc->bom_oc ) ) {
				static struct berval ldap_entry_objclasses = BER_BVC( "ldap_entry_objclasses" );

				backsql_merge_from_tbls( bsi, &ldap_entry_objclasses );

				backsql_strfcat_x( &bsi->bsi_flt_where,
						bsi->bsi_op->o_tmpmemctx,
						"lbl",
						(ber_len_t)STRLENOF( "(2=2 OR (ldap_entries.id=ldap_entry_objclasses.entry_id AND ldap_entry_objclasses.oc_name='" /* ')) */ ),
							"(2=2 OR (ldap_entries.id=ldap_entry_objclasses.entry_id AND ldap_entry_objclasses.oc_name='" /* ')) */,
						&bsi->bsi_oc->bom_oc->soc_cname,
						(ber_len_t)STRLENOF( /* ((' */ "'))" ),
							/* ((' */ "'))" );
				bsi->bsi_status = LDAP_SUCCESS;
				rc = 1;
				goto done;
			}

			break;
		}




Followup 1

Download message
Date: Wed, 24 Oct 2007 10:18:12 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: peter.gietz@daasi.de
CC: openldap-its@openldap.org
Subject: Re: (ITS#5198) wrong SQL-Statements in Back-SQL
peter.gietz@daasi.de wrote:

> This bug report was given to me at the OpenLDAP booth on the Systems in
> Munich.
> 
> SQL search-statements are wrong because of a strange OR condition: 
> "(2=2 OR (ldap_entries.id=ldap_entry_objclasses.entry_id AND
> ldap_entry_objclasses.oc_name='"
> 
> So instead of a subset, all data are included in the response.

It is not a bug, but rather an easy means to indicate that the whole
data should be returned to the frontend in order to filter it the LDAP
way, since sub-classing might be involved.  If that user doesn't want
searches for (objectClass=person) to return objects with
objectClass=inetOrgPerson, then he shouldn't be using LDAP.

> That's what the
> guy, who was too lazy to make the bug report himself, told me. He also told
> me that he patched his code (by deleting the condition (2=2)) and is happy for
> now.

Well, you see: open source software makes people happy.

As a side note, usually, well-designed RDBMSes understand that 2=2 is
always true and do not proceed any further in evaluating other clauses
in the OR.  For those RDBMSes where this causes a performance degradation
(and, I insist, it would be the RDBMS' fault), the only **improvement**
to OpenLDAP's back-sql (no bug) could consist in detecting that
condition ourselves and omitting that part of the WHERE clause entirely.
But this would probably require rewriting the filter translation layer,
and it's not something I plan to do anytime soon (unless rewarded enough to
distract me from other issues, I mean).

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
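
The behaviour discussed in this thread, as an added example that is not part of the original messages or of OpenLDAP's code: a simplified Python/sqlite3 model in which the two tables are reduced to the columns named in the WHERE clause, and the entries, the objectClass hierarchy table and the function names are constructed for illustration. It compares the statement with and without the 2=2 term, then applies a subclass-aware second pass to the candidates.

```python
import sqlite3

# Constructed objectClass hierarchy (child -> superior); an assumption for this model.
SUPERIOR = {"inetOrgPerson": "organizationalPerson", "organizationalPerson": "person",
            "person": "top", "organizationalUnit": "top", "top": None}

def is_subclass(oc, ancestor):
    """True if oc is ancestor or inherits from it (the person/inetOrgPerson case)."""
    while oc is not None:
        if oc == ancestor:
            return True
        oc = SUPERIOR.get(oc)
    return False

def build_db():
    """In-memory tables with constructed rows; only the columns seen in the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ldap_entries (id INTEGER PRIMARY KEY, dn TEXT);
        CREATE TABLE ldap_entry_objclasses (entry_id INTEGER, oc_name TEXT);
        INSERT INTO ldap_entries VALUES (1, 'cn=Ann,dc=example,dc=com'),
            (2, 'cn=Bob,dc=example,dc=com'), (3, 'ou=Sales,dc=example,dc=com');
        INSERT INTO ldap_entry_objclasses VALUES
            (1, 'person'), (2, 'inetOrgPerson'), (3, 'organizationalUnit');
    """)
    return db

# The condition from search.c; the name is bound as a parameter in this model.
JOIN = ("(ldap_entries.id=ldap_entry_objclasses.entry_id AND "
        "ldap_entry_objclasses.oc_name=?)")

def sql_candidates(db, oc, with_always_true):
    """Entry ids the SQL statement returns, with or without the 2=2 term."""
    where = f"(2=2 OR {JOIN})" if with_always_true else JOIN
    sql = ("SELECT DISTINCT ldap_entries.id FROM ldap_entries, ldap_entry_objclasses "
           f"WHERE {where} ORDER BY ldap_entries.id")
    return [row[0] for row in db.execute(sql, (oc,))]

def frontend_filter(db, ids, oc):
    """Second pass over the candidates: keep entries whose class inherits from oc."""
    q = "SELECT oc_name FROM ldap_entry_objclasses WHERE entry_id=?"
    return [i for i in ids
            if any(is_subclass(r[0], oc) for r in db.execute(q, (i,)))]

if __name__ == "__main__":
    db = build_db()
    print("patched (no 2=2):", sql_candidates(db, "person", False))
    superset = sql_candidates(db, "person", True)
    print("stock candidates:", superset, "->", frontend_filter(db, superset, "person"))
```

In this model the statement without 2=2 matches only the row whose oc_name is literally 'person', so the inetOrgPerson entry is lost before any subclass check can run; with 2=2 the SQL result is a superset and the result set is decided in the second pass.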


