authorNoriko Hosoi <nhosoi@redhat.com>2010-04-26 11:03:52 -0700
committerNoriko Hosoi <nhosoi@redhat.com>2010-04-26 11:03:52 -0700
commit78c50664d6421cc5d0836bb03820680dc2cb7acf (patch)
tree20fcfadad9057617daa0b159216f0a92006969f5 /ldap/servers/plugins
parent4754291972668c37559a8f68d75ac6f8c477efb8 (diff)
Update to New DN Format
Fix Description: . adding slapi_dn_normalize_ext and its siblings to normalize/validate invalid DNs; deprecating slapi_dn_normalize and its siblings. (dn.c) . replacing slapi_dn_normalize with new corresponding functions. . normalizing hardcoded DNs (e.g., removing spaces around ',') . setting correct DN syntax to nsslapd-suffix, nsslapd-ldapiautodnsuffix, costemplatedn, nsslapd-changelogsuffix, nsBaseDN, nsBindDN . if nsslapd-dn-validate-strict is enabled, incoming DN is examined and rejected if it is invalid. Once approved, the DN is normalized. . fixing compiler warnings and typos. See also: http://directory.fedoraproject.org/wiki/Upgrade_to_New_DN_Format Related bugs: Bug 199923 - subtree search fails to find items under a db containing special characters Bug 567968 - subtree/user level password policy created using 389-ds-console doesn't work. Bug 570107 - The import of LDIFs with base-64 encoded DNs fails, modrdn with non-ASCII new rdn incorrect Bug 570962 - ns-inactivate.pl does not work Bug 572785 - DN syntax: old style of DN <type>="<DN>",<the_rest> is not correctly normalized Bug 573060 - DN normalizer: ESC HEX HEX is not normalized Bug 574167 - An escaped space at the end of the RDN value is not handled correctly
Diffstat (limited to 'ldap/servers/plugins')
-rw-r--r--ldap/servers/plugins/acl/acl.c56
-rw-r--r--ldap/servers/plugins/acl/acl.h7
-rw-r--r--ldap/servers/plugins/acl/acl_ext.c2
-rw-r--r--ldap/servers/plugins/acl/aclanom.c1
-rw-r--r--ldap/servers/plugins/acl/acleffectiverights.c47
-rw-r--r--ldap/servers/plugins/acl/acllas.c201
-rw-r--r--ldap/servers/plugins/acl/aclparse.c386
-rw-r--r--ldap/servers/plugins/acl/aclproxy.c17
-rw-r--r--ldap/servers/plugins/acl/aclutil.c66
-rw-r--r--ldap/servers/plugins/chainingdb/cb_config.c10
-rw-r--r--ldap/servers/plugins/chainingdb/cb_init.c4
-rw-r--r--ldap/servers/plugins/chainingdb/cb_instance.c8
-rw-r--r--ldap/servers/plugins/cos/cos_cache.c127
-rw-r--r--ldap/servers/plugins/dna/dna.c53
-rw-r--r--ldap/servers/plugins/linkedattrs/fixup_task.c4
-rw-r--r--ldap/servers/plugins/mep/mep.c4
-rw-r--r--ldap/servers/plugins/pwdstorage/smd5_pwd.c4
-rw-r--r--ldap/servers/plugins/referint/referint.c37
-rw-r--r--ldap/servers/plugins/replication/legacy_consumer.c1
-rw-r--r--ldap/servers/plugins/replication/repl5.h2
-rw-r--r--ldap/servers/plugins/replication/repl5_agmt.c19
-rw-r--r--ldap/servers/plugins/replication/repl5_agmtlist.c3
-rw-r--r--ldap/servers/plugins/replication/repl5_protocol.c1
-rw-r--r--ldap/servers/plugins/replication/repl5_replica.c27
-rw-r--r--ldap/servers/plugins/replication/repl5_replica_config.c1
-rw-r--r--ldap/servers/plugins/replication/repl_init.c1
-rw-r--r--ldap/servers/plugins/retrocl/retrocl.c1
-rw-r--r--ldap/servers/plugins/retrocl/retrocl_create.c13
-rw-r--r--ldap/servers/plugins/syntaxes/string.c166
-rw-r--r--ldap/servers/plugins/syntaxes/syntax.h1
-rw-r--r--ldap/servers/plugins/syntaxes/validate.c12
-rw-r--r--ldap/servers/plugins/syntaxes/value.c90
-rw-r--r--ldap/servers/plugins/usn/usn_cleanup.c11
33 files changed, 1001 insertions, 382 deletions
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index aa22d566..715ad1ea 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -358,8 +358,8 @@ acl_access_allowed(
if (oid && ((strcasecmp(oid, DN_SYNTAX_OID) == 0) ||
(strcasecmp(oid, NAMEANDOPTIONALUID_SYNTAX_OID) == 0))) {
/* should use slapi_sdn_compare() but that'a an extra malloc/free */
- char *dn_val_to_write = slapi_dn_normalize(slapi_ch_strdup(val->bv_val));
- if ( aclpb->aclpb_authorization_sdn &&
+ char *dn_val_to_write = slapi_create_dn_string("%s", val->bv_val);
+ if ( dn_val_to_write && aclpb->aclpb_authorization_sdn &&
slapi_utf8casecmp((ACLUCHP)dn_val_to_write, (ACLUCHP)
slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn)) == 0) {
access |= SLAPI_ACL_SELF;
@@ -754,9 +754,10 @@ static void print_access_control_summary( char *source, int ret_val, char *clien
if ( aclpb->aclpb_authorization_sdn != NULL ) {
- proxy_user = (char *)(aclpb->aclpb_authorization_sdn->ndn ?
- aclpb->aclpb_authorization_sdn->ndn:
- null_user);
+ proxy_user =
+ (char *)(slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn)?
+ slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn):
+ null_user);
slapi_log_error(loglevel, plugin_name,
"conn=%" NSPRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) to proxy (%s)"
@@ -1764,8 +1765,7 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
if (parent_DN == NULL) {
new_DN = new_RDN;
} else {
- new_DN = slapi_ch_smprintf("%s,%s", new_RDN, parent_DN);
- slapi_dn_normalize (new_DN);
+ new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN);
}
/* Change the acls */
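Review bot: `new_DN` can now be NULL when the `new_RDN,parent_DN` string fails validation, and nothing in this hunk tests it before the code under "Change the acls" runs. Other call sites in this commit check the result of slapi_create_dn_string() and log "Invalid syntax"; the same guard belongs here, for example `if (NULL == new_DN) { slapi_log_error(SLAPI_LOG_FATAL, plugin_name, "acl_modified: Invalid syntax: %s,%s\n", new_RDN, parent_DN); }` followed by skipping the ACL update. The code that consumes and frees new_DN lies outside the hunk, so confirm it tolerates NULL and only frees new_DN when it differs from new_RDN.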
@@ -2028,8 +2028,7 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
** We have a single ACI which we need to find if it applies to
** the resource or not.
*/
- if ((aci->aci_type & ACI_TARGET_DN) &&
- (aclpb->aclpb_curr_entry_sdn)) {
+ if ((aci->aci_type & ACI_TARGET_DN) && (aclpb->aclpb_curr_entry_sdn)) {
char *avaType;
struct berval *avaValue;
@@ -2246,10 +2245,10 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
*
*/
- if ((aclpb->aclpb_access & SLAPI_ACL_ADD &&
- aci->aci_type & ACI_TARGET_ATTR_ADD_FILTERS )||
- (aclpb->aclpb_access & SLAPI_ACL_DELETE &&
- aci->aci_type & ACI_TARGET_ATTR_DEL_FILTERS ) ) {
+ if (((aclpb->aclpb_access & SLAPI_ACL_ADD) &&
+ (aci->aci_type & ACI_TARGET_ATTR_ADD_FILTERS) )||
+ ((aclpb->aclpb_access & SLAPI_ACL_DELETE) &&
+ (aci->aci_type & ACI_TARGET_ATTR_DEL_FILTERS) ) ) {
Targetattrfilter **attrFilterArray;
@@ -2367,10 +2366,10 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
goto acl__resource_match_aci_EXIT;
}
- } else if ( (aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_ADD &&
- aci->aci_type & ACI_TARGET_ATTR_ADD_FILTERS) ||
- (aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_DEL &&
- aci->aci_type & ACI_TARGET_ATTR_DEL_FILTERS ) ) {
+ } else if ( ((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_ADD) &&
+ (aci->aci_type & ACI_TARGET_ATTR_ADD_FILTERS)) ||
+ ((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_DEL) &&
+ (aci->aci_type & ACI_TARGET_ATTR_DEL_FILTERS)) ) {
/*
@@ -2381,28 +2380,28 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
* match that filter.
*
*
- */
+ */
Targetattrfilter **attrFilterArray = NULL;
Targetattrfilter *attrFilter;
int found = 0;
- if (aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_ADD &&
- aci->aci_type & ACI_TARGET_ATTR_ADD_FILTERS) {
+ if ((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_ADD) &&
+ (aci->aci_type & ACI_TARGET_ATTR_ADD_FILTERS)) {
- attrFilterArray = aci->targetAttrAddFilters;
+ attrFilterArray = aci->targetAttrAddFilters;
- } else if (aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_DEL &&
- aci->aci_type & ACI_TARGET_ATTR_DEL_FILTERS) {
+ } else if ((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_DEL) &&
+ (aci->aci_type & ACI_TARGET_ATTR_DEL_FILTERS)) {
- attrFilterArray = aci->targetAttrDelFilters;
+ attrFilterArray = aci->targetAttrDelFilters;
}
/*
* Scan this filter list for an applicable filter.
- */
+ */
found = 0;
num_attrs = 0;
@@ -2435,7 +2434,7 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
attr_matched= acl__test_filter(aclpb->aclpb_filter_test_entry,
attrFilter->filter,
1 /* Do filter sense evaluation below */
- );
+ );
slapi_entry_free( aclpb->aclpb_filter_test_entry );
}
@@ -2452,8 +2451,6 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
*/
attr_matched_in_targetattrfilters = 1;
-
-
}
} /* targetvaluefilters */
@@ -3233,9 +3230,6 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
realval = tmp;
}
- slapi_dn_normalize (realval);
-
-
/* What we have built is a regular pattaren expression.
** Now we will compile the pattern and compare wth the string to
** see if the input string matches with the patteren or not.
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index 36bdd43c..3f4b4e62 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -119,7 +119,11 @@ static char* const aci_targetattr = "targetattr";
static char* const aci_targetattrfilters = "targattrfilters";
static char* const aci_targetfilter = "targetfilter";
+static char* const LDAP_URL_prefix_core = "ldap://";
+static char* const LDAPS_URL_prefix_core = "ldaps://";
+
static char* const LDAP_URL_prefix = "ldap:///";
+static char* const LDAPS_URL_prefix = "ldaps:///";
static char* const access_str_compare = "compare";
static char* const access_str_search = "search";
@@ -827,7 +831,7 @@ int acl_skip_access_check ( Slapi_PBlock *pb, Slapi_Entry *e );
int aclext_alloc_lockarray ();
-int aclutil_str_appened(char **str1, const char *str2);
+int aclutil_str_append(char **str1, const char *str2);
void aclutil_print_err (int rv , const Slapi_DN *sdn,
const struct berval* val, char **errbuf);
void aclutil_print_aci (aci_t *aci_item, char *type);
@@ -911,6 +915,7 @@ acl_replace_str(char * s, char *substr, char* replace_with);
int acl_strstr(char * s, char *substr);
int aclutil_evaluate_macro( char * rule, lasInfo *lasinfo,
acl_eval_types evalType );
+int aclutil_str_append_ext(char **dest, size_t *dlen, const char *src, size_t slen);
/* acl hash table functions */
void acl_ht_add_and_freeOld(acl_ht_t * acl_ht, PLHashNumber key,char *value);
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index 5e1d360b..d9494ec3 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -791,7 +791,7 @@ acl__done_aclpb ( struct acl_pblock *aclpb )
*/
/* Nothing needs to be cleaned up in this case */
- if ( !aclpb->aclpb_state & ACLPB_INITIALIZED)
+ if (!(aclpb->aclpb_state & ACLPB_INITIALIZED))
return;
/* Check the state */
diff --git a/ldap/servers/plugins/acl/aclanom.c b/ldap/servers/plugins/acl/aclanom.c
index 773dad2f..b1d15ca1 100644
--- a/ldap/servers/plugins/acl/aclanom.c
+++ b/ldap/servers/plugins/acl/aclanom.c
@@ -205,6 +205,7 @@ aclanom_gen_anomProfile (acl_lock_flag_t lock_flag)
/* see if this is a monitor acl */
if (( strcasecmp ( dn, "cn=monitor") == 0 ) ||
+ /* cn=monitor,cn=ldbm: No such object */
( strcasecmp ( dn, "cn=monitor,cn=ldbm") == 0 )) {
aci = acllist_get_next_aci ( NULL, aci, &cookie);
continue;
diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c
index 9afac079..acf856cc 100644
--- a/ldap/servers/plugins/acl/acleffectiverights.c
+++ b/ldap/servers/plugins/acl/acleffectiverights.c
@@ -170,7 +170,7 @@ _ger_g_permission_granted (
goto bailout;
}
- aclutil_str_appened ( errbuf, "get-effective-rights: requestor has no g permission on the entry" );
+ aclutil_str_append ( errbuf, "get-effective-rights: requestor has no g permission on the entry" );
slapi_log_error (SLAPI_LOG_ACL, plugin_name,
"_ger_g_permission_granted: %s\n", *errbuf);
rc = LDAP_INSUFFICIENT_ACCESS;
@@ -195,7 +195,10 @@ _ger_parse_control (
LDAPControl **requestcontrols;
struct berval *subjectber;
BerElement *ber;
- int subjectndnlen = 0;
+ size_t subjectndnlen = 0;
+ char *orig = NULL;
+ char *normed = NULL;
+ int rc = 0;
if (NULL == subjectndn)
{
@@ -215,7 +218,7 @@ _ger_parse_control (
if ( subjectber == NULL || subjectber->bv_val == NULL ||
subjectber->bv_len == 0 )
{
- aclutil_str_appened ( errbuf, "get-effective-rights: missing subject" );
+ aclutil_str_append ( errbuf, "get-effective-rights: missing subject" );
slapi_log_error (SLAPI_LOG_FATAL, plugin_name, "%s\n", *errbuf );
return LDAP_INVALID_SYNTAX;
}
@@ -227,23 +230,23 @@ _ger_parse_control (
* or base64 encoding string. Hence users using -J option in
* ldapsearch don't have to do BER encoding for the subject.
*/
- *subjectndn = slapi_ch_malloc ( subjectber->bv_len + 1 );
- strncpy ( *subjectndn, subjectber->bv_val, subjectber->bv_len );
- *(*subjectndn + subjectber->bv_len) = '\0';
+ orig = slapi_ch_malloc ( subjectber->bv_len + 1 );
+ strncpy ( orig, subjectber->bv_val, subjectber->bv_len );
+ *(orig + subjectber->bv_len) = '\0';
}
else
{
ber = ber_init (subjectber);
if ( ber == NULL )
{
- aclutil_str_appened ( errbuf, "get-effective-rights: ber_init failed for the subject" );
+ aclutil_str_append ( errbuf, "get-effective-rights: ber_init failed for the subject" );
slapi_log_error (SLAPI_LOG_FATAL, plugin_name, "%s\n", *errbuf );
return LDAP_OPERATIONS_ERROR;
}
/* "a" means to allocate storage as needed for octet string */
- if ( ber_scanf (ber, "a", subjectndn) == LBER_ERROR )
+ if ( ber_scanf (ber, "a", orig) == LBER_ERROR )
{
- aclutil_str_appened ( errbuf, "get-effective-rights: invalid ber tag in the subject" );
+ aclutil_str_append ( errbuf, "get-effective-rights: invalid ber tag in the subject" );
slapi_log_error (SLAPI_LOG_FATAL, plugin_name, "%s\n", *errbuf );
ber_free ( ber, 1 );
return LDAP_INVALID_SYNTAX;
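Review bot: The `ber_scanf (ber, "a", orig)` call passes `orig` by value, but the "a" conversion allocates the string and stores it through a pointer to the destination, as the old call did with `subjectndn`. `orig` is declared `char *orig = NULL;` earlier in this commit, so on this branch ber_scanf receives a null destination and `orig` is never set; the `strlen(orig)` in the next hunk then runs on NULL. The call should be `if ( ber_scanf (ber, "a", &orig) == LBER_ERROR )`. Because the subject comes from the client-supplied get-effective-rights control, a BER-encoded subject would likely be enough to reach this path.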
@@ -256,18 +259,32 @@ _ger_parse_control (
* (see section 9 of RFC 2829) only. It also only supports the "dnAuthzId"
* flavor, which looks like "dn:<DN>" where null <DN> is for anonymous.
*/
- subjectndnlen = strlen(*subjectndn);
- if ( NULL == *subjectndn || subjectndnlen < 3 ||
- strncasecmp ( "dn:", *subjectndn, 3 ) != 0 )
+ subjectndnlen = strlen(orig);
+ if ( NULL == orig || subjectndnlen < 3 || strncasecmp ( "dn:", orig, 3 ) != 0 )
{
- aclutil_str_appened ( errbuf, "get-effective-rights: subject is not dnAuthzId" );
+ aclutil_str_append ( errbuf, "get-effective-rights: subject is not dnAuthzId" );
slapi_log_error (SLAPI_LOG_FATAL, plugin_name, "%s\n", *errbuf );
+ slapi_ch_free_string(&orig);
return LDAP_INVALID_SYNTAX;
}
/* memmove is safe for overlapping copy */
- memmove ( *subjectndn, *subjectndn + 3, subjectndnlen - 2);/* 1 for '\0' */
- slapi_dn_normalize ( *subjectndn );
+ rc = slapi_dn_normalize_ext(orig + 3, 0, &normed, &subjectndnlen);
+ if (rc < 0) {
+ aclutil_str_append ( errbuf, "get-effective-rights: failed to normalize dn: ");
+ aclutil_str_append ( errbuf, orig);
+ slapi_log_error (SLAPI_LOG_FATAL, plugin_name, "%s\n", *errbuf );
+ slapi_ch_free_string(&orig);
+ return LDAP_INVALID_SYNTAX;
+ }
+ if (rc == 0) { /* orig+3 is passed in; not terminated */
+ *(normed + subjectndnlen) = '\0';
+ *subjectndn = slapi_ch_strdup(normed);
+ slapi_ch_free_string(&orig);
+ } else {
+ slapi_ch_free_string(&orig);
+ *subjectndn = normed;
+ }
return LDAP_SUCCESS;
}
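Review bot: The `strlen(orig)` call runs before the `NULL == orig` test on the next line, so the null check can never protect it; test the pointer first, e.g. `if ( NULL == orig || (subjectndnlen = strlen(orig)) < 3 || strncasecmp ( "dn:", orig, 3 ) != 0 )`. The comment `/* memmove is safe for overlapping copy */` is stale now that the memmove is gone and should be replaced with one describing the `orig + 3` skip over the "dn:" prefix. On the `rc < 0` path the error buffer names `orig` including the "dn:" prefix, which is fine, but it would help to document that a negative return means the DN was rejected rather than that an internal error occurred.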
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 9a57d7c8..9fbd25bb 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -480,6 +480,7 @@ DS_LASUserDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
int rc;
short len;
const size_t LDAP_URL_prefix_len = strlen(LDAP_URL_prefix);
+ const size_t LDAPS_URL_prefix_len = strlen(LDAPS_URL_prefix);
lasInfo lasinfo;
int got_undefined = 0;
@@ -530,15 +531,15 @@ DS_LASUserDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
** userdn = "ldap:///DN1 || ldap:///DN2"
*/
-
/* The DN is now "ldap:///DN"
** remove the "ldap:///" part
*/
- if (strncasecmp (user, LDAP_URL_prefix,
- LDAP_URL_prefix_len) == 0) {
+ if (strncasecmp (user, LDAP_URL_prefix, LDAP_URL_prefix_len) == 0) {
s_user = user;
user += LDAP_URL_prefix_len;
-
+ } else if (strncasecmp (user, LDAPS_URL_prefix, LDAPS_URL_prefix_len) == 0) {
+ s_user = user;
+ user += LDAPS_URL_prefix_len;
} else {
char ebuf[ BUFSIZ ];
slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
@@ -677,8 +678,19 @@ DS_LASUserDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
slapi_filter_free(f,1);
} else {
/* Must be a simple dn then */
- if (slapi_utf8casecmp((ACLUCHP)lasinfo.clientDn,
- (ACLUCHP)slapi_dn_normalize(user)) == 0) {
+ char *normed = NULL;
+ size_t dnlen = 0;
+ rc = slapi_dn_normalize_ext(user, 0, &normed, &dnlen);
+ if (rc == 0) { /* user passed in; not terminated */
+ *(normed + dnlen) = '\0';
+ } else if (rc < 0) { /* normalization failed, user the original */
+ normed = user;
+ }
+ rc = slapi_utf8casecmp((ACLUCHP)lasinfo.clientDn, (ACLUCHP)normed);
+ if (normed != user) {
+ slapi_ch_free_string(&normed);
+ }
+ if (0 == rc) {
matched = ACL_TRUE;
break;
}
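Review bot: When slapi_dn_normalize_ext() fails (`rc < 0`) the comparison silently falls back to the raw `user` string, whereas the other call sites changed in this file log "Invalid syntax" and fail the evaluation. For an access-control decision a malformed userdn should at least be logged, e.g. `slapi_log_error(SLAPI_LOG_FATAL, plugin_name, "DS_LASUserDnEval: Invalid syntax: %s\n", user);`, and arguably treated as no match. The comment `/* normalization failed, user the original */` should read "use the original". `rc` is the function-level variable declared above the hunk and is overwritten twice here, so check that no later code relies on its earlier value.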
@@ -1274,8 +1286,14 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
while ( j != -1 ) {
attrVal = slapi_value_get_berval ( sval );
/* Here if atleast 1 value matches then we are done.*/
- val = slapi_dn_normalize (
- slapi_ch_strdup( attrVal->bv_val));
+ val = slapi_create_dn_string("%s", attrVal->bv_val);
+ if (NULL == val) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "DS_LASUserDnAttrEval: Invalid syntax: %s\n",
+ attrVal->bv_val );
+ slapi_ch_free ( (void**) &s_attrName);
+ return LAS_EVAL_FAIL;
+ }
if (slapi_utf8casecmp((ACLUCHP)val, (ACLUCHP)lasinfo.clientDn ) == 0) {
char ebuf [ BUFSIZ ];
@@ -2380,7 +2398,13 @@ acllas__handle_group_entry (Slapi_Entry* e, void *callback_data)
while ( i != -1 ) {
struct member_info *groupMember = NULL;
attrVal = slapi_value_get_berval ( sval );
- n_dn = slapi_dn_normalize ( slapi_ch_strdup( attrVal->bv_val ));
+ n_dn = slapi_create_dn_string( attrVal->bv_val );
+ if (NULL == n_dn) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__handle_group_entry: Invalid syntax: %s\n",
+ attrVal->bv_val );
+ return 0;
+ }
n = ++info->lu_idx;
if (n < 0) {
slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
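Review bot: `slapi_create_dn_string( attrVal->bv_val )` passes the member attribute value as the format string, unlike every other call in this commit, which uses `"%s"`. A value containing `%` would be interpreted as conversion specifiers with no matching arguments, which is undefined behaviour driven by directory data. Change the line to `n_dn = slapi_create_dn_string("%s", attrVal->bv_val);`. The early `return 0` also abandons the remaining members of the group, so confirm that skipping the rest of the entry is intended rather than continuing with the next value.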
@@ -2433,7 +2457,14 @@ acllas__handle_group_entry (Slapi_Entry* e, void *callback_data)
*/
if (strncasecmp( attrVal->bv_val, "ldap://",7) == 0 ||
strncasecmp( attrVal->bv_val, "ldaps://",8) == 0) {
- savURL = memberURL = slapi_ch_strdup ( attrVal->bv_val);
+ savURL = memberURL =
+ slapi_create_dn_string("%s", attrVal->bv_val);
+ if (NULL == savURL) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__handle_group_entry: Invalid syntax: %s\n",
+ attrVal->bv_val );
+ return 0;
+ }
slapi_log_error( SLAPI_LOG_ACL, plugin_name,
"ACL Group Eval:MemberURL:%s\n", memberURL);
info->result = acllas__client_match_URL (
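Review bot: On this branch `attrVal->bv_val` is an LDAP URL (the guard just above matched `ldap://` or `ldaps://`), yet it is run through slapi_create_dn_string(), which the rest of this commit uses to validate and normalize DNs. Unless that function is known to accept a full URL with its `?attrs?scope?filter` tail, valid memberURL values may be rejected here or rewritten before acllas__client_match_URL() sees them. That function already normalizes the DN portion of the URL itself in this commit, so keeping `savURL = memberURL = slapi_ch_strdup ( attrVal->bv_val);` would leave URL handling in one place.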
@@ -2656,8 +2687,13 @@ DS_LASGroupDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
attr_i= slapi_attr_first_value ( attr,&sval );
while ( attr_i != -1 ) {
attrVal = slapi_value_get_berval ( sval );
- n_groupdn = slapi_dn_normalize(
- slapi_ch_strdup( attrVal->bv_val));
+ n_groupdn = slapi_create_dn_string("%s", attrVal->bv_val);
+ if (NULL == n_groupdn) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "DS_LASGroupDnAttrEval: Invalid syntax: %s\n",
+ attrVal->bv_val );
+ return 0;
+ }
matched = acllas__user_ismember_of_group (
lasinfo.aclpb, n_groupdn, lasinfo.clientDn,
ACLLAS_CACHE_MEMBER_GROUPS,
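Review bot: The failure path returns a bare `0`, while the same check added to DS_LASUserDnAttrEval and DS_LASRoleDnAttrEval in this commit returns `LAS_EVAL_FAIL`, and DS_LASUserDnAttrEval also releases `s_attrName` first. Use `return LAS_EVAL_FAIL;` here so the caller receives one of the evaluation codes it expects. Anything this function has allocated by this point is outside the hunk, so check whether it needs the same cleanup before returning.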
@@ -2855,6 +2891,7 @@ acllas__eval_memberGroupDnAttr (char *attrName, Slapi_Entry *e,
char *curMemberDn;
int Done = 0;
int ngr, tt;
+ char *normed = NULL;
/* Add the scope to the list of scopes */
if (aclpb->aclpb_numof_bases >= (aclpb->aclpb_grpsearchbase_size-1)) {
@@ -2866,9 +2903,15 @@ acllas__eval_memberGroupDnAttr (char *attrName, Slapi_Entry *e,
sizeof (char *));
aclpb->aclpb_grpsearchbase_size += ACLPB_INCR_BASES;
}
- aclpb->aclpb_grpsearchbase[aclpb->aclpb_numof_bases++] =
- slapi_dn_normalize(slapi_ch_strdup(base));
-
+ normed = slapi_create_dn_string("%s", base);
+ if (NULL == normed) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__eval_memberGroupDnAttr: Invalid syntax: %s\n",
+ base );
+ slapi_ch_free ( (void **)&s_str );
+ return ACL_FALSE;
+ }
+ aclpb->aclpb_grpsearchbase[aclpb->aclpb_numof_bases++] = normed;
/* Set up info to do a search */
attrs[0] = type_member;
attrs[1] = type_uniquemember;
@@ -2991,8 +3034,14 @@ acllas__eval_memberGroupDnAttr (char *attrName, Slapi_Entry *e,
while ( k != -1 ) {
char *n_attrval;
attrVal = slapi_value_get_berval ( sval );
- n_attrval = slapi_ch_strdup( attrVal->bv_val);
- n_attrval = slapi_dn_normalize (n_attrval);
+ n_attrval = slapi_create_dn_string("%s", attrVal->bv_val);
+ if (NULL == n_attrval) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__eval_memberGroupDnAttr: Invalid syntax: %s\n",
+ attrVal->bv_val );
+ slapi_ch_free ( (void **)&s_str );
+ return ACL_FALSE;
+ }
/* We support: The attribute value can be a USER or a GROUP.
** Let's compare with the client, thi might be just an user. If it is not
@@ -3147,7 +3196,13 @@ acllas__verify_client (Slapi_Entry* e, void *callback_data)
i = slapi_attr_first_value ( attr,&sval );
while ( i != -1 ) {
attrVal = slapi_value_get_berval ( sval );
- val = slapi_dn_normalize(slapi_ch_strdup(attrVal->bv_val));
+ val = slapi_create_dn_string("%s", attrVal->bv_val);
+ if (NULL == val) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__verify_client: Invalid syntax: %s\n",
+ attrVal->bv_val );
+ return 0;
+ }
if (slapi_utf8casecmp((ACLUCHP)val, (ACLUCHP)info->clientdn ) == 0) {
info->result = 1;
@@ -3235,7 +3290,12 @@ acllas__get_members (Slapi_Entry* e, void *callback_data)
i = slapi_attr_first_value ( attr,&sval );
while ( i != -1 ) {
attrVal =slapi_value_get_berval ( sval );
- info->member[i] = slapi_dn_normalize ( slapi_ch_strdup(attrVal->bv_val));
+ info->member[i] = slapi_create_dn_string ("%s", attrVal->bv_val);
+ if (NULL == info->member[i]) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__get_members: Invalid syntax: %s\n",
+ attrVal->bv_val );
+ }
i = slapi_attr_next_value ( attr, i, &sval );
}
return 0;
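Review bot: On a normalization failure `info->member[i]` is left NULL and the loop simply continues, so the member array handed back through `info` can contain NULL slots. The consumers of that array are outside this hunk; unless they already skip NULL entries, either do not store the failed value or document the contract with a comment such as `/* member[i] stays NULL for values that are not valid DNs; callers must skip them */`.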
@@ -3426,7 +3486,17 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
LDAPURLDesc *ludp;
int rc;
Slapi_Filter *f = NULL;
-
+ char *rawdn = NULL;
+ char *dn = NULL;
+ size_t dnlen = 0;
+ char *p = NULL;
+ char *normed = NULL;
+ /* ldap(s)://host:port/suffix?attrs?scope?filter */
+ const size_t LDAP_URL_prefix_len = strlen(LDAP_URL_prefix_core);
+ const size_t LDAPS_URL_prefix_len = strlen(LDAPS_URL_prefix_core);
+ size_t prefix_len = 0;
+ char Q = '?';
+ char *hostport = NULL;
/* Get the client's entry if we don't have already */
if ( aclpb && ( NULL == aclpb->aclpb_client_entry )) {
@@ -3459,23 +3529,83 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
}
if ( NULL == aclpb->aclpb_client_entry ) {
- slapi_log_error ( SLAPI_LOG_ACL, plugin_name,
- "DS_LASUserAttrEval: Unable to get client's entry\n");
+ slapi_log_error (SLAPI_LOG_ACL, plugin_name,
+ "acllas__client_match_URL: Unable to get client's entry\n");
return ACL_FALSE;
}
- if (( rc = ldap_url_parse( url, &ludp)) != 0 ) {
+ /* DN potion of URL must be normalized before calling ldap_url_parse.
+ * lud_dn is pointing at the middle of lud_string.
+ * lud_dn won't be freed in ldap_free_urldesc.
+ */
+ /* remove the "ldap{s}:///" part */
+ if (strncasecmp (url, LDAP_URL_prefix, LDAP_URL_prefix_len) == 0) {
+ prefix_len = LDAP_URL_prefix_len;
+ } else if (strncasecmp (url, LDAPS_URL_prefix, LDAPS_URL_prefix_len) == 0) {
+ prefix_len = LDAPS_URL_prefix_len;
+ } else {
+ slapi_log_error (SLAPI_LOG_ACL, plugin_name,
+ "acllas__client_match_URL: url %s does not include ldap prefix: %s\n", url);
+ return ACL_FALSE;
+ }
+ rawdn = url + prefix_len; /* ldap(s)://host:port/... or ldap(s):///... */
+ /* rawdn at ^ or ^ */
+ /* let rawdn point the suffix */
+ if ('/' == *(rawdn+1)) { /* ldap(s):/// */
+ rawdn += 2;
+ hostport = "/";
+ } else {
+ char *tmpp = rawdn;
+ rawdn = strchr(tmpp, '/');
+ size_t hostport_len = 0;
+ if (NULL == rawdn) {
+ slapi_log_error (SLAPI_LOG_ACL, plugin_name,
+ "acllas__client_match_URL: url %s does not include correct ldap prefix: %s\n", url);
+ return ACL_FALSE;
+ }
+ hostport_len = ++rawdn - tmpp; /* ldap(s)://host:port/... */
+ /* <--------> */
+ hostport = (char *)slapi_ch_malloc(hostport_len + 1);
+ memcpy(hostport, tmpp, hostport_len);
+ *(hostport+hostport_len) = '\0';
+ }
+ p = strchr(rawdn, Q);
+ if (p) {
+ /* url has scope and/or filter: ldap(s):///suffix?attr?scope?filter */
+ *p = '\0';
+ }
+ rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
+ if (rc < 0) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__client_match_URL: Invalid syntax: %s\n", url);
+ return ACL_FALSE;
+ } else if (rc == 0) { /* url is passed in and not terminated with NULL*/
+ *(dn + dnlen) = '\0';
+ }
+ if (p) {
+ *p = Q;
+ }
+ normed = slapi_ch_smprintf("%s%s%s%s",
+ (prefix_len==LDAP_URL_prefix_len)?
+ LDAP_URL_prefix_core:LDAPS_URL_prefix_core,
+ hostport, dn, p?p:"");
+ if (rc > 0) {
+ /* dn was allocated in slapi_dn_normalize_ext */
+ slapi_ch_free_string(&dn);
+ }
+ if ('/' != *hostport) {
+ slapi_ch_free_string(&hostport);
+ }
+ rc = ldap_url_parse(normed, &ludp);
+ slapi_ch_free_string(&normed);
+ if (rc) {
return ACL_FALSE;
-
}
if ( ( NULL == ludp->lud_dn) || ( NULL == ludp->lud_filter) ) {
ldap_free_urldesc( ludp );
return ACL_FALSE;
}
- /* Normalize in place the dn */
- slapi_dn_normalize ( ludp->lud_dn );
-
/* Check the scope */
if ( ludp->lud_scope == LDAP_SCOPE_SUBTREE ) {
if (!slapi_dn_issuffix(n_clientdn, ludp->lud_dn)) {
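Review bot: Both new "does not include ... ldap prefix" log calls use a format with two `%s` conversions but pass only `url`, which is undefined behaviour; drop the trailing `: %s` so the format reads `"acllas__client_match_URL: url %s does not include ldap prefix\n"`. The `rc < 0` return after slapi_dn_normalize_ext() leaves the caller's `url` truncated at `p` and does not release `hostport`; a corrected version of that block follows. The `'/' == *(rawdn+1)` test also looks off by one: after skipping `ldap://`, rawdn already points at the third slash of `ldap:///dn`, so that form appears to take the else branch, allocate a one-byte "/" hostport, and never free it because the later `'/' != *hostport` test is false. Testing `'/' == *rawdn` and advancing by one would match the comment. The function continues past the end of this hunk.

```c
rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
if (rc < 0) {
    if (p) {
        *p = Q; /* restore the caller's url before logging and returning */
    }
    slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
                     "acllas__client_match_URL: Invalid syntax: %s\n", url);
    /* same ownership test the hunk uses further down */
    if ('/' != *hostport) {
        slapi_ch_free_string(&hostport);
    }
    return ACL_FALSE;
}
/* … unchanged: rc == 0 termination, URL rebuild, ldap_url_parse … */
```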
@@ -3777,8 +3907,13 @@ DS_LASRoleDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
Slapi_DN *roleDN;
attrVal = slapi_value_get_berval ( sval );
- n_attrval = slapi_ch_strdup( attrVal->bv_val);
- n_attrval = slapi_dn_normalize (n_attrval);
+ n_attrval = slapi_create_dn_string("%s", attrVal->bv_val);
+ if (NULL == n_attrval) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "DS_LASRoleDnAttrEval: Invalid syntax: %s\n",
+ attrVal->bv_val );
+ return LAS_EVAL_FAIL;
+ }
roleDN = slapi_sdn_new_dn_byval(n_attrval);
/* We support: The attribute value can be a USER or a GROUP.
@@ -3831,14 +3966,12 @@ DS_LASRoleDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
* returns: ACL_TRUE for matched,
* ACL_FALSE for matched.
* ACL_DONT_KNOW otherwise.
- *
- *
-*/
+ */
int
aclutil_evaluate_macro( char * rule, lasInfo *lasinfo,
- acl_eval_types evalType ) {
-
+ acl_eval_types evalType )
+{
int matched = 0;
aci_t *aci;
char *matched_val = NULL;
diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c
index 8d4a21a0..0c8d0fa3 100644
--- a/ldap/servers/plugins/acl/aclparse.c
+++ b/ldap/servers/plugins/acl/aclparse.c
@@ -50,7 +50,6 @@ static int __aclp__sanity_check_acltxt(aci_t *aci_item, char *str);
static char * __aclp__normalize_acltxt (aci_t *aci_item, char *str);
static char * __aclp__getNextLASRule(aci_t *aci_item, char *str,
char **endOfCurrRule);
-static char * __aclp__dn_normalize( char *dn , char *end);
static int __aclp__get_aci_right ( char *str);
static int __aclp__init_targetattr (aci_t *aci, char *attr_val);
static int __acl__init_targetattrfilters( aci_t *aci_item, char *str);
@@ -239,10 +238,10 @@ __aclp__parse_aci (char *str, aci_t *aci_item)
/*
- * The targetattrfilters bit looks like this:
- * (targetattrfilters="add= attr1:F1 && attr2:F2 ... && attrn:Fn,
- * del= attr1:F1 && attr2:F2... && attrn:Fn")
- */
+ * The targetattrfilters bit looks like this:
+ * (targetattrfilters="add= attr1:F1 && attr2:F2 ... && attrn:Fn,
+ * del= attr1:F1 && attr2:F2... && attrn:Fn")
+ */
if ( 0 != (rv= __acl__init_targetattrfilters(
aci_item, str))) {
return rv;
@@ -256,15 +255,14 @@ __aclp__parse_aci (char *str, aci_t *aci_item)
}
/* Get individual components of the targetattr.
* (targetattr = "cn || u* || phone ||tel:add:(tel=1234)
- * || sn:del:(gn=5678)")
- * If it contains a value filter, the type will also be
- * ACI_TARGET_VALUE_ATTR.
- */
- if ( 0 != (rv= __aclp__init_targetattr(
- aci_item, str))) {
+ * || sn:del:(gn=5678)")
+ * If it contains a value filter, the type will also be
+ * ACI_TARGET_VALUE_ATTR.
+ */
+ if (0 != (rv = __aclp__init_targetattr(aci_item, str))) {
return rv;
}
- } else if (strncmp(str, aci_targetfilter,tfilterlen ) == 0) {
+ } else if (strncmp(str, aci_targetfilter,tfilterlen ) == 0) {
if ( aci_item->targetFilter)
return ACL_SYNTAX_ERR;
@@ -311,8 +309,8 @@ __aclp__parse_aci (char *str, aci_t *aci_item)
} else if (strncmp(str, aci_targetdn, targetdnlen) == 0) {
char *tstr = NULL;
- const size_t LDAP_URL_prefix_len = strlen (LDAP_URL_prefix);
- char *tt;
+ size_t LDAP_URL_prefix_len = 0;
+ size_t tmplen = 0;
type = ACI_TARGET_DN;
/* Keep a copy of the target attr */
if (aci_item->target) {
@@ -322,30 +320,40 @@ __aclp__parse_aci (char *str, aci_t *aci_item)
type |= ACI_TARGET_NOT;
strncpy(s, " ", 1);
}
-
- /* Convert it to lower as slapi_dn_normalize() does not */
- for (tt = str; *tt; tt++) *tt = TOLOWER ( *tt );
-
if ( (s = strchr( str, '=' )) != NULL ) {
value = s + 1;
- slapi_dn_normalize(value);
+ __acl_strip_leading_space(&value);
len = strlen ( value );
- if (*value == '"' && value[len-1] == '"'){
+ /* strip double quotes */
+ if (*value == '"' && value[len-1] == '"') {
value[len-1] = '\0';
value++;
}
__acl_strip_leading_space(&value);
- } else {
+ } else {
return ( ACL_SYNTAX_ERR );
}
-
- if ( strncasecmp ( value, LDAP_URL_prefix , LDAP_URL_prefix_len) )
+ if (0 ==
+ strncasecmp(value, LDAP_URL_prefix, strlen(LDAP_URL_prefix))) {
+ LDAP_URL_prefix_len = strlen(LDAP_URL_prefix);
+ } else if (0 == strncasecmp(value, LDAPS_URL_prefix,
+ strlen(LDAPS_URL_prefix))) {
+ LDAP_URL_prefix_len = strlen(LDAPS_URL_prefix);
+ } else {
return ( ACL_SYNTAX_ERR );
+ }
value += LDAP_URL_prefix_len;
- len = strlen ( value );
- tstr = (char *) slapi_ch_malloc ( targetdnlen + len + 4 );
- sprintf ( tstr, "(target=%s)", value);
+ rv = slapi_dn_normalize_case_ext(value, 0, &tmpstr, &tmplen);
+ if (rv < 0) {
+ return ACL_SYNTAX_ERR;
+ } else if (rv == 0) { /* value passed in; not null terminated */
+ *(tmpstr + tmplen) = '\0';
+ }
+ tstr = slapi_ch_smprintf("(target=%s)", tmpstr);
+ if (rv > 0) {
+ slapi_ch_free_string(&tmpstr);
+ }
if ( (rv = acl_check_for_target_macro( aci_item, value)) == -1) {
slapi_ch_free ( (void **) &tstr );
return(ACL_SYNTAX_ERR);
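Review bot: After normalization the filter text is built from `tmpstr`, but `acl_check_for_target_macro( aci_item, value)` still receives `value`, which holds the normalized DN only when slapi_dn_normalize_case_ext() worked in place (`rv == 0`). When it returns a new buffer (`rv > 0`) the macro check and the target filter see different strings; passing the normalized text to both and freeing `tmpstr` after the macro check would keep them in step. `tmpstr` is declared outside this hunk. It is also worth confirming that the normalizer accepts target values that contain macros, since a negative return now rejects the whole ACI with ACL_SYNTAX_ERR.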
@@ -356,7 +364,7 @@ __aclp__parse_aci (char *str, aci_t *aci_item)
/* it's a normal target with no macros inside */
f = slapi_str2filter ( tstr );
}
- slapi_ch_free ( (void **) &tstr );
+ slapi_ch_free_string ( &tstr );
} else {
/* did start with a 't' but was not a recognsied keyword */
return(ACL_SYNTAX_ERR);
@@ -492,20 +500,86 @@ __aclp__sanity_check_acltxt (aci_t *aci_item, char *str)
slapi_log_error(SLAPI_LOG_ACL, plugin_name, "Normalized String:%s\n", newstr);
/* check for acl syntax error */
- if ((handle = (ACLListHandle_t *) ACL_ParseString(&errp,
- newstr)) == NULL) {
+ if ((handle = (ACLListHandle_t *) ACL_ParseString(&errp, newstr)) == NULL) {
acl_print_acllib_err(&errp, str);
- slapi_ch_free ( (void **) &newstr );
+ slapi_ch_free_string(&newstr);
return ACL_SYNTAX_ERR;
} else {
/* get the rights and the aci type */
aci_item->aci_handle = handle;
nserrDispose(&errp);
- slapi_ch_free ( (void **) &newstr );
+ slapi_ch_free_string(&newstr);
return 0;
}
}
+
+/*
+ * If the src includes "ldap(s):///<dn>", normalize <dn> and copy
+ * the string starting from start to *dest.
+ * If isstrict is non-zero, if ldap(s):/// is not included in the src
+ * string, it returns an error (-1).
+ * If isstrict is zero, the string is copied as is.
+ *
+ * return value: 0 or positive: success
+ * negative: failure
+ */
+int
+__aclp__copy_normalized_str (char *src, char *endsrc, char *start,
+ char **dest, size_t *destlen, int isstrict)
+{
+ char *p = NULL;
+ int rc = -1;
+ char *dn = NULL;
+ size_t dnlen = 0;
+
+ p = PL_strnstr(src, LDAP_URL_prefix, endsrc - src);
+ if (p) {
+ p += strlen(LDAP_URL_prefix);
+ } else {
+ p = PL_strnstr(src, LDAPS_URL_prefix, endsrc - src);
+ if (p) {
+ p += strlen(LDAPS_URL_prefix);
+ }
+ }
+
+ if (isstrict && ((NULL == p) || 0 == strlen(p))) {
+ return rc; /* error */
+ }
+
+ rc = 0;
+ if (p && strlen(p) > 0) {
+ size_t len = 0;
+ /* strip the string starting from ? */
+ char *q = PL_strnchr(p, '?', endsrc - p);
+ if (q) {
+ len = q - p;
+ } else {
+ len = endsrc - p;
+ }
+ /* Normalize the value of userdn and append it to ret_str */
+ rc = slapi_dn_normalize_ext(p, len, &dn, &dnlen);
+ if (rc < 0) {
+ return rc;
+ }
+ /* append up to ldap(s):/// */
+ aclutil_str_append_ext(dest, destlen, start, p - start);
+ /* append the DN part */
+ aclutil_str_append_ext(dest, destlen, dn, dnlen);
+ if (rc > 0) { /* if rc == 0, p is passed in */
+ slapi_ch_free_string(&dn);
+ }
+ if (q) {
+ /* append the rest from '?' */
+ aclutil_str_append_ext(dest, destlen, q, endsrc - q);
+ }
+ } else {
+ aclutil_str_append_ext(dest, destlen, start, endsrc - start);
+ }
+
+ return rc;
+}
+
/******************************************************************************
*
* acl__normalize_acltxt
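Review bot: `__aclp__copy_normalized_str` bounds its searches with `endsrc` but then tests `strlen(p)`, which reads up to the NUL terminator rather than up to `endsrc`. If the `ldap(s):///` prefix ends exactly at `endsrc`, `len` becomes 0 and `slapi_dn_normalize_ext(p, 0, ...)` is called with the length that other call sites in this commit use for NUL-terminated input, so text past `endsrc` could be normalized. Compare against the bound instead: `if (isstrict && ((NULL == p) || p >= endsrc))` and `if (p && p < endsrc)`. The function should also be `static` like the other `__aclp__` helpers declared at the top of this file unless another file calls it, and the return values of aclutil_str_append_ext() are ignored throughout.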
@@ -534,23 +608,25 @@ __aclp__normalize_acltxt ( aci_t * aci_item, char * str )
char *s, *p;
char *end;
char *aclstr, *s_aclstr;
+ char *prevend = NULL;
char *ret_str = NULL;
+ size_t retstr_len = 0;
int len;
- char *ptr, *aclName;
+ char *aclName;
char *nextACE;
char *tmp_str = NULL;
char *acestr = NULL;
char *s_acestr = NULL;
int aci_rights_val = 0; /* bug 389975 */
+ int rc = 0;
/* make a copy first */
s_aclstr = aclstr = slapi_ch_strdup ( str );
/* The rules are like this version 3.0; acl "xyz"; rule1; rule2; */
s = strchr (aclstr, ';');
- if ( NULL == s) {
- slapi_ch_free ( (void **) &s_aclstr );
- return NULL;
+ if (NULL == s) {
+ goto error;
}
aclstr = ++s;
@@ -564,9 +640,8 @@ __aclp__normalize_acltxt ( aci_t * aci_item, char * str )
aclName = s+3;
s = strchr (aclstr, ';');
- if ( NULL == s) {
- slapi_ch_free ( (void **) &s_aclstr );
- return NULL;
+ if (NULL == s) {
+ goto error;
}
aclstr = s;
@@ -576,8 +651,10 @@ __aclp__normalize_acltxt ( aci_t * aci_item, char * str )
/* Here aclName is the acl description string */
aci_item->aclName = slapi_ch_strdup ( aclName );
- aclutil_str_appened (&ret_str, s_aclstr);
- aclutil_str_appened (&ret_str, ";");
+ retstr_len = strlen(str) * 3;
+ ret_str = (char *)slapi_ch_calloc(sizeof(char), retstr_len);
+ aclutil_str_append_ext (&ret_str, &retstr_len, s_aclstr, strlen(s_aclstr));
+ aclutil_str_append_ext (&ret_str, &retstr_len, ";", 1);
/* start with the string */
acestr = aclstr;
@@ -586,37 +663,34 @@ __aclp__normalize_acltxt ( aci_t * aci_item, char * str )
* Here acestr is something like:
*
* " allow (all) groupdn = "ldap:///cn=Domain Administrators, o=$dn.o, o=ISP";)"
- *
- *
- */
+ */
normalize_nextACERule:
/* now we are in the rule part */
tmp_str = acestr;
s = strchr (tmp_str, ';');
- if ( s == NULL) {
- if (ret_str) slapi_ch_free ( (void **) &ret_str );
- slapi_ch_free ( (void **) &s_aclstr );
- return NULL;
+ if (s == NULL) {
+ goto error;
}
+
nextACE = s;
LDAP_UTF8INC(nextACE);
*s = '\0';
- /* acestr now will hold copy of the ACE. Also add
+ /* acestr now will hold copy of the ACE. Also add
** some more space in case we need to add "absolute"
- ** for deny rule. We will never need more 2 times
- ** the len.
+ ** for deny rule. We will never need more 3 times
+ ** the len (even if all the chars are escaped).
*/
__acl_strip_leading_space(&tmp_str);
len = strlen (tmp_str);
- s_acestr = acestr = slapi_ch_calloc ( 1, 2 * len);
+ s_acestr = acestr = slapi_ch_calloc (1, 3 * len);
/*
* Now it's something like:
* allow (all) groupdn = "ldap:///cn=Domain Administrators, o=$dn.o, o=ISP";
- */
+ */
if (strncasecmp(tmp_str, "allow", 5) == 0) {
memcpy(acestr, tmp_str, len);
tmp_str += 5;
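Review bot: The new size `3 * len` scales with the ACE length, but the deny branch (context lines in the -652 hunk) first copies the fixed 13-byte `"deny absolute"` prefix into acestr, so for a very short ACE the allocation can be smaller than the prefix alone. Unless lines outside these hunks reject such input before the two memcpy calls, the write runs past the buffer and the following `strchr(acestr, ')')` scans unterminated memory. Adding the constant to the size closes this: `s_acestr = acestr = slapi_ch_calloc (1, 3 * len + sizeof("deny absolute"));`. The comment above it should also say what the factor of three covers, since the normalized DN is now appended to ret_str rather than written back into acestr. The function body starts and ends outside this hunk.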
@@ -624,6 +698,14 @@ normalize_nextACERule:
aci_rights_val = __aclp__get_aci_right (tmp_str);/* bug 389975 */
aci_item->aci_type |= ACI_HAS_ALLOW_RULE;
+ s = strchr(acestr, ')');
+ if (NULL == s) {
+ /* wrong syntax */
+ goto error;
+ }
+ /* add "allow(rights...)" */
+ aclutil_str_append_ext(&ret_str, &retstr_len, acestr, s - acestr + 1);
+ prevend = s + 1;
} else if (strncasecmp(tmp_str, "deny", 4) == 0) {
char *d_rule ="deny absolute";
/* Then we have to add "absolute" to the deny rule
@@ -652,6 +734,15 @@ normalize_nextACERule:
len = strlen ( d_rule );
memcpy (acestr, d_rule, len );
memcpy (acestr+len, tmp_str, strlen (tmp_str) );
+
+ s = strchr(acestr, ')');
+ if (NULL == s) {
+ /* wrong syntax */
+ goto error;
+ }
+ /* add "deny(rights...)" */
+ aclutil_str_append_ext(&ret_str, &retstr_len, acestr, s - acestr + 1);
+ prevend = s + 1;
} else {
/* wrong syntax */
aci_rights_val = -1 ;
@@ -659,32 +750,32 @@ normalize_nextACERule:
if (aci_rights_val == -1 )
{
/* wrong syntax */
- slapi_ch_free ( (void **) &ret_str );
- slapi_ch_free ( (void **) &s_acestr );
- slapi_ch_free ( (void **) &s_aclstr );
- return NULL;
+ goto error;
} else
- aci_item->aci_access |= aci_rights_val;
+ aci_item->aci_access |= aci_rights_val;
-
- /* Normalize all the DNs in the userdn rule */
-
+ /* Normalize all the DNs in the userdn, groupdn, roledn rules */
/*
*
* Here acestr starts like this:
- * " allow (all) groupdn = "ldap:///cn=Domain Administrators, o=$dn.o, o=ISP"
- */
-
+ * " allow (all) groupdn = "ldap:///cn=Domain Administrators,o=$dn.o,o=ISP"
+ */
s = __aclp__getNextLASRule(aci_item, acestr, &end);
while ( s ) {
- if ( 0 == strncmp ( s, DS_LAS_USERDNATTR, 10) ||
- ( 0 == strncmp ( s, DS_LAS_USERATTR, 8))) {
+ if ( (0 == strncmp(s, DS_LAS_USERDNATTR, 10)) ||
+ (0 == strncmp(s, DS_LAS_USERATTR, 8)) ) {
/*
** For userdnattr/userattr rule, the resources changes and hence
** we cannot cache the result. See above for more comments.
*/
aci_item->aci_elevel = ACI_ELEVEL_USERDNATTR;
- } else if ( 0== strncmp ( s, DS_LAS_USERDN, 6)) {
+
+ rc = __aclp__copy_normalized_str(s, end, prevend,
+ &ret_str, &retstr_len, 0);
+ if (rc < 0) {
+ goto error;
+ }
+ } else if ( 0 == strncmp ( s, DS_LAS_USERDN, 6)) {
p = strstr ( s, "=");
p--;
if ( strncmp (p, "!=", 2) == 0)
@@ -699,22 +790,12 @@ normalize_nextACERule:
* which would ensure that acl info is not cached from
* one resource entry to the next. (bug 558519)
*/
- p = strstr ( p, "ldap");
- if (p == NULL) {
- /* must start with ldap */
- if (s_acestr) slapi_ch_free ( (void **) &s_acestr );
- if (ret_str) slapi_ch_free ( (void **) &ret_str );
- slapi_ch_free ( (void **) &s_aclstr );
- return (NULL);
- }
- p += 8; /* for ldap:/// */
- if( __aclp__dn_normalize (p, end) == NULL) {
- if (s_acestr) slapi_ch_free ( (void **) &s_acestr );
- if (ret_str) slapi_ch_free ( (void **) &ret_str );
- slapi_ch_free ( (void **) &s_aclstr );
- return (NULL);
+ rc = __aclp__copy_normalized_str(s, end, prevend,
+ &ret_str, &retstr_len, 1);
+ if (rc < 0) {
+ goto error;
}
-
+
/* we have a rule like userdn = "ldap:///blah". s points to blah now.
** let's find if we have a SELF rule like userdn = "ldap:///self".
** Since the resource changes on entry basis, we can't cache the
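Review bot: `p` is left where the `!=` test put it, because the removed `p = strstr ( p, "ldap");` and `p += 8;` lines have no replacement after the call to `__aclp__copy_normalized_str`. The groupdn and roledn hunks below drop the same lines and then still call `__aclp_chk_paramRules ( aci_item, p, end )`, so that helper now receives a pointer to the operator instead of the DN. The normalized DN is also written only to ret_str, so any later code that inspects acestr reads the original, un-normalized text. If those readers expect the DN start, have the helper hand back that position (or recompute it after the call), and correct the context comment here that says the pointer is at the DN. The function body starts and ends outside this hunk.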
@@ -750,6 +831,12 @@ normalize_nextACERule:
aci_item->aci_elevel = ACI_ELEVEL_GROUPDNATTR;
}
aci_item->aci_ruleType |= ACI_GROUPDNATTR_RULE;
+
+ rc = __aclp__copy_normalized_str(s, end, prevend,
+ &ret_str, &retstr_len, 0);
+ if (rc < 0) {
+ goto error;
+ }
} else if ( 0 == strncmp ( s, DS_LAS_GROUPDN, 7)) {
p = strstr ( s, "=");
@@ -757,21 +844,12 @@ normalize_nextACERule:
if ( strncmp (p, "!=", 2) == 0)
aci_item->aci_type |= ACI_CONTAIN_NOT_GROUPDN;
- p = strstr ( s, "ldap");
- if (p == NULL) {
- /* must start with ldap */
- if (s_acestr) slapi_ch_free ( (void **) &s_acestr );
- if (ret_str) slapi_ch_free ( (void **) &ret_str );
- slapi_ch_free ( (void **) &s_aclstr );
- return (NULL);
- }
- p += 8;
- if (__aclp__dn_normalize (p, end) == NULL) {
- if (s_acestr) slapi_ch_free ( (void **) &s_acestr );
- if (ret_str) slapi_ch_free ( (void **) &ret_str );
- slapi_ch_free ( (void **) &s_aclstr );
- return (NULL);
+ rc = __aclp__copy_normalized_str(s, end, prevend,
+ &ret_str, &retstr_len, 1);
+ if (rc < 0) {
+ goto error;
}
+
/* check for param rules */
__aclp_chk_paramRules ( aci_item, p, end );
@@ -786,21 +864,12 @@ normalize_nextACERule:
if ( strncmp (p, "!=", 2) == 0)
aci_item->aci_type |= ACI_CONTAIN_NOT_ROLEDN;
- p = strstr ( s, "ldap");
- if (p == NULL) {
- /* must start with ldap */
- if (s_acestr) slapi_ch_free ( (void **) &s_acestr );
- if (ret_str) slapi_ch_free ( (void **) &ret_str );
- slapi_ch_free ( (void **) &s_aclstr );
- return (NULL);
- }
- p += 8;
- if (__aclp__dn_normalize (p, end) == NULL) {
- if (s_acestr) slapi_ch_free ( (void **) &s_acestr );
- if (ret_str) slapi_ch_free ( (void **) &ret_str );
- slapi_ch_free ( (void **) &s_aclstr );
- return (NULL);
+ rc = __aclp__copy_normalized_str(s, end, prevend,
+ &ret_str, &retstr_len, 1);
+ if (rc < 0) {
+ goto error;
}
+
/* check for param rules */
__aclp_chk_paramRules ( aci_item, p, end );
@@ -808,40 +877,47 @@ normalize_nextACERule:
if ( aci_item->aci_elevel > ACI_ELEVEL_GROUPDN )
aci_item->aci_elevel = ACI_ELEVEL_GROUPDN;*/
aci_item->aci_ruleType |= ACI_ROLEDN_RULE;
+ } else {
+ /* adding the string no need to be processed
+ * (e.g., dns="lab.example.com)" */
+ aclutil_str_append_ext(&ret_str, &retstr_len,
+ prevend, end - prevend);
}
+ prevend = end;
s = ++end;
s = __aclp__getNextLASRule(aci_item, s, &end);
- }/* while */
+ if (NULL == s) {
+ /* adding the rest of the string, e.g. '\"' */
+ aclutil_str_append_ext(&ret_str, &retstr_len,
+ prevend, strlen(prevend));
+ }
+ } /* while */
- /* get the head of the string */
- acestr = s_acestr;
- len = strlen( acestr);
- ptr = acestr +len-1;
- while (*ptr && *ptr != '\"' && *ptr != ')' ) *ptr-- = ' ';
- ptr++;
- *ptr = ';';
-
- aclutil_str_appened (&ret_str, acestr);
- if (s_acestr) {
- slapi_ch_free ( (void **) &s_acestr );
- }
- s_acestr = NULL;
+ slapi_ch_free_string (&s_acestr);
+ __acl_strip_trailing_space(ret_str);
+ aclutil_str_append_ext(&ret_str, &retstr_len, ";", 1);
if (nextACE) {
s = strstr (nextACE, "allow");
if (s == NULL) s = strstr (nextACE, "deny");
if (s == NULL) {
if (nextACE && *nextACE != '\0')
- aclutil_str_appened (&ret_str, nextACE);
- slapi_ch_free ( (void **) &s_aclstr );
+ aclutil_str_append (&ret_str, nextACE);
+ slapi_ch_free_string (&s_aclstr);
return (ret_str);
}
acestr = nextACE;
goto normalize_nextACERule;
}
- slapi_ch_free ( (void **) &s_aclstr );
+ slapi_ch_free_string (&s_aclstr);
return (ret_str);
+
+error:
+ slapi_ch_free_string (&ret_str);
+ slapi_ch_free_string (&s_aclstr);
+ slapi_ch_free_string (&s_acestr);
+ return NULL;
}
/*
*
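Review bot: The text that follows the rights is copied into ret_str only from inside the `while ( s )` loop, so when the first `__aclp__getNextLASRule` call returns NULL the loop body never runs and ret_str ends up with just the `allow(...)`/`deny(...)` prefix and `;`. The removed code appended the whole acestr in that case. If an ACE without a recognised bind rule can reach this point, append the tail once after the loop instead of in the `NULL == s` branch: `if (prevend) aclutil_str_append_ext(&ret_str, &retstr_len, prevend, strlen(prevend));`. The `nextACE` path also switches to `aclutil_str_append`, which does not maintain retstr_len; that is harmless only because the function returns right after, and a comment should say so. The loop starts in an earlier hunk.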
@@ -857,7 +933,7 @@ __aclp__getNextLASRule (aci_t *aci_item, char *original_str , char **endOfCurrRu
{
char *newstr, *word, *next, *start, *end;
char *ruleStart = NULL;
- int len, ruleLen;
+ int len, ruleLen = 0;
int in_dn_expr = 0;
*endOfCurrRule = NULL;
@@ -1029,43 +1105,7 @@ __aclp__getNextLASRule (aci_t *aci_item, char *original_str , char **endOfCurrRu
return ( ruleStart );
}
-/******************************************************************************
-*
-* __aclp__dn_normalize
-*
-* Normalize the DN INPLACE. This routine is similar to slapi_dn_normalize()
-* except various small stuff at the end.
-* Normalize until the "end" and not to the end of string.
-*
-******************************************************************************/
-static char *
-__aclp__dn_normalize( char *dn , char *end)
-{
- char *d;
-
- if ((end - dn) < 0) {
- return(NULL);
- }
- d = slapi_dn_normalize_to_end ( dn, end );
-
- /* Do I have the quotes already */
- if (*d != '\"' ) {
- /*
- ** We are taking care of this situation
- ** " ") ". We need to remove the space
- ** infront and tack it after the quote like this.
- ** "" ) ".
- */
-
- *d = '\"';
- d++;
- while (*d && *d != '\"') *d++ = ' ';
- *d = ' ';
- }
-
- return( dn );
-}
/***************************************************************************
* acl__get_aci_right
*
@@ -1263,6 +1303,7 @@ __aclp__init_targetattr (aci_t *aci, char *attr_val)
}
while (str != 0 && *str != 0) {
+ int lenstr = 0;
__acl_strip_leading_space(&str);
@@ -1292,23 +1333,28 @@ __aclp__init_targetattr (aci_t *aci, char *attr_val)
attr = (Targetattr *) slapi_ch_malloc (sizeof (Targetattr));
memset (attr, 0, sizeof(Targetattr));
- if (strchr(str, '*')) {
-
+ /* strip double quotes */
+ lenstr = strlen(str);
+ if (*str == '"' && *(str + lenstr - 1) == '"') {
+ *(str + lenstr - 1) = '\0';
+ str++;
+ }
+ if (strchr(str, '*')) {
+
/* It contains a * so it's something like * or cn* */
if (strcmp(str, "*" ) != 0) {
char line[100];
char *lineptr = &line[0];
char *newline = NULL;
- int lenstr = 0;
struct slapi_filter *f = NULL;
- if ((lenstr = strlen(str)) > 91) { /* 100 - 8 for "(attr =%s)" */
- newline = slapi_ch_malloc(lenstr + 9);
+ if (lenstr > 92) { /* 100 - 8 for "(attr=%s)\0" */
+ newline = slapi_ch_malloc(lenstr + 8);
lineptr = newline;
}
attr->attr_type = ACL_ATTR_FILTER;
- sprintf (lineptr, "(attr =%s)", str);
+ sprintf (lineptr, "(attr=%s)", str);
f = slapi_str2filter (lineptr);
if (f == NULL) {
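Review bot: The quote-stripping test `*str == '"' && *(str + lenstr - 1) == '"'` is also true for a one-character string holding a single quote, where both sides look at the same byte, and `lenstr` is not reduced after the strip although it later chooses between `line[100]` and the heap buffer. The stale length over-estimates, so the unbounded `sprintf (lineptr, "(attr=%s)", str)` still fits, but that safety rests on arithmetic spread over several lines. I would write `if (lenstr >= 2 && *str == '"' && *(str + lenstr - 1) == '"')`, add `lenstr -= 2;` inside the block, and format with `PR_snprintf` and the size of whichever buffer lineptr points to. The loop and the function start and end outside this hunk.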
@@ -1320,7 +1366,7 @@ __aclp__init_targetattr (aci_t *aci, char *attr_val)
if (newline) slapi_ch_free((void **) &newline);
} else {
- attr->attr_type = ACL_ATTR_STAR;
+ attr->attr_type = ACL_ATTR_STAR;
attr->u.attr_str = slapi_ch_strdup (str);
}
diff --git a/ldap/servers/plugins/acl/aclproxy.c b/ldap/servers/plugins/acl/aclproxy.c
index d40f543f..9b28489a 100644
--- a/ldap/servers/plugins/acl/aclproxy.c
+++ b/ldap/servers/plugins/acl/aclproxy.c
@@ -87,7 +87,9 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp,
LDAPProxyAuth *spec = NULL;
BerElement *ber = NULL;
char *errstring = "unable to parse proxied authorization control";
-
+ int rc = 0;
+ char *normed = NULL;
+ size_t dnlen = 0;
BEGIN
ber_tag_t tag;
@@ -132,11 +134,20 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp,
errstring = "proxied authorization id must be a DN (dn:...)";
break;
}
- strcpy( spec->auth_dn, spec->auth_dn + 3 );
+ /* memmove is safe for overlapping copy */
+ memmove ( spec->auth_dn, spec->auth_dn + 3, strlen(spec->auth_dn) - 2);/* 1 for '\0' */
}
- slapi_dn_normalize(spec->auth_dn);
lderr = LDAP_SUCCESS; /* got it! */
+ rc = slapi_dn_normalize_ext(spec->auth_dn, 0, &normed, &dnlen);
+ if (rc < 0) {
+ lderr = LDAP_INVALID_SYNTAX;
+ } else if (rc == 0) { /* spec->auth_dn is passed in; not terminated */
+ *(normed + dnlen) = '\0';
+ } else {
+ slapi_ch_free_string(&spec->auth_dn);
+ spec->auth_dn = normed;
+ }
END
/* Cleanup */
diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c
index 4aebd477..c0b8f579 100644
--- a/ldap/servers/plugins/acl/aclutil.c
+++ b/ldap/servers/plugins/acl/aclutil.c
@@ -65,7 +65,7 @@ static PRIntn acl_ht_display_entry(PLHashEntry *he, PRIntn i, void *arg);
/* UTILITY FUNCTIONS */
/***************************************************************************/
int
-aclutil_str_appened(char **str1, const char *str2)
+aclutil_str_append(char **str1, const char *str2)
{
int new_len;
@@ -87,6 +87,43 @@ aclutil_str_appened(char **str1, const char *str2)
return(0);
}
+/*
+ * dlen: the length of the buffer *dest (not the string length in *dest)
+ */
+int
+aclutil_str_append_ext(char **dest, size_t *dlen, const char *src, size_t slen)
+{
+ char *ptr = NULL;
+ int rc = 0;
+
+ if ( dest == NULL || src == NULL ) {
+ return rc;
+ }
+
+ if (0 == slen) {
+ slen = strlen(src);
+ }
+ if (*dest && dlen > 0) {
+ size_t dest_strlen = strlen(*dest);
+ size_t new_len = dest_strlen + slen + 1;
+ if (new_len > *dlen) {
+ *dest = (char *)slapi_ch_realloc(*dest, new_len);
+ *dlen = new_len;
+ ptr = *dest + dest_strlen;
+ } else {
+ ptr = *dest + dest_strlen;
+ }
+ } else {
+ *dlen = slen + 1;
+ *dest = (char *)slapi_ch_malloc(*dlen);
+ ptr = *dest;
+ }
+ memcpy(ptr, src, slen);
+ *(ptr + slen) = '\0';
+
+ return rc;
+}
+
/***************************************************************************/
/* Print routines */
/***************************************************************************/
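Review bot: `if (*dest && dlen > 0)` compares the pointer `dlen` with zero rather than the length it points to, and `dlen` is never checked for NULL although both branches dereference it. Add it to the guard, `if ( dest == NULL || dlen == NULL || src == NULL ) {`, and reduce the branch test to `if (*dest) {` so the intent is explicit. Separately, `slen == 0` is treated as "use strlen(src)", while the ACL parser passes computed differences such as `end - prevend`; a zero difference therefore copies the whole remainder of src instead of nothing, and a negative one becomes a very large size_t for memcpy. The header comment should state the zero convention, and callers that compute the length should skip the call when it is not positive. The function always returns 0, so the int return carries no information as written.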
@@ -104,9 +141,14 @@ acl_print_acllib_err (NSErr_t *errp , char * str)
aclErrorFmt(errp, msgbuf, ACLUTIL_ACLLIB_MSGBUF_LEN, 1);
msgbuf[ACLUTIL_ACLLIB_MSGBUF_LEN-1] = '\0';
- if (msgbuf)
- slapi_log_error(SLAPI_LOG_ACL, plugin_name,"ACL LIB ERR:(%s)(%s)\n",
- msgbuf, str ? str: "NULL");
+ if (strlen(msgbuf) > 0) {
+ slapi_log_error(SLAPI_LOG_ACL, plugin_name,"ACL LIB ERR:(%s)(%s)\n",
+ msgbuf, str ? str: "NULL");
+ } else {
+ slapi_log_error(SLAPI_LOG_ACL, plugin_name,"ACL LIB ERR:(%s)\n",
+ str ? str: "NULL");
+ }
+
}
void
aclutil_print_aci (aci_t *aci_item, char *type)
@@ -240,7 +282,7 @@ aclutil_print_err (int rv , const Slapi_DN *sdn, const struct berval* val,
if (errbuf) {
/* If a buffer is provided, then copy the error */
- aclutil_str_appened(errbuf, lineptr );
+ aclutil_str_append(errbuf, lineptr );
}
slapi_log_error( SLAPI_LOG_FATAL, plugin_name, "%s", lineptr);
@@ -436,7 +478,7 @@ acl_gen_err_msg(int access, char *edn, char *attr, char **errbuf)
line = PR_smprintf(
"Insufficient 'delete' privilege to delete the entry '%s'.\n",edn);
}
- aclutil_str_appened(errbuf, line );
+ aclutil_str_append(errbuf, line );
if (line) {
PR_smprintf_free(line);
@@ -540,7 +582,7 @@ aclutil_expand_paramString ( char *str, Slapi_Entry *e )
goto cleanup;
}
*p = '\0';
- aclutil_str_appened ( &buf,a_dns[i]);
+ aclutil_str_append ( &buf,a_dns[i]);
if ( type == 1 ) {
/* xyz = $dn.o */
@@ -573,15 +615,15 @@ aclutil_expand_paramString ( char *str, Slapi_Entry *e )
kk= slapi_attr_next_value( attr, kk, &sval );
if ( kk != -1 ) /* can't handle multiple --error */
goto cleanup;
+ attrValue = slapi_value_get_berval ( t_sval );
+ attrVal = attrValue->bv_val;
}
- attrValue = slapi_value_get_berval ( t_sval );
- attrVal = attrValue->bv_val;
}
} else {
attrVal = a_dns[i];
}
- aclutil_str_appened ( &buf, attrVal);
- aclutil_str_appened ( &buf, ",");
+ aclutil_str_append ( &buf, attrVal);
+ aclutil_str_append ( &buf, ",");
}
rc = 0; /* everything is okay*/
/* remove the last comma */
@@ -607,7 +649,7 @@ __aclutil_extract_dn_component ( char **e_dns, int position, char *attrName )
int i, matched, len;
char *s;
- int matchedPosition;
+ int matchedPosition = 0;
len = strlen ( attrName );
diff --git a/ldap/servers/plugins/chainingdb/cb_config.c b/ldap/servers/plugins/chainingdb/cb_config.c
index 1dab8462..5659353c 100644
--- a/ldap/servers/plugins/chainingdb/cb_config.c
+++ b/ldap/servers/plugins/chainingdb/cb_config.c
@@ -63,24 +63,28 @@ int cb_config_add_dse_entries(cb_backend *cb, char **entries, char *string1, cha
Slapi_PBlock *util_pb = NULL;
int res, rc = 0;
char entry_string[CB_BUFSIZE];
+ char *dn = NULL;
for(x = 0; strlen(entries[x]) > 0; x++) {
util_pb = slapi_pblock_new();
PR_snprintf(entry_string, sizeof(entry_string), entries[x], string1, string2, string3);
e = slapi_str2entry(entry_string, 0);
+ dn = slapi_ch_strdup(slapi_entry_get_dn(e)); /* for err msg */
slapi_add_entry_internal_set_pb(util_pb, e, NULL, cb->identity, 0);
slapi_add_internal_pb(util_pb);
slapi_pblock_get(util_pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
if ( LDAP_SUCCESS != res && LDAP_ALREADY_EXISTS != res ) {
char ebuf[ BUFSIZ ];
- slapi_log_error(SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
+ slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
"Unable to add config entry (%s) to the DSE: %s\n",
- escape_string(slapi_entry_get_dn(e), ebuf),
+ escape_string(dn, ebuf),
ldap_err2string(res));
rc = res;
slapi_pblock_destroy(util_pb);
+ slapi_ch_free_string(&dn);
break;
}
+ slapi_ch_free_string(&dn);
slapi_pblock_destroy(util_pb);
}
return rc;
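Review bot: `slapi_entry_get_dn(e)` is now called unconditionally right after `slapi_str2entry`, and `e` is not checked for NULL first. With this commit tightening DN validation, a skeleton entry whose formatted DN is rejected would presumably come back as NULL, and the new strdup line would then dereference it. A check placed before that line which logs entry_string, destroys util_pb, sets rc and breaks keeps the failure visible in the log. The per-iteration copy of the DN makes sense if the add operation consumes `e`; a comment saying so would explain it better than `/* for err msg */`.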
@@ -161,7 +165,7 @@ int cb_config_load_dse_info(Slapi_PBlock * pb) {
/* Get the default instance value entry if it exists */
/* else create it */
-
+ /* This dn is already normalized */
PR_snprintf(defaultDn,sizeof(defaultDn),"cn=default instance config,%s",cb->pluginDN);
default_pb = slapi_pblock_new();
diff --git a/ldap/servers/plugins/chainingdb/cb_init.c b/ldap/servers/plugins/chainingdb/cb_init.c
index 21a54d54..3b4f7a0b 100644
--- a/ldap/servers/plugins/chainingdb/cb_init.c
+++ b/ldap/servers/plugins/chainingdb/cb_init.c
@@ -82,7 +82,9 @@ chaining_back_init( Slapi_PBlock *pb )
/* Initialize misc. fields */
cb->config.rwl_config_lock = PR_NewRWLock(PR_RWLOCK_RANK_NONE, "chaining_db");
- rc = slapi_pblock_set( pb, SLAPI_PLUGIN_PRIVATE, (void *) cb );
+ rc = slapi_pblock_set( pb, SLAPI_PLUGIN_PRIVATE, (void *) cb );
+
+ /* These DNs are already normalized */
cb->pluginDN=slapi_ch_smprintf("cn=%s,%s",CB_PLUGIN_NAME,PLUGIN_BASE_DN);
cb->configDN=slapi_ch_smprintf("cn=config,%s",cb->pluginDN);
diff --git a/ldap/servers/plugins/chainingdb/cb_instance.c b/ldap/servers/plugins/chainingdb/cb_instance.c
index 1c08bd9f..73d5e019 100644
--- a/ldap/servers/plugins/chainingdb/cb_instance.c
+++ b/ldap/servers/plugins/chainingdb/cb_instance.c
@@ -153,10 +153,10 @@ cb_dont_allow_that(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e,
static char *cb_skeleton_entries[] =
{
- "dn:cn=monitor, cn=%s, cn=%s, cn=plugins, cn=config\n"
- "objectclass:top\n"
- "objectclass:extensibleObject\n"
- "cn:monitor\n",
+ "dn: cn=monitor,cn=%s,cn=%s,cn=plugins,cn=config\n"
+ "objectclass: top\n"
+ "objectclass: extensibleObject\n"
+ "cn: monitor\n",
""
};
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index a14e48ce..b5aace63 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -69,6 +69,8 @@
#include <stdio.h>
#include <string.h>
+#include <ctype.h>
+
#include "portable.h"
#include "slapi-plugin.h"
@@ -324,6 +326,8 @@ static int cos_cache_vattr_compare(vattr_sp_handle *handle, vattr_context *c, Sl
static int cos_cache_vattr_types(vattr_sp_handle *handle,Slapi_Entry *e,vattr_type_list_context *type_context,int flags);
static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, Slapi_Entry *e, char *type, Slapi_ValueSet **out_attr, Slapi_Value *test_this, int *result, int *ops);
+static int hexchar2int( char c );
+
/*
compares s2 to s1 starting from end of string until the beginning of either
matches result in the s2 value being clipped from s1 with a NULL char
@@ -904,14 +908,29 @@ static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data) {
{
/* get the parent of the definition */
- char *parent = slapi_dn_parent(pDn->val);
- slapi_dn_normalize( parent );
+ char *parent = NULL;
+ size_t plen = 0;
+ int rc = 0;
+ char *orig = slapi_dn_parent(pDn->val);
+ rc = slapi_dn_normalize_ext(orig,
+ 0, &parent, &plen);
+ if (rc < 0) {
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "cos_cache_build_definition_list: failed to normalize parent dn %s. Adding the pre normalized dn.\n", orig, 0, 0);
+ parent = orig;
+ } else if (rc == 0) {
+ /* passed in. not terminated */
+ *(parent + plen) = '\0';
+ }
cos_cache_add_attrval(&pCosTargetTree, parent);
if(!pCosTemplateDn)
cos_cache_add_attrval(&pCosTemplateDn, parent);
- slapi_ch_free((void**)&parent);
+ if (orig != parent) {
+ slapi_ch_free_string(&orig);
+ }
+ slapi_ch_free_string(&parent);
}
slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL);
@@ -1916,16 +1935,33 @@ static int cos_cache_add_tmpl(cosTemplates **pTemplates, cosAttrValue *dn, cosAt
theTemp = (cosTemplates*) slapi_ch_malloc(sizeof(cosTemplates));
if(theTemp)
{
- char *grade = (char*)slapi_ch_malloc(strlen(dn->val)+1);
+ char *grade = NULL;
int grade_index = 0;
int index = 0;
+ int lastindex = 0;
int template_default = 0;
-
- slapi_dn_normalize(dn->val);
+ char *dnval = NULL;
+ size_t dnlen = 0;
+ int rc = 0;
+
+ rc = slapi_dn_normalize_ext(dn->val, 0, &dnval, &dnlen);
+ if (rc < 0) {
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "cos_cache_add_tmpl: failed to normalize dn %s. "
+ "Processing the pre normalized dn.\n", dn->val, 0, 0);
+ } else if (rc == 0) {
+ /* passed in. not terminated */
+ *(dnval + dnlen) = '\0';
+ } else {
+ slapi_ch_free_string(&dn->val);
+ dn->val = dnval;
+ }
+ grade = (char*)slapi_ch_malloc(strlen(dn->val)+1);
/* extract the cos grade */
while(dn->val[index] != '=' && dn->val[index] != '\0')
index++;
+ lastindex = strlen(dn->val) - 1;
if(dn->val[index] == '=')
{
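Review bot: The three-way handling of the slapi_dn_normalize_ext result (log on rc < 0, terminate in place on rc == 0, free and swap on rc > 0) is written out by hand here and again in the cos_cache_query_attr and cos_cache_index_all hunks of this file. A file-local helper would keep the ownership rule in one place, which matters because a missed branch means either a leak or an unterminated string. Each caller keeps its own log message, and the fail-open choice of continuing with the un-normalized DN should be stated in the helper's comment. The body of cos_cache_add_tmpl starts and ends outside this hunk.
```c
/* Normalize *dnp. On rc >= 0 *dnp is NUL-terminated and owned by the caller;
 * on rc < 0 *dnp is left untouched and the caller decides how to proceed. */
static int
cos_cache_normalize_dn(char **dnp)
{
    char *normed = NULL;
    size_t len = 0;
    int rc = slapi_dn_normalize_ext(*dnp, 0, &normed, &len);

    if (rc == 0) {
        /* normalized in place; the result is not terminated */
        *(normed + len) = '\0';
    } else if (rc > 0) {
        /* a new buffer was returned; release the old value */
        slapi_ch_free_string(dnp);
        *dnp = normed;
    }
    return rc;
}

/* ... unchanged: declarations in cos_cache_add_tmpl ... */
if (cos_cache_normalize_dn(&dn->val) < 0) {
    LDAPDebug(LDAP_DEBUG_ANY,
        "cos_cache_add_tmpl: failed to normalize dn %s. "
        "Processing the pre normalized dn.\n", dn->val, 0, 0);
}
grade = (char*)slapi_ch_malloc(strlen(dn->val)+1);
```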
@@ -1945,7 +1981,29 @@ static int cos_cache_add_tmpl(cosTemplates **pTemplates, cosAttrValue *dn, cosAt
}
else
{
- if(dn->val[index] != '\\') /* skip escape chars */
+ if(dn->val[index] == '\\')
+ {
+ if ((index+2 <= lastindex) && isxdigit(dn->val[index+1]) &&
+ isxdigit(dn->val[index+2])) {
+ /* Convert ESC HEX HEX to a real char */
+ int n = hexchar2int(dn->val[index+1]);
+ int n2 = hexchar2int(dn->val[index+2]);
+ n = (n << 4) + n2;
+ if (n == 0) { /* don't change \00 */
+ grade[grade_index] = dn->val[index++]; /* '\\' */
+ grade_index++;
+ grade[grade_index] = dn->val[index++]; /* 0 */
+ grade_index++;
+ grade[grade_index] = dn->val[index]; /* 0 */
+ grade_index++;
+ } else {
+ grade[grade_index] = n;
+ index += 2;
+ grade_index++;
+ }
+ } /* else: skip escape chars */
+ }
+ else
{
grade[grade_index] = dn->val[index];
grade_index++;
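Review bot: `isxdigit(dn->val[index+1])` and `isxdigit(dn->val[index+2])` receive a plain `char`, which is negative for bytes above 0x7f where char is signed; passing a negative value other than EOF to a <ctype.h> function is undefined behaviour, and DN values can carry UTF-8. Cast at the call, `isxdigit((unsigned char)dn->val[index+1])`, and the same for `index+2`. Since hexchar2int already returns -1 for non-hex input, testing its two results instead would remove the ctype dependency altogether. The enclosing loop starts and ends outside this hunk.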
@@ -2329,8 +2387,24 @@ static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, Sl
/* is this entry a child of the target tree(s)? */
do
{
- if(pTargetTree)
- slapi_dn_normalize( pTargetTree->val );
+ if(pTargetTree) {
+ int rc = 0;
+ char *tval = NULL;
+ size_t tlen = 0;
+ rc = slapi_dn_normalize_ext(pTargetTree->val, 0, &tval, &tlen);
+ if (rc < 0) {
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "cos_cache_query_attr: failed to normalize dn %s. "
+ "Processing the pre normalized dn.\n",
+ pTargetTree->val, 0, 0);
+ } else if (rc == 0) {
+ /* passed in. not terminated */
+ *(tval + tlen) = '\0';
+ } else {
+ slapi_ch_free_string(&pTargetTree->val);
+ pTargetTree->val = tval;
+ }
+ }
if( pTargetTree->val == 0 ||
slapi_dn_issuffix(pDn, pTargetTree->val) != 0 ||
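Review bot: This lookup path now frees and replaces the cached string (`slapi_ch_free_string(&pTargetTree->val); pTargetTree->val = tval;`), where the old call only rewrote the buffer in place. If the cache can be read by more than one thread while a query runs, which is not visible from this hunk, another reader could still hold the freed pointer. Normalizing once when the value is stored in the cache would avoid both the mutation on the read side and the repeated normalization on every query. The context line after the new block also dereferences `pTargetTree->val` outside the `if(pTargetTree)` guard, so the guard protects nothing as written.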
@@ -2800,7 +2874,23 @@ static int cos_cache_index_all(cosCache *pCache)
while(pAttrVal)
{
- slapi_dn_normalize(pAttrVal->val);
+ int rc = 0;
+ char *dnval = NULL;
+ size_t dnlen = 0;
+ rc = slapi_dn_normalize_ext(pAttrVal->val, 0,
+ &dnval, &dnlen);
+ if (rc < 0) {
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "cos_cache_index_all: failed to normalize dn %s. "
+ "Processing the pre normalized dn.\n",
+ pAttrVal->val, 0, 0);
+ } else if (rc == 0) {
+ /* passed in. not terminated */
+ *(dnval + dnlen) = '\0';
+ } else {
+ slapi_ch_free_string(&pAttrVal->val);
+ pAttrVal->val = dnval;
+ }
pCache->ppTemplateList[tmpindex] = pAttrVal->val;
tmpindex++;
@@ -3519,3 +3609,20 @@ static int cos_cache_entry_is_cos_related( Slapi_Entry *e) {
}
return(rc);
}
+
+/* copied from dn.c */
+static int
+hexchar2int( char c )
+{
+ if ( '0' <= c && c <= '9' ) {
+ return( c - '0' );
+ }
+ if ( 'a' <= c && c <= 'f' ) {
+ return( c - 'a' + 10 );
+ }
+ if ( 'A' <= c && c <= 'F' ) {
+ return( c - 'A' + 10 );
+ }
+ return( -1 );
+}
+
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index b8922d9d..94c4ab38 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -680,7 +680,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
}
entry = (struct configEntry *)
- slapi_ch_calloc(1, sizeof(struct configEntry));
+ slapi_ch_calloc(1, sizeof(struct configEntry));
if (NULL == entry) {
ret = DNA_FAILURE;
goto bail;
@@ -787,7 +787,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
if (value) {
/* TODO - Allow multiple scope settings for a single range. This may
* make ordering the scopes tough when we put them in the clist. */
- entry->scope = slapi_dn_normalize(value);
+ entry->scope = value;
} else {
slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
"dna_parse_config_entry: The %s config "
@@ -817,6 +817,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
if (value) {
Slapi_Entry *shared_e = NULL;
Slapi_DN *sdn = NULL;
+ char *normdn = NULL;
sdn = slapi_sdn_new_dn_byref(value);
@@ -840,15 +841,29 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
shared_e = NULL;
}
- entry->shared_cfg_base = slapi_ch_strdup(value);
- slapi_dn_normalize(entry->shared_cfg_base);
+ normdn = slapi_create_dn_string("%s", value);
+ if (NULL == normdn) {
+ slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
+ "dna_parse_config_entry: failed to normalize dn: "
+ "%s\n", value);
+ ret = DNA_FAILURE;
+ goto bail;
+ }
+ entry->shared_cfg_base = normdn;
/* We prepend the host & port of this instance as a
* multi-part RDN for the shared config entry. */
- entry->shared_cfg_dn = slapi_ch_smprintf("%s=%s+%s=%s,%s", DNA_HOSTNAME,
- hostname, DNA_PORTNUM, portnum, value);
- slapi_ch_free_string(&value);
- slapi_dn_normalize(entry->shared_cfg_dn);
+ normdn = slapi_create_dn_string("%s=%s+%s=%s,%s", DNA_HOSTNAME,
+ hostname, DNA_PORTNUM, portnum, normdn);
+ if (NULL == normdn) {
+ slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
+ "dna_parse_config_entry: failed to create dn: "
+ "%s=%s+%s=%s,%s", DNA_HOSTNAME,
+ hostname, DNA_PORTNUM, portnum, value);
+ ret = DNA_FAILURE;
+ goto bail;
+ }
+ entry->shared_cfg_dn = normdn;
slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM,
"----------> %s [%s]\n", DNA_SHARED_CFG_DN,
@@ -1680,8 +1695,6 @@ static char *dna_get_dn(Slapi_PBlock * pb)
goto bail;
}
-/* slapi_dn_normalize( dn );
-*/
bail:
slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
"<-- dna_get_dn\n");
@@ -2310,7 +2323,14 @@ static int dna_is_replica_bind_dn(char *range_dn, char *bind_dn)
* the shared config. We need to see what the configured
* replica bind DN is. */
if (be_suffix) {
- replica_dn = slapi_ch_smprintf("cn=replica,cn=\"%s\",cn=mapping tree,cn=config", be_suffix);
+ /* This function converts the old DN style to the new one. */
+ replica_dn = slapi_create_dn_string("cn=replica,cn=\"%s\",cn=mapping tree,cn=config", be_suffix);
+ if (NULL == replica_dn) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM,
+ "dna_is_replica_bind_dn: failed to create "
+ "replica dn for %s\n", be_suffix);
+ return 1;
+ }
replica_sdn = slapi_sdn_new_dn_passin(replica_dn);
attrs[0] = DNA_REPL_BIND_DN;
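Review bot: The new failure branch ends with `return 1;`, and the function name reads as a predicate on the bind DN. If a non-zero result means the bind DN matched (the return convention is outside this hunk), an internal failure to build the DN answers yes, which is the permissive outcome for whatever check relies on it. Returning the non-matching value through the function's normal cleanup path, as dna_get_replica_bind_creds does with `ret = LDAP_PARAM_ERROR; goto bail;`, would fail closed and release anything allocated earlier. The message is logged with SLAPI_LOG_PLUGIN; SLAPI_LOG_FATAL, which this file uses for other configuration failures, would make the condition easier to notice.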
@@ -2370,8 +2390,15 @@ static int dna_get_replica_bind_creds(char *range_dn, struct dnaServer *server,
/* Fetch the replication agreement entry */
if (be_suffix) {
- replica_dn = slapi_ch_smprintf("cn=replica,cn=\"%s\",cn=mapping tree,cn=config",
- be_suffix);
+ /* This function converts the old DN style to the new one. */
+ replica_dn = slapi_create_dn_string("cn=replica,cn=\"%s\",cn=mapping tree,cn=config", be_suffix);
+ if (NULL == replica_dn) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM,
+ "dna_get_replica_bind_creds: failed to create "
+ "replica dn for %s\n", be_suffix);
+ ret = LDAP_PARAM_ERROR;
+ goto bail;
+ }
filter = slapi_ch_smprintf("(&(nsds5ReplicaHost=%s)(|(" DNA_REPL_PORT "=%u)"
"(" DNA_REPL_PORT "=%u)))",
diff --git a/ldap/servers/plugins/linkedattrs/fixup_task.c b/ldap/servers/plugins/linkedattrs/fixup_task.c
index 50d35d0e..d5505709 100644
--- a/ldap/servers/plugins/linkedattrs/fixup_task.c
+++ b/ldap/servers/plugins/linkedattrs/fixup_task.c
@@ -80,9 +80,9 @@ linked_attrs_fixup_task_add(Slapi_PBlock *pb, Slapi_Entry *e,
goto out;
}
- if (linkdn) {
+ if (linkdn) {
mytaskdata->linkdn = slapi_dn_normalize(slapi_ch_strdup(linkdn));
- }
+ }
/* allocate new task now */
task = slapi_new_task(slapi_entry_get_ndn(e));
diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c
index e9d64fe4..ba142033 100644
--- a/ldap/servers/plugins/mep/mep.c
+++ b/ldap/servers/plugins/mep/mep.c
@@ -88,7 +88,6 @@ static int mep_modrdn_pre_op(Slapi_PBlock *pb);
static int mep_load_config();
static void mep_delete_config();
static int mep_parse_config_entry(Slapi_Entry * e, int apply);
-static void mep_insert_config_index(struct configEntry *entry);
static void mep_free_config_entry(struct configEntry ** entry);
/*
@@ -949,7 +948,6 @@ mep_create_managed_entry(struct configEntry *config, Slapi_Entry *origin)
Slapi_Entry *template = NULL;
char *rdn_type = NULL;
char **vals = NULL;
- char *p = NULL;
char *type = NULL;
char *value = NULL;
int vlen = 0;
@@ -1055,7 +1053,7 @@ mep_create_managed_entry(struct configEntry *config, Slapi_Entry *origin)
/* Create the DN using the mapped RDN value
* and the base specified in the config. */
- dn = slapi_ch_smprintf("%s=%s,%s", rdn_type, rdn_val, config->managed_base);
+ dn = slapi_create_dn_string("%s=%s,%s", rdn_type, rdn_val, config->managed_base);
slapi_ch_free_string(&rdn_val);
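Review bot: `dn` is not tested for NULL in the visible lines after `slapi_create_dn_string`, although the dna.c hunks in this commit check the same call for a NULL return. The mapped RDN value presumably comes from the origin entry, so a value that does not form a valid DN is plausible. Unless a check follows outside the hunk, add one that logs rdn_type and rdn_val before rdn_val is freed and leaves through the function's error path.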
diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
index 65c6b2a9..cef3ee37 100644
--- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
@@ -89,7 +89,7 @@ smd5_pw_cmp( const char *userpwd, const char *dbpwd )
memset( quick_dbhash, 0, sizeof(quick_dbhash) );
}
- hashresult = PL_Base64Decode( dbpwd, 0, (char *)dbhash );
+ hashresult = PL_Base64Decode( dbpwd, 0, dbhash );
if (NULL == hashresult) {
slapi_log_error( SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME,
"smd5_pw_cmp: userPassword \"%s\" is the wrong length "
@@ -139,7 +139,7 @@ smd5_pw_enc( const char *pwd )
memset( hash_out, 0, sizeof(hash_out) );
/* generate a new random salt */
- slapi_rand_array( salt, MD5_DEFAULT_SALT_LENGTH );
+ slapi_rand_array( (void *)salt, MD5_DEFAULT_SALT_LENGTH );
saltval.bv_val = (void*)salt;
saltval.bv_len = MD5_DEFAULT_SALT_LENGTH;
diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c
index b459a7ac..0f1598db 100644
--- a/ldap/servers/plugins/referint/referint.c
+++ b/ldap/servers/plugins/referint/referint.c
@@ -385,6 +385,7 @@ _update_one_per_mod(const char *entryDN, /* DN of the searched entry */
/* no need to free superior */
superior = slapi_dn_find_parent(origDN);
}
+ /* newRDN and superior are already normalized. */
newDN = slapi_ch_smprintf("%s,%s", newRDN, superior);
/*
* Compare the modified dn with the value of
@@ -409,9 +410,19 @@ _update_one_per_mod(const char *entryDN, /* DN of the searched entry */
nval != -1;
nval = slapi_attr_next_value(attr, nval, &v)) {
char *p = NULL;
+ size_t dnlen = 0;
/* DN syntax, which should be a string */
sval = slapi_ch_strdup(slapi_value_get_string(v));
- slapi_dn_normalize_case(sval);
+ rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);
+ if (rc == 0) { /* sval is passed in; not terminated */
+ *(p + dnlen) = '\0';
+ sval = p;
+ } else if (rc > 0) {
+ slapi_ch_free_string(&sval);
+ sval = p;
+ }
+ /* else: (rc < 0) Ignore the DN normalization error for now. */
+
p = PL_strstr(sval, norm_origDN);
if (p == sval) {
/* (case 1) */
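Review bot: `rc` is reused for the return of `slapi_dn_normalize_case_ext`, where a positive value only means that a new buffer was allocated. `rc` is declared outside the hunk; if it is also the status this function hands back, a value that needed reallocation but does not match `norm_origDN` could leave rc > 0 and be reported as a failure. A separate local, `int nrc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);`, keeps the two meanings apart. The same pattern is added to _update_all_per_mod in the `@@ -579,9 +591,19 @@` hunk.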
@@ -448,6 +459,7 @@ _update_one_per_mod(const char *entryDN, /* DN of the searched entry */
bak = *p;
*p = '\0';
+ /* newRDN and superior are already normalized. */
newvalue = slapi_ch_smprintf("%s%s", sval, newDN);
*p = bak;
values_add[0]=newvalue;
@@ -579,9 +591,19 @@ _update_all_per_mod(const char *entryDN, /* DN of the searched entry */
nval != -1;
nval = slapi_attr_next_value(attr, nval, &v)) {
char *p = NULL;
+ size_t dnlen = 0;
/* DN syntax, which should be a string */
sval = slapi_ch_strdup(slapi_value_get_string(v));
- slapi_dn_normalize_case(sval);
+ rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);
+ if (rc == 0) { /* sval is passed in; not terminated */
+ *(p + dnlen) = '\0';
+ sval = p;
+ } else if (rc > 0) {
+ slapi_ch_free_string(&sval);
+ sval = p;
+ }
+ /* else: (rc < 0) Ignore the DN normalization error for now. */
+
p = PL_strstr(sval, norm_origDN);
if (p == sval) {
/* (case 1) */
@@ -632,6 +654,7 @@ update_integrity(char **argv, char *origDN,
int i, j;
const char *search_base = NULL;
char *norm_origDN = NULL;
+ size_t dnlen = 0;
int rc;
if ( argv == NULL ) {
@@ -644,8 +667,14 @@ update_integrity(char **argv, char *origDN,
/* for now, just putting attributes to keep integrity on in conf file,
until resolve the other timing mode issue */
- norm_origDN = slapi_ch_strdup(origDN);
- slapi_dn_normalize_case(norm_origDN);
+ rc = slapi_dn_normalize_case_ext(origDN, 0, &norm_origDN, &dnlen);
+ if (rc == 0) { /* origDN is passed in; not terminated */
+ *(norm_origDN + dnlen) = '\0';
+ norm_origDN = slapi_ch_strdup(norm_origDN);
+ } else if (rc < 0) {
+ /* Ignore the DN normalization error for now. */
+ norm_origDN = slapi_ch_strdup(origDN);
+ }
search_result_pb = slapi_pblock_new();
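Review bot: Passing `origDN` straight to `slapi_dn_normalize_case_ext` lets the rc == 0 path normalize the caller's buffer in place, where the removed code normalized a private copy. The write `*(norm_origDN + dnlen) = '\0';` then lands in `origDN` itself, so later uses of `origDN` in this function and in the caller see the case-normalized, possibly shortened string. If that is not intended, normalize a duplicate as the _update_one_per_mod hunk does: `char *tmp = slapi_ch_strdup(origDN);` before the call, passing `tmp`, and free `tmp` in the rc > 0 branch. update_integrity starts and ends outside the hunk.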
diff --git a/ldap/servers/plugins/replication/legacy_consumer.c b/ldap/servers/plugins/replication/legacy_consumer.c
index 97745278..8a47e800 100644
--- a/ldap/servers/plugins/replication/legacy_consumer.c
+++ b/ldap/servers/plugins/replication/legacy_consumer.c
@@ -83,6 +83,7 @@ static void legacy_consumer_encode_pw (Slapi_Entry *e);
static void set_legacy_purl (Slapi_PBlock *pb, const char *purl);
static int get_legacy_referral (Slapi_Entry *e, char **referral, char **state);
+/* LEGACY_CONSUMER_CONFIG_DN is no need to be normalized. */
#define LEGACY_CONSUMER_CONFIG_DN "cn=legacy consumer," REPL_CONFIG_TOP
#define LEGACY_CONSUMER_FILTER "(objectclass=*)"
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index c6859ddb..6be21ceb 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -319,8 +319,8 @@ char **agmt_validate_replicated_attributes(Repl_Agmt *ra);
void* agmt_get_priv (const Repl_Agmt *agmt);
void agmt_set_priv (Repl_Agmt *agmt, void* priv);
-
int get_agmt_agreement_type ( Repl_Agmt *agmt);
+int agmt_has_protocol(Repl_Agmt *agmt);
typedef struct replica Replica;
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index 13db1acd..f60da022 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -2216,13 +2216,21 @@ agmt_get_consumer_rid ( Repl_Agmt *agmt, void *conn )
{
if ( agmt->consumerRID <= 0 ) {
- char mapping_tree_node[512];
+ char *mapping_tree_node = NULL;
struct berval **bvals = NULL;
- PR_snprintf ( mapping_tree_node,
- sizeof (mapping_tree_node),
- "cn=replica,cn=\"%s\",cn=mapping tree,cn=config",
- slapi_sdn_get_dn (agmt->replarea) );
+
+ /* This function converts the old style DN to the new one. */
+ mapping_tree_node =
+ slapi_create_dn_string("cn=replica,cn=\"%s\",cn=mapping tree,cn=config",
+ slapi_sdn_get_dn (agmt->replarea) );
+ if (NULL == mapping_tree_node) {
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ "agmt_get_consumer_rid: failed to normalize "
+ "replica dn for %s\n",
+ slapi_sdn_get_dn (agmt->replarea));
+ agmt->consumerRID = 0;
+ }
conn_read_entry_attribute ( conn, mapping_tree_node, "nsDS5ReplicaID", &bvals );
if ( NULL != bvals && NULL != bvals[0] ) {
char *ridstr = slapi_ch_malloc( bvals[0]->bv_len + 1 );
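Review bot: The NULL branch logs and sets `agmt->consumerRID = 0` but then falls through, so `conn_read_entry_attribute` is still called with a NULL `mapping_tree_node`. Leave the function from that branch, for example by adding `return agmt->consumerRID;` after the assignment, or put the read and the `bvals` handling in an `else`. The rest of the body is in the following hunk.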
@@ -2232,6 +2240,7 @@ agmt_get_consumer_rid ( Repl_Agmt *agmt, void *conn )
slapi_ch_free ( (void**) &ridstr );
ber_bvecfree ( bvals );
}
+ slapi_ch_free_string(&mapping_tree_node);
}
return agmt->consumerRID;
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index 510757b6..f9aa610d 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -50,7 +50,8 @@
#include "repl5.h"
#include <plstr.h>
-#define AGMT_CONFIG_BASE "cn=mapping tree, cn=config"
+/* normalized DN */
+#define AGMT_CONFIG_BASE "cn=mapping tree,cn=config"
#define CONFIG_FILTER "(objectclass=nsds5replicationagreement)"
#define WINDOWS_CONFIG_FILTER "(objectclass=nsdsWindowsreplicationagreement)"
#define GLOBAL_CONFIG_FILTER "(|" CONFIG_FILTER WINDOWS_CONFIG_FILTER " )"
diff --git a/ldap/servers/plugins/replication/repl5_protocol.c b/ldap/servers/plugins/replication/repl5_protocol.c
index 31f6072b..b1ff730d 100644
--- a/ldap/servers/plugins/replication/repl5_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_protocol.c
@@ -173,7 +173,6 @@ void
prot_free(Repl_Protocol **rpp)
{
Repl_Protocol *rp = NULL;
- PRIntervalTime interval;
if (rpp == NULL || *rpp == NULL) return;
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index f669900f..0d2f1956 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -1528,6 +1528,12 @@ _replica_get_config_entry (const Slapi_DN *root)
Slapi_PBlock *pb = NULL;
dn = _replica_get_config_dn (root);
+ if (NULL == dn) {
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ "_replica_get_config_entry: failed to get the config dn for %s\n",
+ slapi_sdn_get_dn (root));
+ return NULL;
+ }
pb = slapi_pblock_new ();
slapi_search_internal_set_pb (pb, dn, LDAP_SCOPE_BASE, "objectclass=*", NULL, 0, NULL,
@@ -1839,8 +1845,9 @@ _replica_get_config_dn (const Slapi_DN *root)
PR_ASSERT (root);
- dn = slapi_ch_smprintf("%s,cn=\"%s\",%s", REPLICA_RDN, slapi_sdn_get_dn (root), mp_base);
-
+ /* This function converts the old style DN to the new style. */
+ dn = slapi_create_dn_string("%s,cn=\"%s\",%s",
+ REPLICA_RDN, slapi_sdn_get_dn (root), mp_base);
return dn;
}
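Review bot: `_replica_get_config_dn` can now return NULL, but nothing at the definition says so; the callers changed in this commit each add their own check. A comment above the `slapi_create_dn_string` call would make the contract explicit, for example `/* Returns NULL if the DN cannot be normalized; the caller frees the result. */`. Any caller not touched by this commit should be checked for the same guard.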
@@ -2162,6 +2169,13 @@ _replica_update_state (time_t when, void *arg)
r->repl_csn_assigned = PR_FALSE;
dn = _replica_get_config_dn (r->repl_root);
+ if (NULL == dn) {
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ "_replica_update_state: failed to get the config dn for %s\n",
+ slapi_sdn_get_dn (r->repl_root));
+ PR_Unlock(r->repl_lock);
+ goto done;
+ }
pb = slapi_pblock_new();
mods[0] = (LDAPMod*)slapi_mod_get_ldapmod_byref(&smod);
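Review bot: The new NULL branch jumps to `done` after `PR_Unlock`, and the hunk does not show whether `done` sits before or after the cleanup of `smod`, which is presumably populated earlier since `slapi_mod_get_ldapmod_byref(&smod)` follows immediately. In replica_replace_ruv_tombstone this commit adds a `bail` label placed before `slapi_mod_done (&smod)` for the same situation. If `done` here skips the slapi_mod_done calls, the mods built earlier in the function leak on this path; a label placed like `bail` would avoid that. The function starts and ends outside the hunk.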
@@ -3057,6 +3071,14 @@ replica_replace_ruv_tombstone(Replica *r)
ruv_last_modified_to_smod ((RUV*)object_get_data(r->repl_ruv), &smod_last_modified);
dn = _replica_get_config_dn (r->repl_root);
+ if (NULL == dn) {
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ "replica_replace_ruv_tombstone: "
+ "failed to get the config dn for %s\n",
+ slapi_sdn_get_dn (r->repl_root));
+ PR_Unlock(r->repl_lock);
+ goto bail;
+ }
mods[0] = (LDAPMod*)slapi_mod_get_ldapmod_byref(&smod);
mods[1] = (LDAPMod*)slapi_mod_get_ldapmod_byref(&smod_last_modified);
@@ -3090,6 +3112,7 @@ replica_replace_ruv_tombstone(Replica *r)
slapi_ch_free ((void**)&dn);
slapi_pblock_destroy (pb);
+bail:
slapi_mod_done (&smod);
slapi_mod_done (&smod_last_modified);
}
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index af5b6cd7..80b53616 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -47,6 +47,7 @@
#include "repl5.h"
#include "cl5_api.h"
+/* CONFIG_BASE: no need to optimize */
#define CONFIG_BASE "cn=mapping tree,cn=config"
#define CONFIG_FILTER "(objectclass=nsDS5Replica)"
#define TASK_ATTR "nsds5Task"
diff --git a/ldap/servers/plugins/replication/repl_init.c b/ldap/servers/plugins/replication/repl_init.c
index 5c897595..7a7c32cd 100644
--- a/ldap/servers/plugins/replication/repl_init.c
+++ b/ldap/servers/plugins/replication/repl_init.c
@@ -207,6 +207,7 @@ legacy_entry_init( Slapi_PBlock *pb )
static int
create_config_top()
{
+ /* DN part of this entry_string: no need to be optimized. */
char *entry_string = slapi_ch_strdup("dn: cn=replication,cn=config\nobjectclass: top\nobjectclass: extensibleobject\ncn: replication\n");
Slapi_PBlock *pb = slapi_pblock_new();
Slapi_Entry *e = slapi_str2entry(entry_string, 0);
diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
index 556dede2..aedd6165 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -266,6 +266,7 @@ char *retrocl_get_config_str(const char *attrt)
int rc = 0;
char *dn;
+ /* RETROCL_PLUGIN_DN is no need to be normalized. */
dn = RETROCL_PLUGIN_DN;
pb = slapi_pblock_new();
diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
index 88974b72..1ffdaae9 100644
--- a/ldap/servers/plugins/retrocl/retrocl_create.c
+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
@@ -77,6 +77,7 @@ static int retrocl_create_be(const char *bedir)
vals[1] = NULL;
e = slapi_entry_alloc();
+ /* RETROCL_LDBM_DN is no need to be normalized. */
slapi_entry_set_dn(e,slapi_ch_strdup(RETROCL_LDBM_DN));
/* Set the objectclass attribute */
@@ -142,6 +143,7 @@ static int retrocl_create_be(const char *bedir)
/* we need the changenumber indexed */
e = slapi_entry_alloc();
+ /* RETROCL_INDEX_DN is no need to be normalized. */
slapi_entry_set_dn(e,slapi_ch_strdup(RETROCL_INDEX_DN));
/* Set the objectclass attribute */
@@ -210,6 +212,7 @@ int retrocl_create_config(void)
struct berval *vals[2];
struct berval val;
int rc;
+ char *mappingtree_dn = NULL;
vals[0] = &val;
vals[1] = NULL;
@@ -219,7 +222,15 @@ int retrocl_create_config(void)
* in the errors file when the referenced backend does not exist.
*/
e = slapi_entry_alloc();
- slapi_entry_set_dn(e,slapi_ch_strdup(RETROCL_MAPPINGTREE_DN));
+ /* This function converts the old DN style to the new one. */
+ mappingtree_dn = slapi_create_dn_string("%s", RETROCL_MAPPINGTREE_DN);
+ if (NULL == mappingtree_dn) {
+ slapi_log_error (SLAPI_LOG_PLUGIN, RETROCL_PLUGIN_NAME,
+ "retrocl_create_config: failed to normalize "
+ "mappingtree dn %s\n", RETROCL_MAPPINGTREE_DN);
+ return LDAP_PARAM_ERROR;
+ }
+ slapi_entry_set_dn(e, mappingtree_dn); /* mappingtree_dn is consumed */
/* Set the objectclass attribute */
val.bv_val = "top";
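Review bot: The early `return LDAP_PARAM_ERROR;` leaks the entry allocated by `slapi_entry_alloc()` just above it, because `e` has no owner yet at that point. Free it on that path with `slapi_entry_free(e);` before the return, or build `mappingtree_dn` before allocating the entry. The failure is logged at SLAPI_LOG_PLUGIN, whereas the other normalization failures in this commit use SLAPI_LOG_FATAL, so this one may not show up in a default error log.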
diff --git a/ldap/servers/plugins/syntaxes/string.c b/ldap/servers/plugins/syntaxes/string.c
index 9b338335..21ff5d1b 100644
--- a/ldap/servers/plugins/syntaxes/string.c
+++ b/ldap/servers/plugins/syntaxes/string.c
@@ -63,6 +63,7 @@ string_filter_ava( struct berval *bvfilter, Slapi_Value **bvals, int syntax,
{
int i, rc;
struct berval bvfilter_norm;
+ char *alt = NULL;
if(retVal) {
*retVal = NULL;
@@ -74,7 +75,12 @@ string_filter_ava( struct berval *bvfilter, Slapi_Value **bvals, int syntax,
bvfilter_norm.bv_val = slapi_ch_malloc( bvfilter->bv_len + 1 );
SAFEMEMCPY( bvfilter_norm.bv_val, bvfilter->bv_val, bvfilter->bv_len );
bvfilter_norm.bv_val[bvfilter->bv_len] = '\0';
- value_normalize( bvfilter_norm.bv_val, syntax, 1 /* trim leading blanks */ );
+ /* 3rd arg: 1 - trim leading blanks */
+ value_normalize_ext( bvfilter_norm.bv_val, syntax, 1, &alt );
+ if (alt) {
+ slapi_ch_free_string(&bvfilter_norm.bv_val);
+ bvfilter_norm.bv_val = alt;
+ }
bvfilter_norm.bv_len = strlen(bvfilter_norm.bv_val);
for ( i = 0; (bvals != NULL) && (bvals[i] != NULL); i++ ) {
@@ -211,6 +217,7 @@ string_filter_sub( Slapi_PBlock *pb, char *initial, char **any, char *final,
Operation *op = NULL;
Slapi_Regex *re = NULL;
const char *re_result = NULL;
+ char *alt = NULL;
LDAPDebug( LDAP_DEBUG_FILTER, "=> string_filter_sub\n",
0, 0, 0 );
@@ -260,27 +267,45 @@ string_filter_sub( Slapi_PBlock *pb, char *initial, char **any, char *final,
}
if ( initial != NULL ) {
- value_normalize( initial, syntax, 1 /* trim leading blanks */ );
+ /* 3rd arg: 1 - trim leading blanks */
+ value_normalize_ext( initial, syntax, 1, &alt );
*p++ = '^';
- filter_strcpy_special_ext( p, initial, FILTER_STRCPY_ESCAPE_RECHARS );
+ if (alt) {
+ filter_strcpy_special_ext( p, alt, FILTER_STRCPY_ESCAPE_RECHARS );
+ slapi_ch_free_string(&alt);
+ } else {
+ filter_strcpy_special_ext( p, initial, FILTER_STRCPY_ESCAPE_RECHARS );
+ }
p = strchr( p, '\0' );
}
if ( any != NULL ) {
for ( i = 0; any[i] != NULL; i++ ) {
- value_normalize( any[i], syntax, 0 /* DO NOT trim leading blanks */ );
+ /* 3rd arg: 0 - DO NOT trim leading blanks */
+ value_normalize_ext( any[i], syntax, 0, &alt );
/* ".*" + value */
*p++ = '.';
*p++ = '*';
- filter_strcpy_special_ext( p, any[i], FILTER_STRCPY_ESCAPE_RECHARS );
+ if (alt) {
+ filter_strcpy_special_ext( p, alt, FILTER_STRCPY_ESCAPE_RECHARS );
+ slapi_ch_free_string(&alt);
+ } else {
+ filter_strcpy_special_ext( p, any[i], FILTER_STRCPY_ESCAPE_RECHARS );
+ }
p = strchr( p, '\0' );
}
}
if ( final != NULL ) {
- value_normalize( final, syntax, 0 /* DO NOT trim leading blanks */ );
+ /* 3rd arg: 0 - DO NOT trim leading blanks */
+ value_normalize_ext( final, syntax, 0, &alt );
/* ".*" + value */
*p++ = '.';
*p++ = '*';
- filter_strcpy_special_ext( p, final, FILTER_STRCPY_ESCAPE_RECHARS );
+ if (alt) {
+ filter_strcpy_special_ext( p, alt, FILTER_STRCPY_ESCAPE_RECHARS );
+ slapi_ch_free_string(&alt);
+ } else {
+ filter_strcpy_special_ext( p, final, FILTER_STRCPY_ESCAPE_RECHARS );
+ }
strcat( p, "$" );
}
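Review bot: The pattern buffer that `p` writes into is sized before this hunk, and the hunk now copies `alt` into it, which exists precisely because the normalized value can be longer than the input. If that size was computed from `strlen` of the un-normalized `initial`, `any[i]` and `final` (not visible here), `filter_strcpy_special_ext( p, alt, ... )` and the closing `strcat( p, "$" )` can write past the end of the buffer for a filter component whose normalized form grows. The normalization should run before the size is computed, with lengths taken from `alt` whenever it is set. The function starts and ends outside the hunk.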
@@ -327,9 +352,15 @@ string_filter_sub( Slapi_PBlock *pb, char *initial, char **any, char *final,
strcpy( tmpbuf, bvp->bv_val );
realval = tmpbuf;
}
- value_normalize( realval, syntax, 1 /* trim leading blanks */ );
+ /* 3rd arg: 1 - trim leading blanks */
+ value_normalize_ext( realval, syntax, 1, &alt );
- tmprc = slapi_re_exec( re, realval, time_up );
+ if (alt) {
+ tmprc = slapi_re_exec( re, alt, time_up );
+ slapi_ch_free_string(&alt);
+ } else {
+ tmprc = slapi_re_exec( re, realval, time_up );
+ }
LDAPDebug( LDAP_DEBUG_TRACE, "re_exec (%s) %i\n",
escape_string( realval, ebuf ), tmprc, 0 );
@@ -359,6 +390,7 @@ string_values2keys( Slapi_PBlock *pb, Slapi_Value **bvals,
Slapi_Value **nbvals, **nbvlp;
Slapi_Value **bvlp;
char *w, *c, *p;
+ char *alt = NULL;
if (NULL == ivals) {
return 1;
@@ -380,9 +412,16 @@ string_values2keys( Slapi_PBlock *pb, Slapi_Value **bvals,
{
c = slapi_ch_strdup(slapi_value_get_string(*bvlp));
/* if the NORMALIZED flag is set, skip normalizing */
- if (!(slapi_value_get_flags(*bvlp) & SLAPI_ATTR_FLAG_NORMALIZED))
- value_normalize( c, syntax, 1 /* trim leading blanks */ );
- *nbvlp = slapi_value_new_string_passin(c);
+ if (!(slapi_value_get_flags(*bvlp) & SLAPI_ATTR_FLAG_NORMALIZED)) {
+ /* 3rd arg: 1 - trim leading blanks */
+ value_normalize_ext( c, syntax, 1, &alt );
+ }
+ if (alt) {
+ slapi_ch_free_string(&c);
+ *nbvlp = slapi_value_new_string_passin(alt);
+ } else {
+ *nbvlp = slapi_value_new_string_passin(c);
+ }
}
*ivals = nbvals;
break;
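Review bot: `alt` is not reset between iterations, and when a value carries SLAPI_ATTR_FLAG_NORMALIZED the call to `value_normalize_ext` that would clear it is skipped. If an earlier value in the same loop produced an `alt`, the `if (alt)` test then frees `c` and passes the previous iteration's string, already owned by the previous Slapi_Value, to `slapi_value_new_string_passin` a second time. Set `alt = NULL;` at the top of the loop body, or move the `if (alt)` / `else` inside the flag test. The loop header is outside the hunk.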
@@ -470,14 +509,16 @@ string_values2keys( Slapi_PBlock *pb, Slapi_Value **bvals,
for ( bvlp = bvals; bvlp && *bvlp; bvlp++ ) {
/*
* Note: this calculation may err on the high side,
- * because value_normalize(), which is called below
+ * because value_normalize_ext(), which is called below
* before we actually create the substring keys, may
- * reduce the length of the value in some cases. For
- * example, spaces are removed when space insensitive
- * strings are normalized. But it's okay for nsubs to
- * be too big. Since the ivals array is NULL terminated,
- * the only downside is that we allocate more space than
- * we really need.
+ * reduce the length of the value in some cases or
+ * increase the length in other cases. For example,
+ * spaces are removed when space insensitive strings
+ * are normalized. Or if the value includes '\"' (2 bytes),
+ * it's normalized to '\22' (3 bytes). But it's okay
+ * for nsubs to be too big. Since the ivals array is
+ * NULL terminated, the only downside is that we
+ * allocate more space than we really need.
*/
nsubs += slapi_value_get_length(*bvlp) - substrlens[INDEX_SUBSTRMIDDLE] + 3;
}
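Review bot: The reworded comment now says normalization can also lengthen a value, but its conclusion still covers only the case where `nsubs` is too big. `nsubs` on the line after the comment is still derived from `slapi_value_get_length(*bvlp)` of the un-normalized value, so a value that grows (the comment's own `'\"'` to `'\22'` example) could yield more substring keys than the array, allocated outside this hunk, has room for. Either compute `nsubs` from the normalized length or state in the comment why the estimate remains an upper bound.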
@@ -489,8 +530,14 @@ string_values2keys( Slapi_PBlock *pb, Slapi_Value **bvals,
bvdup= slapi_value_new();
for ( bvlp = bvals; bvlp && *bvlp; bvlp++ ) {
c = slapi_ch_strdup(slapi_value_get_string(*bvlp));
- value_normalize( c, syntax, 1 /* trim leading blanks */ );
- slapi_value_set_string_passin(bvdup, c);
+ /* 3rd arg: 1 - trim leading blanks */
+ value_normalize_ext( c, syntax, 1, &alt );
+ if (alt) {
+ slapi_ch_free_string(&c);
+ slapi_value_set_string_passin(bvdup, alt);
+ } else {
+ slapi_value_set_string_passin(bvdup, c);
+ }
bvp = slapi_value_get_berval(bvdup);
@@ -554,6 +601,7 @@ string_assertion2keys_ava(
size_t len;
char *w, *c;
Slapi_Value *tmpval=NULL;
+ char *alt = NULL;
switch ( ftype ) {
case LDAP_FILTER_EQUALITY_FAST:
@@ -565,13 +613,23 @@ string_assertion2keys_ava(
}
memcpy(tmpval->bv.bv_val,slapi_value_get_string(val),len);
tmpval->bv.bv_val[len]='\0';
- value_normalize(tmpval->bv.bv_val, syntax, 1 /* trim leading blanks */ );
+ /* 3rd arg: 1 - trim leading blanks */
+ value_normalize_ext(tmpval->bv.bv_val, syntax, 1, &alt );
+ if (alt) {
+ slapi_ch_free_string(&tmpval->bv.bv_val);
+ tmpval->bv.bv_val = alt;
+ }
tmpval->bv.bv_len=strlen(tmpval->bv.bv_val);
break;
case LDAP_FILTER_EQUALITY:
(*ivals) = (Slapi_Value **) slapi_ch_malloc( 2 * sizeof(Slapi_Value *) );
(*ivals)[0] = slapi_value_dup( val );
- value_normalize( (*ivals)[0]->bv.bv_val, syntax, 1 /* trim leading blanks */ );
+ /* 3rd arg: 1 - trim leading blanks */
+ value_normalize_ext( (*ivals)[0]->bv.bv_val, syntax, 1, &alt );
+ if (alt) {
+ slapi_ch_free_string(&(*ivals)[0]->bv.bv_val);
+ (*ivals)[0]->bv.bv_val = alt;
+ }
(*ivals)[0]->bv.bv_len = strlen( (*ivals)[0]->bv.bv_val );
(*ivals)[1] = NULL;
break;
@@ -628,6 +686,10 @@ string_assertion2keys_sub(
int localsublens[3] = {SUBBEGIN, SUBMIDDLE, SUBEND};/* default values */
int maxsublen;
char *comp_buf = NULL;
+ char *altinit = NULL;
+ char **altany = NULL;
+ char *altfinal = NULL;
+ int anysize = 0;
slapi_pblock_get(pb, SLAPI_SYNTAX_SUBSTRLENS, &substrlens);
@@ -650,13 +712,17 @@ string_assertion2keys_sub(
* First figure out how many keys we will return. The answer is based
* on the length of each assertion value. Since normalization may
* reduce the length (such as when spaces are removed from space
- * insensitive strings), we call value_normalize() before checking
+ * insensitive strings), we call value_normalize_ext() before checking
* the length.
*/
nsubs = 0;
if ( initial != NULL ) {
- value_normalize( initial, syntax, 0 /* do not trim leading blanks */ );
- initiallen = strlen( initial );
+ /* 3rd arg: 0 - DO NOT trim leading blanks */
+ value_normalize_ext( initial, syntax, 0, &altinit );
+ if (NULL == altinit) {
+ altinit = initial;
+ }
+ initiallen = strlen( altinit );
if ( initiallen > substrlens[INDEX_SUBSTRBEGIN] - 2 ) {
nsubs += 1; /* for the initial begin string key */
/* the rest of the sub keys are "any" keys for this case */
@@ -664,19 +730,31 @@ string_assertion2keys_sub(
nsubs += initiallen - substrlens[INDEX_SUBSTRMIDDLE] + 1;
}
} else {
- initial = NULL; /* save some work later */
+ altinit = NULL; /* save some work later */
}
}
for ( i = 0; any != NULL && any[i] != NULL; i++ ) {
- value_normalize( any[i], syntax, 0 /* do not trim leading blanks */ );
- len = strlen( any[i] );
+ anysize++;
+ }
+ altany = (char **)slapi_ch_calloc(anysize + 1, sizeof(char *));
+ for ( i = 0; any != NULL && any[i] != NULL; i++ ) {
+ /* 3rd arg: 0 - DO NOT trim leading blanks */
+ value_normalize_ext( any[i], syntax, 0, &altany[i] );
+ if (NULL == altany[i]) {
+ altany[i] = any[i];
+ }
+ len = strlen( altany[i] );
if ( len >= substrlens[INDEX_SUBSTRMIDDLE] ) {
nsubs += len - substrlens[INDEX_SUBSTRMIDDLE] + 1;
}
}
if ( final != NULL ) {
- value_normalize( final, syntax, 0 /* do not trim leading blanks */ );
- finallen = strlen( final );
+ /* 3rd arg: 0 - DO NOT trim leading blanks */
+ value_normalize_ext( final, syntax, 0, &altfinal );
+ if (NULL == altfinal) {
+ altfinal = final;
+ }
+ finallen = strlen( altfinal );
if ( finallen > substrlens[INDEX_SUBSTREND] - 2 ) {
nsubs += 1; /* for the final end string key */
/* the rest of the sub keys are "any" keys for this case */
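Review bot: `altinit = NULL; /* save some work later */` drops the only reference to a buffer that `value_normalize_ext` may have allocated, so it leaks whenever the normalized initial string is too short to produce a key. The same applies to `altfinal = NULL;` in the next hunk, and to `altany` and its elements if the `nsubs == 0` path returns before the frees (that return is outside the visible lines). Release the buffer before clearing the pointer: `if (altinit != initial) { slapi_ch_free_string(&altinit); }` followed by `altinit = NULL;`.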
@@ -684,7 +762,7 @@ string_assertion2keys_sub(
nsubs += finallen - substrlens[INDEX_SUBSTRMIDDLE] + 1;
}
} else {
- final = NULL; /* save some work later */
+ altfinal = NULL; /* save some work later */
}
}
if ( nsubs == 0 ) { /* no keys to return */
@@ -703,21 +781,31 @@ string_assertion2keys_sub(
nsubs = 0;
comp_buf = (char *)slapi_ch_malloc(maxsublen + 1);
- if ( initial != NULL ) {
- substring_comp_keys( ivals, &nsubs, initial, initiallen, '^', syntax,
+ if ( altinit != NULL ) {
+ substring_comp_keys( ivals, &nsubs, altinit, initiallen, '^', syntax,
comp_buf, substrlens );
+ if (altinit != initial) {
+ slapi_ch_free_string(&altinit);
+ }
}
- for ( i = 0; any != NULL && any[i] != NULL; i++ ) {
- len = strlen( any[i] );
+ for ( i = 0; altany != NULL && altany[i] != NULL; i++ ) {
+ len = strlen( altany[i] );
if ( len < substrlens[INDEX_SUBSTRMIDDLE] ) {
continue;
}
- substring_comp_keys( ivals, &nsubs, any[i], len, 0, syntax,
+ substring_comp_keys( ivals, &nsubs, altany[i], len, 0, syntax,
comp_buf, substrlens );
+ if (altany[i] != any[i]) {
+ slapi_ch_free_string(&altany[i]);
+ }
}
- if ( final != NULL ) {
- substring_comp_keys( ivals, &nsubs, final, finallen, '$', syntax,
+ slapi_ch_free((void **)&altany);
+ if ( altfinal != NULL ) {
+ substring_comp_keys( ivals, &nsubs, altfinal, finallen, '$', syntax,
comp_buf, substrlens );
+ if (altfinal != final) {
+ slapi_ch_free_string(&final);
+ }
}
(*ivals)[nsubs] = NULL;
slapi_ch_free_string(&comp_buf);
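Review bot: In the final block, `slapi_ch_free_string(&final);` frees the caller's `final` argument rather than the normalized copy. When `altfinal != final` the allocated buffer is `altfinal`, so this both leaks it and releases memory the caller still owns, which invites a later double free or use after free. It should read `slapi_ch_free_string(&altfinal);`, matching the `altinit` and `altany[i]` cases above it. Separately, the `continue` in the `altany` loop skips the free for an allocated element shorter than the middle substring length, so that free belongs before the length test.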
diff --git a/ldap/servers/plugins/syntaxes/syntax.h b/ldap/servers/plugins/syntaxes/syntax.h
index ec3d5f03..64942ec7 100644
--- a/ldap/servers/plugins/syntaxes/syntax.h
+++ b/ldap/servers/plugins/syntaxes/syntax.h
@@ -113,6 +113,7 @@ int string_assertion2keys_ava(Slapi_PBlock *pb,Slapi_Value *val,Slapi_Value ***i
int string_assertion2keys_sub(Slapi_PBlock *pb,char *initial,char **any,char *final,Slapi_Value ***ivals,int syntax);
int value_cmp(struct berval *v1,struct berval *v2,int syntax,int normalize);
void value_normalize(char *s,int syntax,int trim_leading_blanks);
+void value_normalize_ext(char *s,int syntax,int trim_leading_blanks, char **alt);
char *first_word( char *s );
char *next_word( char *s );
diff --git a/ldap/servers/plugins/syntaxes/validate.c b/ldap/servers/plugins/syntaxes/validate.c
index aab6d9c2..989137b5 100644
--- a/ldap/servers/plugins/syntaxes/validate.c
+++ b/ldap/servers/plugins/syntaxes/validate.c
@@ -362,7 +362,6 @@ int distinguishedname_validate(
{
int rc = 0; /* Assume value is valid */
char *val_copy = NULL;
- int strict = 0;
const char *p = begin;
const char *last = NULL;
@@ -377,17 +376,6 @@ int distinguishedname_validate(
* attributeValue = string / hexstring
*/
- /* Check if we should be performing strict validation. */
- strict = config_get_dn_validate_strict();
- if (!strict) {
- /* Create a normalized copy of the value to use
- * for validation. The original value will be
- * stored in the backend unmodified. */
- val_copy = PL_strndup(begin, end - begin + 1);
- p = val_copy;
- end = slapi_dn_normalize_to_end(val_copy, NULL) - 1;
- }
-
/* Validate one RDN at a time in a loop. */
while (p <= end) {
if ((rc = rdn_validate(p, end, &last)) != 0) {
diff --git a/ldap/servers/plugins/syntaxes/value.c b/ldap/servers/plugins/syntaxes/value.c
index f127b6b6..9b048f30 100644
--- a/ldap/servers/plugins/syntaxes/value.c
+++ b/ldap/servers/plugins/syntaxes/value.c
@@ -86,23 +86,40 @@ utf8isspace_fast( char* s )
** Also note that this deviates from rfc 4517 INTEGER syntax, but we must
** support legacy clients for the time being
*/
+/*
+ * alt stores the normalized value in case the normalized value is longer
+ * than the original value. It may happen the value is DN.
+ */
void
-value_normalize(
+value_normalize_ext(
char *s,
int syntax,
- int trim_spaces
+ int trim_spaces,
+ char **alt
)
{
char *head = s;
char *d;
int prevspace, curspace;
+ if (NULL == alt) {
+ return;
+ }
+ *alt = NULL;
+
if ( ! (syntax & SYNTAX_CIS) && ! (syntax & SYNTAX_CES) ) {
return;
}
if ( syntax & SYNTAX_DN ) {
- (void) slapi_dn_normalize_case( s );
+ char *dest = NULL;
+ size_t dlen = 0;
+ int rc = slapi_dn_normalize_case_ext(s, 0, &dest, &dlen);
+ if (rc > 0) {
+ *alt = dest;
+ } else if (rc == 0) { /* normalized in line; not terminated */
+ *(dest + dlen) = '\0';
+ }
return;
}
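Review bot: In the SYNTAX_DN branch a negative return from `slapi_dn_normalize_case_ext` is dropped, and because the function returns void a caller cannot tell a normalized value from one that was rejected. value_cmp and the key-generation callers in string.c then compare or index whatever is left in `s`. Consider returning the status, or at minimum extend the header comment to say that `*alt`, when set, is allocated and must be freed by the caller with `slapi_ch_free_string`, and what state `s` is in on failure. Note also that `if (NULL == alt) return;` skips normalization entirely rather than reporting the misuse. The function body continues outside the hunk.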
@@ -203,6 +220,16 @@ value_normalize(
}
}
+void
+value_normalize(
+ char *s,
+ int syntax,
+ int trim_spaces
+)
+{
+ /* deprecated */
+}
+
int
value_cmp(
struct berval *v1,
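Review bot: `value_normalize` is now an empty function, so any caller not converted in this commit silently gets no normalization while still compiling and linking, since the prototype stays in syntax.h. For a comparison or index-key path that means matching on raw values with no error reported. Either drop the definition and the prototype so stale callers fail at build time, or have it delegate: `char *alt = NULL; value_normalize_ext(s, syntax, trim_spaces, &alt); slapi_ch_free_string(&alt);`, accepting that values which grow are not normalized through the old entry point.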
@@ -220,6 +247,7 @@ value_cmp(
int free_v1 = 0;
int free_v2 = 0;
int v1sign = 1, v2sign = 1; /* default to positive */
+ char *alt = NULL;
/* This code used to call malloc up to four times in the copying
* of attributes to be normalized. Now we attempt to keep everything
@@ -233,13 +261,35 @@ value_cmp(
bvcopy1.bv_val = &little_buffer[buffer_offset];
bvcopy1.bv_val[v1->bv_len] = '\0';
v1 = &bvcopy1;
- buffer_space-= v1->bv_len+1;
- buffer_offset+= v1->bv_len+1;
} else {
v1 = ber_bvdup( v1 );
free_v1 = 1;
}
- value_normalize( v1->bv_val, syntax, 1 /* trim leading blanks */ );
+ value_normalize_ext( v1->bv_val, syntax,
+ 1 /* trim leading blanks */, &alt );
+ if (alt) {
+ if (free_v1) {
+ slapi_ch_free_string(&v1->bv_val);
+ v1->bv_val = alt;
+ v1->bv_len = strlen(alt);
+ } else {
+ if (strlen(alt) < buffer_space) {
+ v1->bv_len = strlen(alt);
+ /* Copying to little_buffer */
+ SAFEMEMCPY(v1->bv_val, alt, v1->bv_len);
+ *(v1->bv_val + v1->bv_len) = '\0';
+ } else {
+ free_v1 = 1;
+ v1 = (struct berval *)slapi_ch_malloc(sizeof(struct berval));
+ v1->bv_val = alt;
+ v1->bv_len = strlen(alt);
+ }
+ }
+ }
+ if (!free_v1) {
+ buffer_space -= v1->bv_len + 1;
+ buffer_offset += v1->bv_len + 1;
+ }
}
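Review bot: When `alt` fits in `little_buffer` it is copied with SAFEMEMCPY and then never freed, so each comparison whose normalized value comes back in `alt` leaks that buffer. Add `slapi_ch_free_string(&alt);` after the terminator is written in that branch; the same fix is needed in the v2 block of the next hunk. In the `free_v1` branch `v1` came from `ber_bvdup` but its `bv_val` is released with `slapi_ch_free_string`, which is only safe if both use the same allocator. value_cmp starts and ends outside the hunk.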
if ( normalize & 2 ) {
/* Do we have space in the little buffer ? */
@@ -249,13 +299,35 @@ value_cmp(
bvcopy2.bv_val = &little_buffer[buffer_offset];
bvcopy2.bv_val[v2->bv_len] = '\0';
v2 = &bvcopy2;
- buffer_space-= v2->bv_len+1;
- buffer_offset+= v2->bv_len+1;
} else {
v2 = ber_bvdup( v2 );
free_v2 = 1;
}
- value_normalize( v2->bv_val, syntax, 1 /* trim leading blanks */ );
+ value_normalize_ext( v2->bv_val, syntax,
+ 1 /* trim leading blanks */, &alt );
+ if (alt) {
+ if (free_v2) {
+ slapi_ch_free_string(&v2->bv_val);
+ v2->bv_val = alt;
+ v2->bv_len = strlen(alt);
+ } else {
+ if (strlen(alt) < buffer_space) {
+ v2->bv_len = strlen(alt);
+ /* Copying to little_buffer */
+ SAFEMEMCPY(v2->bv_val, alt, v2->bv_len);
+ *(v2->bv_val + v2->bv_len) = '\0';
+ } else {
+ free_v2 = 1;
+ v2 = (struct berval *)slapi_ch_malloc(sizeof(struct berval));
+ v2->bv_val = alt;
+ v2->bv_len = strlen(alt);
+ }
+ }
+ }
+ if (!free_v2) {
+ buffer_space -= v2->bv_len + 1;
+ buffer_offset += v2->bv_len + 1;
+ }
}
if (syntax & SYNTAX_INT) {
diff --git a/ldap/servers/plugins/usn/usn_cleanup.c b/ldap/servers/plugins/usn/usn_cleanup.c
index bf13073a..1c92a5a1 100644
--- a/ldap/servers/plugins/usn/usn_cleanup.c
+++ b/ldap/servers/plugins/usn/usn_cleanup.c
@@ -194,8 +194,15 @@ _usn_cleanup_is_mmr_enabled(const char *suffix)
char *base_dn = NULL;
int rc = 0; /* disabled, by default */
- base_dn = slapi_ch_smprintf("cn=replica,cn=\"%s\",%s",
- suffix, MAPPING_TREE_BASE_DN);
+ /* This function converts the old style DN to the new one */
+ base_dn = slapi_create_dn_string("cn=replica,cn=\"%s\",%s",
+ suffix, MAPPING_TREE_BASE_DN);
+ if (NULL == base_dn) {
+ slapi_log_error(SLAPI_LOG_FATAL, USN_PLUGIN_SUBSYSTEM,
+ "_usn_cleanup_is_mmr_enabled: failed to normalize "
+ "mappingtree dn for %s\n", suffix);
+ return 1;
+ }
search_pb = slapi_pblock_new();
slapi_search_internal_set_pb(search_pb, base_dn, LDAP_SCOPE_ONELEVEL,
"objectclass=nsDS5ReplicationAgreement",