OpenLDAP
Viewing Development/6645

From: masarati@aero.polimi.it
Subject: Yet Another LDIF Wrap Patch
Date: Thu, 09 Sep 2010 17:39:55 +0000
From: masarati@aero.polimi.it
To: openldap-its@OpenLDAP.org
Subject: Yet Another LDIF Wrap Patch
Full_Name: Pierangelo Masarati
Version: HEAD/re24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-09-09-ldif-wrap.1.patch
Submission from: (NULL) (129.72.165.135)
Submitted by: ando


The subject should be self-explanatory.  It is only exploited by slapcat, via
the -o ldif-wrap=<n> option (<n> < 0: default; <n> == 0: no wrap; <n> > 0: wrap
value); extending ldapsearch is trivial.

I'm *NOT* going to commit this unless there is unanimous consensus ;)

Enjoy.  p.

Followup 1

Date: Thu, 09 Sep 2010 14:51:49 -0700
From: Howard Chu <hyc@symas.com>
To: masarati@aero.polimi.it
CC: openldap-its@openldap.org
Subject: Re: (ITS#6645) Yet Another LDIF Wrap Patch

masarati@aero.polimi.it wrote:
> Full_Name: Pierangelo Masarati
> Version: HEAD/re24
> OS: irrelevant
> URL: ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-09-09-ldif-wrap.1.patch
> Submission from: (NULL) (129.72.165.135)
> Submitted by: ando
>
>
> The subject should be self-explanatory.  It is only exploited by slapcat, via
> the -o ldif-wrap=<n> option (<n> < 0: default; <n> == 0: no wrap; <n> > 0: wrap
> value); extending ldapsearch is trivial.
>
> I'm *NOT* going to commit this unless there is unanimous consensus ;)

Not thrilled with the magic constant 2^31-1. Seems like you should have just
used "if ( wrap && len > wrap )" instead of a word-size-dependent magic.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

Date: Fri, 10 Sep 2010 00:04:06 +0200 (CEST)
Subject: Re: (ITS#6645) Yet Another LDIF Wrap Patch
From: masarati@aero.polimi.it
To: hyc@symas.com
Cc: openldap-its@openldap.org

<ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-09-09-ldif-wrap.2.patch>

:)



Followup 3

From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Fri, 10 Sep 2010 19:30:22 +0200
To: hyc@symas.com
Cc: openldap-its@openldap.org
Subject: Re: (ITS#6645) Yet Another LDIF Wrap Patch

hyc@symas.com writes:
> Not thrilled with the magic constant 2^31-1. Seems like you should have just
> used "if ( wrap && len > wrap )" instead of a word-size-dependent magic.

The code just needs to be a little less clever:-)  Pass -1 to a
'ber_len_t wrap'.  The constant (ber_len_t)-1 will prevent wrapping:
"if (len > (ber_len_t)-1)" always fails.

But if we are going to have smarter LDIF output, I'm more interested in
an option to avoid base64 encoding of valid UTF-8 strings.  Also one
to force base64-encoding for caller-specified attributes.  Or just
a bitflag to ldif_sput() after the caller checks the attribute type.

-- 
Hallvard
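
The unsigned-sentinel approach suggested in the message above, as an added example that is not part of the original thread or of the patch: `wrap_from_option()`, `ldif_fold()`, `NO_WRAP` and the default width of 76 are assumptions made for illustration, with `size_t` standing in for `ber_len_t`.

```c
#include <stddef.h>
#include <string.h>

#define DEFAULT_WIDTH 76         /* assumed default column, not taken from the thread */
#define NO_WRAP ((size_t)-1)     /* all-ones at any word size: no length exceeds it */

/* Map the option value described in the report to an unsigned width:
 * n < 0 -> default, n == 0 -> no wrap, n > 0 -> wrap at n columns. */
size_t wrap_from_option(long n)
{
    if (n < 0) return DEFAULT_WIDTH;
    if (n == 0) return NO_WRAP;
    return (size_t)n;
}

/* Fold one logical LDIF line into out; a continuation line starts with a
 * single space (RFC 2849). Returns bytes written excluding the NUL, or
 * (size_t)-1 when out is too small. */
size_t ldif_fold(const char *line, size_t wrap, char *out, size_t outsz)
{
    size_t len = strlen(line), pos = 0, o = 0, room;

    if (wrap < 2) wrap = 2;      /* a continuation needs the space plus one byte */
    room = wrap;                 /* payload bytes allowed on the first line */

    /* With wrap == NO_WRAP this comparison is never true, so no special
     * case and no width-dependent constant such as 2^31-1 is needed. */
    while (len - pos > room) {
        if (o + room + 2 >= outsz) return (size_t)-1;
        memcpy(out + o, line + pos, room);
        o += room;
        pos += room;
        out[o++] = '\n';
        out[o++] = ' ';
        room = wrap - 1;         /* the leading space uses one column */
    }
    if (o + (len - pos) + 1 > outsz) return (size_t)-1;
    memcpy(out + o, line + pos, len - pos);
    o += len - pos;
    out[o] = '\0';
    return o;
}
```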



Followup 4

Date: Fri, 10 Sep 2010 19:48:04 +0200 (CEST)
Subject: Re: (ITS#6645) Yet Another LDIF Wrap Patch
From: masarati@aero.polimi.it
To: h.b.furuseth@usit.uio.no
Cc: openldap-its@openldap.org

> hyc@symas.com writes:
>> Not thrilled with the magic constant 2^31-1. Seems like you should have just
>> used "if ( wrap && len > wrap )" instead of a word-size-dependent magic.
>
> The code just needs to be a little less clever:-)  Pass -1 to a
> 'ber_len_t wrap'.  The constant (ber_len_t)-1 will prevent wrapping:
> "if (len > (ber_len_t)-1)" always fails.

Thanks.

> But if we are going to have smarter LDIF output, I'm more interested in
> an option to avoid base64 encoding of valid UTF-8 strings.  Also one
> to force base64-encoding for caller-specified attributes.  Or just
> a bitflag to ldif_sput() after the caller checks the attribute type.

See ldif_must_b64_encode_register() :)

We already use it to force encoding of olcRootPW and other password-like
attrs in proxy backends.

p.



Followup 5

Date: Fri, 10 Sep 2010 21:41:09 +0200 (CEST)
Subject: Re: (ITS#6645) Yet Another LDIF Wrap Patch
From: masarati@aero.polimi.it
To: h.b.furuseth@usit.uio.no
Cc: openldap-its@openldap.org

> hyc@symas.com writes:
>> Not thrilled with the magic constant 2^31-1. Seems like you should have just
>> used "if ( wrap && len > wrap )" instead of a word-size-dependent magic.
>
> The code just needs to be a little less clever:-)  Pass -1 to a
> 'ber_len_t wrap'.  The constant (ber_len_t)-1 will prevent wrapping:
> "if (len > (ber_len_t)-1)" always fails.

<ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-09-09-ldif-wrap.3.patch>

Includes documentation.  Thanks for checking this.

p.



The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org