[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Possible bug in acl.c
- To: openldap-devel@openldap.org
- Subject: Possible bug in acl.c
- From: Kean Johnston <kean.johnston@gmail.com>
- Date: Tue, 13 Apr 2010 07:46:34 -0500
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:content-type; bh=4c7KBasojNklSmIom4i+roVLfXhQGNA5h9jBUz/xgAI=; b=a/TOULkIjv1xqCwZwOyQFlAS2a9ZA65iPK4nys4zsEKs7tfLmTb2ernoFSHmNa4nUe o1QrXd3b49sa+GV6vTiaeUIgVY02fViI+uK/+PfnrrwjAUxy+C+GrWoqA9QA/muAILQ+ 59YQxjHukvHbC+qf5o8KsHfNPlSuDPWtxr5II=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type; b=IwoxTLEzEcZNgwf3+AZWNRjCz+6wvtf1BEPGJVmiXZATzI1tJXG+DSahf4rIRXYrID XkDUje/slsieIm1wa2ypeCAhUz8HLUeAs0lad7lb75i/fwTSWDloLSeUlxYVGMvni+Io JudsRrrEwu8knpS/p+LA10ChEZh7+h2WePtTk=
- User-agent: Thunderbird 2.0.0.24 (Windows/20100228)
Assumption: the following ACL should result in $0 being expanded for the set:
access to dn.one="ou=hosts,dc=example,dc=com" attrs=authorizedService
by set.expand="[cn=access,$0]/member* & user" compare
by * =rsdx break
Reason for assumption: man slapd.access states:
Forms of the <what> clause other than regex may provide submatches as
well. The base(object), the sub(tree), the one(level), and the chil-
dren forms provide $0 as the match of the entire string. The
sub(tree), the one(level), and the children forms also provide $1 as
the match of the rightmost part of the DN as defined in the <what>
clause.
Bug: does not work as expected. The reason is that in slap.h slap_style_t
starts with ACL_STYLE_REGEX = 0, so any structure that uses slap_style_t
and uses memset to null out the structure will have its default style be
ACL_STYLE_REGEX. In acl.c there are 4 places where you test for
ACL_STYLE_REGEX on a->acl_attrval_style without checking if an actual
attribute value was supplied. The patch below fixes those cases. The better
(arguably) fix would be to change slap_style_t to start with ACL_STYLE_NONE
= 0, and then explicitly set the style when it is encountered in
aclparse.c. However, I did not want to change slap.h in case it changes
some ABI and the change to aclparse.c is larger.
As things currently stand, dn.expand, set.expand and group.expand will not
expand $0 and $1 as documented if you use dn.{base,one,sub,children} in the
what clause.
If my assumptions are correct and this should work, I will file a proper
bug in ITS.
Kean
--- acl.c.jkj 2010-04-13 07:06:12.000000000 -0500
+++ acl.c 2010-04-13 07:09:56.000000000 -0500
@@ -794,7 +794,8 @@
MATCHES_MEMSET( &tmp_matches );
tmp_data = &tmp_matches.dn_data[0];
- if ( a->acl_attrval_style == ACL_STYLE_REGEX )
+ if ( a->acl_attrval.bv_len &&
+ ( a->acl_attrval_style == ACL_STYLE_REGEX ) )
tmp_matchesp = matches;
else switch ( a->acl_dn_style ) {
case ACL_STYLE_REGEX:
@@ -861,7 +862,8 @@
bv.bv_val = buf;
/* Expand value regex */
- if ( a->acl_attrval_style == ACL_STYLE_REGEX )
+ if ( a->acl_attrval.bv_len &&
+ ( a->acl_attrval_style == ACL_STYLE_REGEX ) )
tmp_matchesp = matches;
else switch ( a->acl_dn_style ) {
case ACL_STYLE_REGEX:
@@ -1548,7 +1550,8 @@
rc = 0;
- if ( a->acl_attrval_style == ACL_STYLE_REGEX )
+ if ( a->acl_attrval.bv_len &&
+ ( a->acl_attrval_style == ACL_STYLE_REGEX ) )
tmp_matchesp = matches;
else switch ( a->acl_dn_style ) {
case ACL_STYLE_REGEX:
@@ -1638,7 +1641,8 @@
rc = 0;
- if ( a->acl_attrval_style == ACL_STYLE_REGEX )
+ if ( a->acl_attrval.bv_len &&
+ ( a->acl_attrval_style == ACL_STYLE_REGEX ) )
tmp_matchesp = matches;
else switch ( a->acl_dn_style ) {
case ACL_STYLE_REGEX: