From e05e107e674d59b1a9fde1b6b5996128f9f34cf8 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Wed, 29 Feb 2012 14:51:15 -0500 Subject: [PATCH] Ticket #291 - cannot use & in a sasl map search filter Bug Description: The '&' was getting replaced in slapi_re_subs() when processing search filter mappings. Fix Description: Created extension of slapi_re_subs() to pass in filter flag. It checks to see if the '&' is a separator of filter components or not, by looking for "(&(". https://fedorahosted.org/389/ticket/291 --- ldap/servers/slapd/regex.c | 28 +++++++++++++++++++++------- ldap/servers/slapd/sasl_map.c | 4 ++-- ldap/servers/slapd/slapi-plugin.h | 2 ++ 3 files changed, 25 insertions(+), 9 deletions(-) diff --git a/ldap/servers/slapd/regex.c b/ldap/servers/slapd/regex.c index b7445fe..3697fde 100644 --- a/ldap/servers/slapd/regex.c +++ b/ldap/servers/slapd/regex.c @@ -147,13 +147,21 @@ slapi_re_exec( Slapi_Regex *re_handle, const char *subject, time_t time_up ) */ int slapi_re_subs( Slapi_Regex *re_handle, const char *subject, - const char *src, char **dst, unsigned long dstlen ) + const char *src, char **dst, unsigned long dstlen) +{ + return slapi_re_subs_ext(re_handle, subject, src, dst, dstlen, 0 /* not a filter */); +} + +int +slapi_re_subs_ext( Slapi_Regex *re_handle, const char *subject, + const char *src, char **dst, unsigned long dstlen, int filter ) { int thislen = 0; int len = 0; int pin; int *ovector; char *mydst; + const char *prev, *next; const char *substring_start; const char *p; @@ -166,16 +174,21 @@ slapi_re_subs( Slapi_Regex *re_handle, const char *subject, ovector = re_handle->re_ovector; mydst = *dst; + prev = src; for (p = src; *p != '\0'; p++) { if ('&' == *p) { - if (re_handle->re_oveccount <= 1) { - memset(*dst, '\0', dstlen); - return -1; + /* Don't replace '&' if it's a filter AND: "(&(cn=a)(sn=b))" */ + next = p; + if(!filter || (*prev != '(' && *next++ != '(')){ + if (re_handle->re_oveccount <= 1) { + memset(*dst, '\0', dstlen); + return -1; + } + substring_start = subject + ovector[0]; + thislen = ovector[1] - ovector[0]; + len += thislen; } - substring_start = subject + ovector[0]; - thislen = ovector[1] - ovector[0]; - len += thislen; } else if (('\\' == *p) && ('0' <= *(p+1) && *(p+1) <= '9')) { pin = *(++p) - '0'; if (re_handle->re_oveccount <= 2*pin+1) { @@ -198,6 +211,7 @@ slapi_re_subs( Slapi_Regex *re_handle, const char *subject, } memcpy(mydst, substring_start, thislen); mydst += thislen; + prev = p; } *mydst = '\0'; return 0; diff --git a/ldap/servers/slapd/sasl_map.c b/ldap/servers/slapd/sasl_map.c index 1bdaa20..792504d 100644 --- a/ldap/servers/slapd/sasl_map.c +++ b/ldap/servers/slapd/sasl_map.c @@ -562,9 +562,9 @@ sasl_map_check(sasl_map_data *dp, char *sasl_user_and_realm, char **ldap_search_ slapi_ch_free_string(ldap_search_filter); } else { /* Substitutes '&' and/or "\#" in template_search_filter */ - rc = slapi_re_subs(re, sasl_user_and_realm, + rc = slapi_re_subs_ext(re, sasl_user_and_realm, dp->template_search_filter, ldap_search_filter, - ldap_search_filter_len); + ldap_search_filter_len, 1); if (0 != rc) { LDAPDebug( LDAP_DEBUG_ANY, "sasl_map_check: slapi_re_subs failed: " diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h index b4eb2a6..14e6d8f 100644 --- a/ldap/servers/slapd/slapi-plugin.h +++ b/ldap/servers/slapd/slapi-plugin.h @@ -6719,6 +6719,8 @@ int slapi_re_exec( Slapi_Regex *re_handle, const char *subject, time_t time_up ) * \warning The regex handler should be released by slapi_re_free(). */ int slapi_re_subs( Slapi_Regex *re_handle, const char *subject, const char *src, char **dst, unsigned long dstlen ); +/* extension to handle search filters properly */ +int slapi_re_subs_ext( Slapi_Regex *re_handle, const char *subject, const char *src, char **dst, unsigned long dstlen, int filter ); /** * Releases the regex handler which was returned from slapi_re_comp. * -- 1.7.1