Issue 664 - servers/slapd/sasl.c username's strpbrk
Summary: servers/slapd/sasl.c username's strpbrk
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2000-08-15 21:03 UTC by mei@isi.edu
Modified: 2014-08-01 21:05 UTC (History)

Description Kurt Zeilenga 2000-08-15 18:38:02 UTC
changed notes
changed state Open to Suspended
moved from Incoming to Development
Comment 1 mei@isi.edu 2000-08-15 21:03:50 UTC
Full_Name: mei-hui su
Version: openldap 2.0 latest
OS: solaris 2.7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (128.9.64.206)


Hi,

  In servers/slapd/sasl.c around line #475

                        } else if ( username[0] == 'u' && username[1] == ':'
                                && username[2] != '\0'
                                && strpbrk( &username[2], "=,;\"\\") == NULL )
<<--

  the strpbrk should not check for '=' because it is possible to have userid
with '=' as part of attributeTypeAndValue. For example, X.509 userids (i.e.
subject names).

mei


Comment 2 Kurt Zeilenga 2000-08-15 21:44:43 UTC
The strpbrk is used to ensure that a valid DN is produced.
The code probably should escape the value as necessary
(of course, this makes for uglier regex'ing).  Mark is
working in this area, I'll leave it to him to sort out
a reasonable path.  You may want to comment on his proposal
(on the devel list).

Kurt
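
Added example, not part of the issue thread and not OpenLDAP's code: one way to do what Comment 2 suggests, escaping the username as a DN attribute value (RFC 4514 rules) instead of rejecting it with strpbrk. The function names, the "uid=" RDN and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Escape `in` as a DN attribute value (RFC 4514 string form).
 * Returns the escaped length, or -1 if `out` is too small. */
int dn_escape_value(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in), o = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        int esc = strchr("\"+,;<>\\=", c) != NULL      /* specials, '=' too */
               || (i == 0 && (c == ' ' || c == '#'))    /* leading ' ' or '#' */
               || (i == n - 1 && c == ' ');             /* trailing space */
        if (o + (esc ? 2 : 1) >= outlen) return -1;     /* keep room for NUL */
        if (esc) out[o++] = '\\';
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical stand-in for the quoted check: accept any non-empty "u:"
 * username and escape it. The "uid=" RDN is assumed for illustration. */
int authzid_to_rdn(const char *authzid, char *out, size_t outlen)
{
    char val[256];
    int w;
    if (authzid[0] != 'u' || authzid[1] != ':' || authzid[2] == '\0')
        return -1;
    if (dn_escape_value(&authzid[2], val, sizeof val) < 0)
        return -1;
    w = snprintf(out, outlen, "uid=%s", val);
    return (w < 0 || (size_t)w >= outlen) ? -1 : w;
}

int main(void)
{
    /* Constructed sample identities, not taken from the issue. */
    const char *samples[] = { "u:mei", "u:cn=Mei Su,o=ISI", "u:a\\b;c" };
    char rdn[128];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        if (authzid_to_rdn(samples[i], rdn, sizeof rdn) > 0)
            printf("%-20s -> %s\n", samples[i], rdn);
    return 0;
}
```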

Comment 3 Kurt Zeilenga 2000-09-02 15:05:29 UTC
moved from Development to Software Enhancements
Comment 4 Kurt Zeilenga 2000-09-06 10:23:01 UTC
moved from Software Enhancements to Development
Comment 5 Kurt Zeilenga 2000-09-21 17:14:25 UTC
changed notes
changed state Suspended to Closed
Comment 6 OpenLDAP project 2014-08-01 21:05:27 UTC
Authzid code replaced