Blame SOURCES/0021-Ticket-47922-dynamically-added-macro-aci-is-not-eval.patch

From 0a1e9e51568d5caea0b97d79773dbc9f5a900ab3 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri, 10 Oct 2014 11:50:13 -0700
Subject: [PATCH 21/21] Ticket #47922 - dynamically added macro aci is not
 evaluated on the fly
Bug Description: When macro aci is dynamically added and if the aci's
macro target dn is not normalized, the following operation that requires
the aci could fail with Insufficient access since matching the target dn
and the macro target dn fails since the code expects normalized macro
target dn.
Fix Description: Before setting the macro target dn, process the dn by
slapi_create_dn_string_case.
https://fedorahosted.org/389/ticket/47922
Reviewed by lkrispen@redhat.com and rmeggins@redhat.com (Thank you, Ludwig and Rich!!)
(cherry picked from commit 07c1bc25508a9c1e71dd8e717fd4ce455ddfeff0)
(cherry picked from commit c6b397c8466fd0859c5404c946a82f240564076e)
---
 ldap/servers/plugins/acl/aclparse.c | 19 +++++++++++++------
 ldap/servers/plugins/acl/aclutil.c  |  2 +-
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c
index ea64fa7..be86c8b 100644
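--- a/ldap/servers/plugins/acl/aclparse.c
+++ b/ldap/servers/plugins/acl/aclparse.c
@@ -1849,9 +1849,9 @@ static int
 acl_check_for_target_macro( aci_t *aci_item, char *value)
 {
 
-	char			*str = NULL;
+	char *str = NULL;
 
-	str = strstr(value, ACL_TARGET_MACRO_DN_KEY /* ($dn) */);	
+	str = PL_strcasestr(value, ACL_TARGET_MACRO_DN_KEY /* ($dn) */);
 	
 	if (str != NULL) {
 		char *p0 = NULL, *p1 = NULL;
@@ -1871,10 +1871,17 @@ acl_check_for_target_macro( aci_t *aci_item, char *value)
 		aci_item->aci_type &= ~ACI_TARGET_DN;
 		aci_item->aci_type |= ACI_TARGET_MACRO_DN;
 		aci_item->aci_macro = (aciMacro *)slapi_ch_malloc(sizeof(aciMacro));
-		aci_item->aci_macro->match_this = slapi_ch_strdup(value);
-		aci_item->aci_macro->macro_ptr = strstr( aci_item->aci_macro->match_this,
-												 ACL_TARGET_MACRO_DN_KEY);
-		return(1);											
+		/* Macro dn needs to normalize. E.g., "ou=Groups, ($dN), dn=example,dn=com" */
+		aci_item->aci_macro->match_this = slapi_create_dn_string_case("%s", value);
+		if (NULL == aci_item->aci_macro->match_this) {
+			slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
+			                "acl_check_for_target_macro: Error: Invalid macro target dn: \"%s\"\n", value);
+			aci_item->aci_type &= ~ACI_TARGET_MACRO_DN;
+			slapi_ch_free((void **)&aci_item->aci_macro);
+			return -1;
+		}
+		aci_item->aci_macro->macro_ptr = PL_strcasestr(aci_item->aci_macro->match_this, ACL_TARGET_MACRO_DN_KEY);
+		return(1);
 	}
 
 	return(0);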
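Review bot: The new failure path in acl_check_for_target_macro returns -1 from a function whose other visible returns are 0 and 1, and by then the context line `aci_item->aci_type &= ~ACI_TARGET_DN;` has already run, so a rejected macro dn leaves the aci with neither ACI_TARGET_DN nor ACI_TARGET_MACRO_DN set. The callers are outside this patch, so it cannot be confirmed here that they test for a negative result; a caller written as a plain truth test would read -1 as "macro found" with `aci_macro` already released, and an aci left without a target flag should be rejected as a whole rather than evaluated. I would state the contract above the function, e.g. `/* returns 1: macro target set, 0: no macro, -1: invalid macro dn, caller must reject the aci */`, and move the two `aci_type` updates below the NULL check so a failed normalization leaves the flags untouched. Separately, `macro_ptr` is assigned from `PL_strcasestr` on the normalized string without a check; if normalization can ever alter the `($dn)` key, later users would see a NULL pointer, so `if (NULL == aci_item->aci_macro->macro_ptr)` deserves the same error path. The body of the function between the two hunks is not visible here.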
diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c
index e865a95..0720dae 100644
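--- a/ldap/servers/plugins/acl/aclutil.c
+++ b/ldap/servers/plugins/acl/aclutil.c
@@ -785,7 +785,7 @@ acl_match_macro_in_target( const char *ndn, char * match_this,
 	macro_prefix = slapi_ch_strdup(match_this);
 	
 	/* we know it's got a $(dn) */
-	tmp_ptr = strstr(macro_prefix, ACL_TARGET_MACRO_DN_KEY);	
+	tmp_ptr = PL_strcasestr(macro_prefix, ACL_TARGET_MACRO_DN_KEY);	
 	if (!tmp_ptr) {
 		LDAPDebug(LDAP_DEBUG_ACL,"acl_match_macro_in_target: "
 				"Target macro DN key \"%s\" not found in \"%s\".\n",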
-- 
1.9.3