OpenLDAP
Viewing Software Bugs/7271

Date: Sun, 13 May 2012 01:15:29 +0000
From: wking@tremily.us
To: openldap-its@OpenLDAP.org
Subject: Don't clobber SASL_NOCANON in clients/tools/common.c
Full_Name: W. Trevor King
Version: git commit 22bf5188
OS: Gentoo
URL: http://blog.tremily.us/posts/LDAP/tool-nocanon.patch
Submission from: (NULL) (72.68.88.202)


The ldap.conf SASL_NOCANON configuration option (or LDAPSASL_NOCANON environment
variable) should set the default behaviour for OpenLDAP tools such as
ldapwhoami.  This configuration option should allow users to use the tools
without having to use the matching command line option (-N).  Unfortunately, the
current code sets the option to true/false after only querying the command line
option.

I'm linking to a patch that looks at the current value of the option first, and
if it's true, skips processing the command line option (which would either be a
redundant -N keeping the option true, or an absence of -N which implies the user
wants to use the configured value (true)).

Another approach would be to set the initial value of nocanon to UNINITIALIZED
(-1?).  Command line arguments could set nocanon to 1 (true, -N) or false (0,
--canon?).  Then we would only call ldap_set_option if nocanon was not
UNINITIALIZED.

I can work up a patch using this second approach if people prefer.  If so, let
me know if you want me to define UNINITIALIZED, or to just use -1.

I didn't check, but I would not be surprised if this same clobbering occurred
for other command line options.
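
An added example (not from the report, the attached patch, or OpenLDAP's own code) that shows the precedence bug the report describes and both of the fixes it proposes. It uses a constructed `fake_ld` struct in place of the libldap handle, assumes the library has already applied the ldap.conf `SASL_NOCANON` / `LDAPSASL_NOCANON` default to that struct before the tool runs, and treats `--canon` as the hypothetical flag the report floats, not a real option.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a libldap handle (not the real LDAP struct):
 * the library is assumed to have already applied ldap.conf SASL_NOCANON or
 * the LDAPSASL_NOCANON environment variable to this field. */
typedef struct {
    int sasl_nocanon;  /* 1: skip reverse-DNS canonicalization of the SASL host */
} fake_ld;

#define NOCANON_UNSET (-1)  /* "no command-line flag seen" (the report's UNINITIALIZED) */

/* Behaviour before the fix: the flag is always written, so a configured
 * "on" is clobbered to "off" whenever -N is absent. */
int apply_nocanon_clobbering(fake_ld *ld, int cli_nocanon)
{
    ld->sasl_nocanon = cli_nocanon > 0 ? 1 : 0;
    return ld->sasl_nocanon;
}

/* First approach from the report: read the current value and leave it
 * alone if it is already on.  An explicit "off" can never win here. */
int apply_nocanon_check_first(fake_ld *ld, int cli_nocanon)
{
    if (!ld->sasl_nocanon)
        ld->sasl_nocanon = cli_nocanon > 0 ? 1 : 0;
    return ld->sasl_nocanon;
}

/* Second approach from the report: tri-state flag; NOCANON_UNSET keeps the
 * configured default, and an explicit off is honoured as well. */
int apply_nocanon_tristate(fake_ld *ld, int cli_nocanon)
{
    if (cli_nocanon != NOCANON_UNSET)
        ld->sasl_nocanon = cli_nocanon ? 1 : 0;
    return ld->sasl_nocanon;
}

/* Parse argv into the tri-state: -N turns it on, the hypothetical --canon
 * turns it off, no flag leaves it unset. */
int parse_nocanon_flag(int argc, char *const argv[])
{
    int value = NOCANON_UNSET;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-N") == 0)
            value = 1;
        else if (strcmp(argv[i], "--canon") == 0)
            value = 0;
    }
    return value;
}

int main(void)
{
    /* Constructed command lines. */
    char *const no_flag[] = { "ldapwhoami", "-Y", "GSSAPI" };
    char *const canon[]   = { "ldapwhoami", "--canon" };
    int cli_unset = parse_nocanon_flag(3, no_flag);
    int cli_off   = parse_nocanon_flag(2, canon);

    /* Each handle starts as if ldap.conf said "SASL_NOCANON on". */
    fake_ld a = { 1 }, b = { 1 }, c = { 1 }, d = { 1 };
    printf("clobbering      : %d\n", apply_nocanon_clobbering(&a, cli_unset));  /* 0: config lost */
    printf("check-first     : %d\n", apply_nocanon_check_first(&b, cli_unset)); /* 1: config kept */
    printf("tristate        : %d\n", apply_nocanon_tristate(&c, cli_unset));    /* 1: config kept */
    printf("tristate --canon: %d\n", apply_nocanon_tristate(&d, cli_off));      /* 0: explicit off */
    return 0;
}
```

The tri-state variant is the one that gives the command line full control in both directions; the check-first variant matches the behaviour the thread settles on, where the tools can only turn the option on.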

Followup 1

Date: Sat, 12 May 2012 21:27:48 -0400
From: "W. Trevor King" <wking@tremily.us>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c

I forgot to add the notice to the patch I just submitted.  Here's the
notice:


The attached patch file is derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following
patch(es) were developed by W. Trevor King wking@tremily.us. I have
not assigned rights and/or interest in this work to any party.

I, W. Trevor King, hereby place the following modifications to
OpenLDAP Software (and only these modifications) into the public
domain. Hence, these modifications may be freely used and/or
redistributed for any purpose with or without attribution and/or other
notice.


I've attached the patch again, since that matches the language in the
notice.

Cheers,
Trevor

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy

Attachment: tool-nocanon.patch

ITS#7271 fix SASL_NOCANON clobbering in tools/common.c.

diff --git a/clients/tools/common.c b/clients/tools/common.c
index 9c98b62..9868658 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -1214,6 +1214,7 @@ LDAP *
 tool_conn_setup( int dont, void (*private_setup)( LDAP * ) )
 {
 	LDAP *ld =3D NULL;
+	int i;
=20
 	if ( debug ) {
 		if( ber_set_option( NULL, LBER_OPT_DEBUG_LEVEL, &debug )
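Review bot: the new `int i;` in tool_conn_setup() is only used inside the `#ifdef HAVE_CYRUS_SASL` block later in the function, so a build without Cyrus SASL gets an unused-variable warning; declare it inside that block instead, and give it a name that says what it holds, e.g. `int nocanon_cur;`.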
@@ -1410,13 +1411,22 @@ dnssrv_free:;
=20
 #ifdef HAVE_CYRUS_SASL
 		/* canon */
-		if( ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON,
-			nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF ) !=3D LDAP_OPT_SUCCESS )
+		if( ldap_get_option( ld, LDAP_OPT_X_SASL_NOCANON, &i )
+			!=3D LDAP_OPT_SUCCESS )
 		{
-			fprintf( stderr, "Could not set LDAP_OPT_X_SASL_NOCANON %s\n",
-				nocanon ? "on" : "off" );
+			fprintf( stderr, "Could not get LDAP_OPT_X_SASL_NOCANON\n" );
 			tool_exit( ld, EXIT_FAILURE );
 		}
+		if (!i) {
+			fprintf( stderr, "Set NOCANON to %s\n", nocanon ? "on" : "off" );
+			if( ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON,
+				nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF ) !=3D LDAP_OPT_SUCCESS )
+			{
+				fprintf( stderr, "Could not set LDAP_OPT_X_SASL_NOCANON %s\n",
+					nocanon ? "on" : "off" );
+				tool_exit( ld, EXIT_FAILURE );
+			}
+		}  /* otherwise SASL_NOCANON already set to true (e.g. via ~/.ldaprc) */
 #endif
 		if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol )
 			!=3D LDAP_OPT_SUCCESS )
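Review bot: the unconditional `fprintf( stderr, "Set NOCANON to %s\n", ... )` looks like leftover debugging output and would print on every invocation of every tool built with SASL; drop it or guard it with the existing `debug` flag. Otherwise the logic does what the report asks: ldap_get_option() returns what libldap already applied from ldap.conf / LDAPSASL_NOCANON, and the set only happens when that value is off, so a configured `on` is no longer clobbered. When `-N` was not given the `nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF` branch still writes LDAP_OPT_OFF over a value that is already off; harmless, but the set could be skipped when `nocanon` is zero.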




Followup 2

Date: Wed, 30 May 2012 06:14:38 -0700
From: Howard Chu <hyc@symas.com>
To: wking@tremily.us
CC: openldap-its@openldap.org
Subject: Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c
wking@tremily.us wrote:
> Full_Name: W. Trevor King
> Version: git commit 22bf5188
> OS: Gentoo
> URL: http://blog.tremily.us/posts/LDAP/tool-nocanon.patch
> Submission from: (NULL) (72.68.88.202)
>
>
> The ldap.conf SASL_NOCANON configuration option (or LDAPSASL_NOCANON environment
> variable) should set the default behaviour for OpenLDAP tools such as
> ldapwhoami.  This configuration option should allow users to use the tools
> without having to use the matching command line option (-N).  Unfortunately, the
> current code sets the option to true/false after only querying the command line
> option.
>
> I'm linking to a patch that looks at the current value of the option first, and
> if it's true, skips processing the command line option (which would either be a
> redundant -N keeping the option true, or an absence of -N which implies the user
> wants to use the configured value (true)).
>
> Another approach would be to set the initial value of nocanon to UNINITIALIZED
> (-1?).  Command line arguments could set nocanon to 1 (true, -N) or false (0,
> --canon?).  Then we would only call ldap_set_option if nocanon was not
> UNINITIALIZED.
>
> I can work up a patch using this second approach if people prefer.  If so, let
> me know if you want me to define UNINITIALIZED, or to just use -1.
>
> I didn't check, but I would not be surprised if this same clobbering occurred
> for other command line options.

The only other boolean command line option is referrals, which is deprecated 
and has been undocumented for years. Not worth bothering over.

Ideally the command line option should have been able to set this explicitly 
to both true and false, to allow complete control over the option. But I'm not 
particularly concerned either way. Since the option currently can only be set 
to true, it would be sufficient to just check for nocanon != 0 before calling 
ldap_set_option.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/




Followup 3

Date: Wed, 30 May 2012 11:25:26 -0400
From: "W. Trevor King" <wking@tremily.us>
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@openldap.org
Subject: Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c

On Wed, May 30, 2012 at 06:14:38AM -0700, Howard Chu wrote:
> Ideally the command line option should have been able to set this
> explicitly to both true and false, to allow complete control over
> the option. But I'm not particularly concerned either way. Since the
> option currently can only be set to true, it would be sufficient to
> just check for nocanon != 0 before calling ldap_set_option.

My personal goal here is to not need to bother with command line
options, so I'm fine with this less general solution.  Another patch
(only set the option with an explicit `-N`) attached.

---
The attached patch file is derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following
patch(es) were developed by W. Trevor King wking@tremily.us. I have
not assigned rights and/or interest in this work to any party.

I, W. Trevor King, hereby place the following modifications to
OpenLDAP Software (and only these modifications) into the public
domain. Hence, these modifications may be freely used and/or
redistributed for any purpose with or without attribution and/or other
notice.

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy

Attachment: tool-nocanon.patch

diff --git a/clients/tools/common.c b/clients/tools/common.c
index 9c98b62..e928fb2 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -1410,12 +1410,13 @@ dnssrv_free:;
=20
 #ifdef HAVE_CYRUS_SASL
 		/* canon */
-		if( ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON,
-			nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF ) !=3D LDAP_OPT_SUCCESS )
-		{
-			fprintf( stderr, "Could not set LDAP_OPT_X_SASL_NOCANON %s\n",
-				nocanon ? "on" : "off" );
-			tool_exit( ld, EXIT_FAILURE );
+		if( nocanon ) {
+			if( ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON,
+				LDAP_OPT_ON ) !=3D LDAP_OPT_SUCCESS )
+			{
+				fprintf( stderr, "Could not set LDAP_OPT_X_SASL_NOCANON on\n" );
+				tool_exit( ld, EXIT_FAILURE );
+			}
 		}
 #endif
 		if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol )
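Review bot: this removes the only code path that ever set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_OFF, so the tools now only turn the option on (`-N`) and otherwise inherit whatever libldap read from ldap.conf / LDAPSASL_NOCANON, which is the scope agreed in the thread; the tools' man pages should say so in one line, since a user with `SASL_NOCANON on` in ldap.conf has no command-line way to force canonicalization back on. The hunk itself is clean: the error message is now fixed to "on", matching the single remaining branch, and the `#ifdef HAVE_CYRUS_SASL` guard is preserved.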



Followup 4

Date: Wed, 30 May 2012 09:41:07 -0700
From: Howard Chu <hyc@symas.com>
To: "W. Trevor King" <wking@tremily.us>
CC: openldap-its@openldap.org
Subject: Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c
W. Trevor King wrote:
> On Wed, May 30, 2012 at 06:14:38AM -0700, Howard Chu wrote:
>> Ideally the command line option should have been able to set this
>> explicitly to both true and false, to allow complete control over
>> the option. But I'm not particularly concerned either way. Since the
>> option currently can only be set to true, it would be sufficient to
>> just check for nocanon != 0 before calling ldap_set_option.
>
> My personal goal here is to not need to bother with command line
> options, so I'm fine with this less general solution.  Another patch
> (only set the option with an explicit `-N`) attached.
>
> ---
> The attached patch file is derived from OpenLDAP Software. All of the
> modifications to OpenLDAP Software represented in the following
> patch(es) were developed by W. Trevor King wking@tremily.us. I have
> not assigned rights and/or interest in this work to any party.
>
> I, W. Trevor King, hereby place the following modifications to
> OpenLDAP Software (and only these modifications) into the public
> domain. Hence, these modifications may be freely used and/or
> redistributed for any purpose with or without attribution and/or other
> notice.
>
Thanks, added to master.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org