|
 |
e79480 |
From 816175c782e708de8ae47d3788dba3a6ed0fe3d8 Mon Sep 17 00:00:00 2001
|
|
|
e79480 |
From: Mark Reynolds <mreynolds@redhat.com>
|
|
|
e79480 |
Date: Mon, 28 Oct 2019 11:01:33 -0400
|
|
|
e79480 |
Subject: [PATCH] CVE - deref plugin displays restricted attributes
|
|
|
e79480 |
|
|
|
e79480 |
Bug Description: If there is an ACI that allows "search" access to an attribute,
|
|
|
e79480 |
the deref plugin access control checks sees this is a "read"
|
|
|
e79480 |
privilege and returns the attribute's value.
|
|
|
e79480 |
|
|
|
e79480 |
Fix description: For deref plugin we are only concerned with "read" access, not
|
|
|
e79480 |
"search" access. Removed the SLAPI_ACL_SEARCH right flag when
|
|
|
e79480 |
checking access for an attribute.
|
|
|
e79480 |
|
|
|
e79480 |
Reviewed by: lkrispen
|
|
|
e79480 |
---
|
|
|
e79480 |
ldap/servers/plugins/deref/deref.c | 6 +++---
|
|
|
e79480 |
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
e79480 |
|
|
|
e79480 |
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
|
|
|
e79480 |
index cb5ebb830..ec1884ba3 100644
|
|
|
e79480 |
--- a/ldap/servers/plugins/deref/deref.c
|
|
|
e79480 |
+++ b/ldap/servers/plugins/deref/deref.c
|
|
|
e79480 |
@@ -573,7 +573,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
|
|
|
e79480 |
Slapi_Entry **entries = NULL;
|
|
|
e79480 |
int rc;
|
|
|
e79480 |
|
|
|
e79480 |
- /* If the access check on the attributes is done without retrieveing the entry
|
|
|
e79480 |
+ /* If the access check on the attributes is done without retrieving the entry
|
|
|
e79480 |
* it cannot handle acis which need teh entry, eg to apply a targetfilter rule
|
|
|
e79480 |
* So the determination of attrs which can be dereferenced is delayed
|
|
|
e79480 |
*/
|
|
|
e79480 |
@@ -596,7 +596,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
|
|
|
e79480 |
int ii;
|
|
|
e79480 |
int needattrvals = 1; /* need attrvals sequence? */
|
|
|
e79480 |
if (deref_check_access(pb, entries[0], derefdn, attrs, &retattrs,
|
|
|
e79480 |
- (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
|
|
|
e79480 |
+ SLAPI_ACL_READ)) {
|
|
|
e79480 |
slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
|
|
|
e79480 |
"deref_do_deref_attr - The client does not have permission to read the requested "
|
|
|
e79480 |
"attributes in entry %s\n",
|
|
|
e79480 |
@@ -714,7 +714,7 @@ deref_pre_entry(Slapi_PBlock *pb)
|
|
|
e79480 |
attrs[1] = NULL;
|
|
|
e79480 |
|
|
|
e79480 |
if (deref_check_access(pb, ent, NULL, attrs, &retattrs,
|
|
|
e79480 |
- (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
|
|
|
e79480 |
+ SLAPI_ACL_READ)) {
|
|
|
e79480 |
slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
|
|
|
e79480 |
"deref_pre_entry - The client does not have permission to read attribute %s in entry %s\n",
|
|
|
e79480 |
spec->derefattr, slapi_entry_get_dn_const(ent));
|
|
|
e79480 |
--
|
|
|
e79480 |
2.21.0
|
|
|
e79480 |
|