author | Nathan Kinder <nkinder@redhat.com> | 2007-10-04 16:27:47 +0000 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2007-10-04 16:27:47 +0000 |
commit | 12127c38df19c27168ebf677ada16e4552e6b575 (patch) | |
tree | ba01de303433c70ba1a8a81c83604390e95ae4af /ldap/servers | |
parent | fe47c6722271d7bc0bc9bef37244abbc8fa2d040 (diff) | |
download | ds-12127c38df19c27168ebf677ada16e4552e6b575.tar.gz ds-12127c38df19c27168ebf677ada16e4552e6b575.tar.xz ds-12127c38df19c27168ebf677ada16e4552e6b575.zip |
Resolves: 288321
Summary: Handle poorly formatted DNs when normalizing. Also, only check modify values against the authenticated DN for attributes with DN syntax.
Diffstat (limited to 'ldap/servers')
-rw-r--r-- | ldap/servers/plugins/acl/acl.c | 41 | ||||
-rw-r--r-- | ldap/servers/slapd/attrsyntax.c | 16 | ||||
-rw-r--r-- | ldap/servers/slapd/dn.c | 9 | ||||
-rw-r--r-- | ldap/servers/slapd/libslapd.def | 1 | ||||
-rw-r--r-- | ldap/servers/slapd/slapi-plugin.h | 1 |
5 files changed, 51 insertions, 17 deletions
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index bab002c2..ea1b17ab 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -235,7 +235,7 @@ acl_access_allowed(
 Slapi_PBlock *pb,
 Slapi_Entry *e, /* The Slapi_Entry */
 char *attr, /* Attribute of the entry */
- struct berval *val, /* value of attr. NOT USED */
+ struct berval *val, /* value of attr */
 int access /* requested access rights */
 )
 {
@@ -341,21 +341,32 @@ acl_access_allowed(
 acl_init_aclpb ( pb, aclpb, clientDn, 0 );
 TNF_PROBE_0_DEBUG(acl_aclpbinit_end,"ACL","");
 
-
- /* Here we mean if "I am trying to add/delete "myself" ? " */
- if (val && (access & SLAPI_ACL_WRITE) && (val->bv_len > 0) ) {
- /* should use slapi_sdn_compare() but that'a an extra malloc/free */
-
- char *dn_val_to_write =
- slapi_dn_normalize(slapi_ch_strdup(val->bv_val));
-
- if ( aclpb->aclpb_authorization_sdn &&
- slapi_utf8casecmp((ACLUCHP)dn_val_to_write, (ACLUCHP)
- slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn)) == 0) {
- access |= SLAPI_ACL_SELF;
- }
+ /* Here we mean if "I am trying to add/delete "myself" to a group, etc." We
+ * basically just want to see if the value matches the DN of the user that
+ * we're checking access for */
+ if (val && (access & SLAPI_ACL_WRITE) && (val->bv_len > 0)) {
+ Slapi_Attr *sa = slapi_attr_new();
+ char *oid = NULL;
+
+ slapi_attr_init(sa, attr);
+ slapi_attr_get_syntax_oid_copy(sa, &oid);
+
+ /* We only want to perform this check if the attribute is
+ * defined using the DN syntax. */
+ if (oid && (strcasecmp(oid, DN_SYNTAX_OID) == 0)) {
+ /* should use slapi_sdn_compare() but that'a an extra malloc/free */
+ char *dn_val_to_write = slapi_dn_normalize(slapi_ch_strdup(val->bv_val));
+ if ( aclpb->aclpb_authorization_sdn &&
+ slapi_utf8casecmp((ACLUCHP)dn_val_to_write, (ACLUCHP)
+ slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn)) == 0) {
+ access |= SLAPI_ACL_SELF;
+ }
 
- slapi_ch_free( (void **)&dn_val_to_write);
+ slapi_ch_free_string(&dn_val_to_write);
+ }
+
+ slapi_ch_free_string(&oid);
+ slapi_attr_free(&sa);
 }
 
 /* Convert access to string of rights eg SLAPI_ACL_ADD->"add". */
diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c
index 51661d79..1afa3c3d 100644
--- a/ldap/servers/slapd/attrsyntax.c
+++ b/ldap/servers/slapd/attrsyntax.c
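Review bot: `slapi_ch_strdup(val->bv_val)` inside the new DN-syntax branch still copies up to the first NUL and never consults `val->bv_len`, so the `bv_len > 0` guard on the enclosing `if` does not bound the read; if bervals reaching acl_access_allowed are not guaranteed NUL-terminated, the copy should be length-bounded (`slapi_ch_malloc(val->bv_len + 1)` plus `memcpy` and a terminator) before `slapi_dn_normalize`. The branch also keeps the carried-over `slapi_utf8casecmp` against `slapi_sdn_get_ndn()` that its own retained comment flags as a stand-in for `slapi_sdn_compare()`; with the dn.c change in this commit now tolerating malformed RDNs, a value that normalizes to a non-canonical string simply fails to match, which is the safe direction but deserves a one-line comment. Narrowing the SELF grant to `DN_SYNTAX_OID` presumably excludes attributes defined with the Name-and-Optional-UID syntax (RFC 4517, 1.3.6.1.4.1.1466.115.121.1.34), which is how `uniqueMember` is commonly declared — worth confirming against the shipped schema, since a self-add to a groupOfUniqueNames would then no longer receive SLAPI_ACL_SELF. acl_access_allowed starts and ends outside the hunk.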
@@ -731,6 +731,22 @@ slapi_attr_get_oid_copy( const Slapi_Attr *a, char **oidp ) } } +/* Returns the oid of the syntax of the Slapi_Attr that's passed in. + * The caller must dispose of oid by calling slapi_ch_free_string(). */ +int +slapi_attr_get_syntax_oid_copy( const Slapi_Attr *a, char **oidp ) +{ + void *pi = NULL; + + if (a && (slapi_attr_type2plugin(a->a_type, &pi) == 0)) { + *oidp = slapi_ch_strdup(plugin_syntax2oid(pi)); + return( 0 ); + } else { + *oidp = NULL; + return( -1 ); + } +} + #ifdef ATTR_LDAP_DEBUG PRIntn diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c index 70e9bc25..45cf142c 100644 --- a/ldap/servers/slapd/dn.c +++ b/ldap/servers/slapd/dn.c @@ -342,7 +342,13 @@ substr_dn_normalize( char *dn, char *end ) /* * Track and sort attribute values within multivalued RDNs. */ - if ( rdn_av_count > 0 ) { + /* We may still be in an unexpected state, such as B4TYPE if + * we encountered something odd like a '+' at the end of the + * rdn. If this is the case, we don't want to add this bogus + * rdn to our list to sort. We should only be in the INVALUE + * or B4SEPARATOR state if we have a valid rdn component to + * be added. */ + if ((rdn_av_count > 0) && ((state == INVALUE) || (state == B4SEPARATOR))) { add_rdn_av( typestart, d, &rdn_av_count, &rdn_avs, initial_rdn_av_stack ); } @@ -352,7 +358,6 @@ substr_dn_normalize( char *dn, char *end ) if ( rdn_av_count > 0 ) { reset_rdn_avs( &rdn_avs, &rdn_av_count ); } - /* Trim trailing spaces */ while ( d != dn && *(d - 1) == ' ' ) d--; /* XXX 518524 */ diff --git a/ldap/servers/slapd/libslapd.def b/ldap/servers/slapd/libslapd.def index df116647..bda133c7 100644 --- a/ldap/servers/slapd/libslapd.def +++ b/ldap/servers/slapd/libslapd.def @@ -1180,6 +1180,7 @@ EXPORTS sasl_map_done @1179 slapd_SECITEM_FreeItem @1180 slapi_op_type_to_string @1181 + slapi_attr_get_syntax_oid_copy @1182 ; password syntax functions config_set_pw_mindigits @1190 config_set_pw_minalphas @1191 
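Review bot: The success path of `slapi_attr_get_syntax_oid_copy` returns 0 even when `plugin_syntax2oid(pi)` yields NULL, so if `slapi_ch_strdup` passes NULL through, a caller that treats 0 as "`*oidp` is set" would dereference NULL; the acl.c caller in this commit re-tests `oid` itself, but the function should either document this or fail explicitly, e.g. `*oidp = slapi_ch_strdup(plugin_syntax2oid(pi)); return (*oidp != NULL) ? 0 : -1;`. The leading comment says only that it "Returns the oid"; I would extend it to state the 0/-1 return codes, that `*oidp` is set to NULL on failure, and that `oidp` must be non-NULL, matching the sibling `slapi_attr_get_oid_copy`.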
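Review bot: The new state test in substr_dn_normalize makes a trailing `+` (or similar) in an RDN skip `add_rdn_av` silently, so the malformed component is no longer sorted but appears to stay in the output as written, and the function has no way to report that the input was not a well-formed DN; callers that compare normalized strings (such as the ACL self check in acl.c) will just see a non-matching value. Since `rdn_av_count > 0` still triggers `reset_rdn_avs` below, the partially collected state is released, but a comment such as `/* the malformed component is left in place as-is; only its sorting is skipped */` would stop the next reader from assuming it is dropped or rejected. substr_dn_normalize starts and ends outside the hunk.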
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index b6b350d1..f7f6d08e 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -398,6 +398,7 @@ int slapi_attr_add_value(Slapi_Attr *a, const Slapi_Value *v);
 int slapi_attr_type2plugin( const char *type, void **pi );
 int slapi_attr_get_type( Slapi_Attr *attr, char **type );
 int slapi_attr_get_oid_copy( const Slapi_Attr *attr, char **oidp );
+int slapi_attr_get_syntax_oid_copy( const Slapi_Attr *a, char **oidp );
 int slapi_attr_get_flags( const Slapi_Attr *attr, unsigned long *flags );
 int slapi_attr_flag_is_set( const Slapi_Attr *attr, unsigned long flag );
 int slapi_attr_value_cmp( const Slapi_Attr *attr, const struct berval *v1, const struct berval *v2 );
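Review bot: The new prototype names its first parameter `a` while every neighbouring declaration in this header uses `attr`, and it carries no comment about ownership of `*oidp`, which matters because this header is the public plugin API. I would rename the parameter for consistency and add a comment along the lines of `/* On success returns 0 and stores a newly allocated copy of the attribute's syntax OID in *oidp; the caller frees it with slapi_ch_free_string(). Returns -1 and sets *oidp to NULL on failure. */`. This is documentation only; the declaration itself is fine.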