[Date Prev][Date Next]
(ITS#6819) invalid attributes in search request
Full_Name: Pierangelo Masarati
Submission from: (NULL) (188.8.131.52)
Submitted by: ando
As per RFC4511 we ignore unknown attributes in search requests, and we handle
special attributes according to RFC 3673 and RFC 4529; however we probably
should ignore and discard invalid attributes (i.e. attributes not conforming to
section 2.5. of RFC4512).
A noteworthy example is that right now slapd accepts "" (the empty string).
Although there is no strong motivation for discarding non conforming requests
(and, as per RFC 3673 and RFC 4529, the production attributeSelector of Section
184.108.40.206. of RFC 4511 had to be extended, so this code should be updated whenever
that production is modified further), I think this change would be in the spirit
of OpenLDAP's slapd (i.e. liberal in accepting requests with invalid
productions, but strict in not letting them proceed further).
One case where an invalid production is causing problems downstream is in
accesslog, where the empty string is written as the value of a reqAttr, which is
invalid per the syntax of reqAttr which is an LDAPString. As a consequence, a
slapcat of such an accesslog entry cannot be reloaded.
I am fixing accesslog otherwise, but probably invalid attributeselectors should
be filtered out when parsing search requests.