From 58b738e455355344acbfcac556600b2e19ade1a3 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 2 Dec 2013 17:13:55 -0500
Subject: [PATCH 63/65] Ticket 47614 - Possible to specify invalid SASL
mechanism in nsslapd-allowed-sasl-mechanisms
Bug Description: Invalid values could be specified in the allowed sasl mechanisms configuration
attribute. These values are directly passed to the sasl library.
Fix Description: Follow RFC 4422, only allow up to 20 characters that are ASCII upper-case letters,
digits, hyphens, or underscores.
https://fedorahosted.org/389/ticket/47614
Reviewed by: richm(Thanks!)
(cherry picked from commit 7e8a5fc7183f7c08212bfb746ea8c5ceedee0132)
(cherry picked from commit f00321f892545d59e07c1a944936153660640e47)
---
ldap/servers/slapd/libglobs.c | 60 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index b925a2c..a763135 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -126,6 +126,7 @@ static int config_set_onoff( const char *attrname, char *value,
static int config_set_schemareplace ( const char *attrname, char *value,
char *errorbuf, int apply );
static void remove_commas(char *str);
+static int invalid_sasl_mech(char *str);
/* Keeping the initial values */
/* CONFIG_INT/CONFIG_LONG */
@@ -6768,6 +6769,13 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
/* cyrus sasl doesn't like comma separated lists */
remove_commas(value);
+ if(invalid_sasl_mech(value)){
+ LDAPDebug(LDAP_DEBUG_ANY,"Invalid value/character for sasl mechanism (%s). Use ASCII "
+ "characters, upto 20 characters, that are upper-case letters, "
+ "digits, hyphens, or underscores\n", value, 0, 0);
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+
CFG_LOCK_WRITE(slapdFrontendConfig);
slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
CFG_UNLOCK_WRITE(slapdFrontendConfig);
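Review bot: The rejection branch at `if(invalid_sasl_mech(value))` reports the problem only through LDAPDebug and never writes to `errorbuf`, so the client that attempted the change receives LDAP_UNWILLING_TO_PERFORM with no reason attached. If this function follows the usual config setter convention, the same text should also go into the caller's buffer, e.g. `PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Invalid value for %s", attrname);` before the return. The check also runs after `remove_commas(value)` has rewritten the string in place, so the logged value is the rewritten form rather than what the administrator typed. The body of config_set_allowed_sasl_mechs starts and ends outside this hunk, so whether `apply` is consulted earlier cannot be seen here.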
@@ -7452,3 +7460,55 @@ remove_commas(char *str)
}
}
}
+
+/*
+ * Check the SASL mechanism values
+ *
+ * As per RFC 4422:
+ * SASL mechanisms are named by character strings, from 1 to 20
+ * characters in length, consisting of ASCII [ASCII] uppercase letters,
+ * digits, hyphens, and/or underscores.
+ */
+static int
+invalid_sasl_mech(char *str)
+{
+ char *mech = NULL, *token = NULL, *next = NULL;
+ int i;
+
+ if(str == NULL){
+ return 0;
+ }
+
+ /*
+ * Check the length for each mechanism
+ */
+ token = slapi_ch_strdup(str);
+ for (mech = ldap_utf8strtok_r(token, " ", &next); mech;
+ mech = ldap_utf8strtok_r(NULL, " ", &next))
+ {
+ if(strlen(mech) == 0 || strlen(mech) > 20){
+ /* invalid length */
+ slapi_ch_free_string(&token);
+ return 1;
+ }
+ }
+ slapi_ch_free_string(&token);
+
+ /*
+ * Check the individual characters
+ */
+ for (i = 0; str[i]; i++){
+ if ( ((int)str[i] < 48 || (int)str[i] > 57) && /* not a digit */
+ ((int)str[i] < 65 || (int)str[i] > 90) && /* not upper case */
+ (int)str[i] != 32 && /* not a space (between mechanisms) */
+ (int)str[i] != 45 && /* not a hyphen */
+ (int)str[i] != 95 ) /* not an underscore */
+ {
+ /* invalid character */
+ return 1;
+ }
+ }
+
+ /* Mechanism value is valid */
+ return 0;
+}
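Review bot: The `strlen(mech) == 0` test in invalid_sasl_mech can never be true, because a strtok-style tokenizer does not return empty tokens, so an empty or all-space value is accepted as valid. If clearing the attribute that way is intended, the comment should say so. The length pass also duplicates the string only to measure tokens, and the character pass uses bare ASCII codes (48, 57, 65, 90, ...). A single pass with character literals needs no allocation and keeps the check locale-independent, which `isupper()`/`isdigit()` would not. The parameter is never written through and could be `const char *str`, which also means changing the prototype added in the first hunk.

```c
static int
invalid_sasl_mech(char *str)
{
    size_t len = 0; /* length of the mechanism name currently being scanned */
    int i;

    /* ... unchanged: NULL check returning 0 ... */

    for (i = 0; str[i]; i++){
        char c = str[i];

        if (c == ' '){
            len = 0; /* separator between mechanisms: start a new name */
            continue;
        }
        if ( !(c >= '0' && c <= '9') && !(c >= 'A' && c <= 'Z') &&
             c != '-' && c != '_' ){
            return 1; /* invalid character */
        }
        if (++len > 20){
            return 1; /* RFC 4422 limits a mechanism name to 20 characters */
        }
    }

    /* Mechanism value is valid */
    return 0;
}
```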
--
1.8.1.4