From 16b2868a1314660f00afadaaf94a73e0346203e9 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 1 Jul 2013 14:25:16 -0400
Subject: [PATCH] CVE-2013-2219 ACLs inoperative in some search scenarios
|
---
ldap/servers/plugins/acl/acl.c | 6 +++++-
ldap/servers/plugins/acl/acl.h | 1 +
ldap/servers/plugins/acl/aclutil.c | 11 +++++++++++
ldap/servers/slapd/filterentry.c | 14 ++++++++++----
4 files changed, 27 insertions(+), 5 deletions(-)
|
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 3389404..4516cf8 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -2136,7 +2136,11 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
* calculated from the targetdn and stored judiciously there
*/
matched_val = (char *)acl_ht_lookup( aclpb->aclpb_macro_ht,
- (PLHashNumber)aci->aci_index);
+ (PLHashNumber)aci->aci_index);
+ } else {
+ /* new entry, remove macro evaluation from hash table */
+ acl_ht_remove_and_free( aclpb->aclpb_macro_ht,
+ (PLHashNumber)aci->aci_index);
}
if ( matched_val == NULL &&
(aclpb->aclpb_res_type & (ACLPB_NEW_ENTRY | ACLPB_EFFECTIVE_RIGHTS))) {
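Review bot: The new `else` branch says what it does but not why, and the why is the whole point of this fix: a macro-expanded target value cached in `aclpb_macro_ht` while evaluating a previous entry must not be reused for a different entry, otherwise this ACI can be matched against the wrong target. Suggest replacing the added comment with `/* new entry: drop any macro evaluation cached for a previous entry so this ACI's target is re-computed for the current one */`. The `if` this `else` belongs to starts above the hunk, so I cannot see the condition it negates; the comment should name it if it is not simply "matched this entry". Note that the removal now runs on every ACI evaluation for a new entry, which is one extra hash probe per ACI since the helper looks up before removing.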
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index 28c38e7..e2b04c3 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -928,6 +928,7 @@ int aclutil_str_append_ext(char **dest, size_t *dlen, const char *src, size_t sl
|
/* acl hash table functions */
void acl_ht_add_and_freeOld(acl_ht_t * acl_ht, PLHashNumber key,char *value);
+void acl_ht_remove_and_free(acl_ht_t * acl_ht, PLHashNumber key);
acl_ht_t *acl_ht_new(void);
void acl_ht_free_all_entries_and_values( acl_ht_t *acl_ht);
void acl_ht_remove( acl_ht_t *acl_ht, PLHashNumber key);
diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c
index 7097540..77ec35f 100644
--- a/ldap/servers/plugins/acl/aclutil.c
+++ b/ldap/servers/plugins/acl/aclutil.c
@@ -1396,6 +1396,17 @@ void acl_ht_add_and_freeOld(acl_ht_t * acl_ht,
PL_HashTableAdd( acl_ht, (const void *)pkey, value);
}
|
+void acl_ht_remove_and_free(acl_ht_t * acl_ht,
+ PLHashNumber key){
+ char *old_value = NULL;
+ uintptr_t pkey = (uintptr_t)key;
+
+ if ( (old_value = (char *)acl_ht_lookup( acl_ht, key)) != NULL ) {
+ acl_ht_remove( acl_ht, key);
+ slapi_ch_free_string(&old_value);
+ }
+}
+
/*
* Return a new acl_ht_t *
*/
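Review bot: In the new acl_ht_remove_and_free, `pkey` is assigned from `key` and never used, so it is dead code that will draw an unused-variable warning; delete `uintptr_t pkey = (uintptr_t)key;` and take the assignment out of the condition: `char *old_value = (char *)acl_ht_lookup( acl_ht, key);` followed by `if ( old_value != NULL ) {`. The function also has no header comment although its neighbours do; suggest `/* Remove the entry stored under key, if any, and free the string value it held. */`. Correctness depends on acl_ht_remove not freeing the stored value itself (otherwise slapi_ch_free_string would double-free); that helper is outside this hunk, so the comment should state that ownership of the value stays with this caller.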
diff --git a/ldap/servers/slapd/filterentry.c b/ldap/servers/slapd/filterentry.c
index 549bac7..880169a 100644
--- a/ldap/servers/slapd/filterentry.c
+++ b/ldap/servers/slapd/filterentry.c
@@ -1037,8 +1037,11 @@ vattr_test_filter_list(
for ( f = flist; f != NULL; f = f->f_next ) {
if ( slapi_vattr_filter_test_ext_internal( pb, e, f, verify_access, only_check_access, access_check_done ) != 0 ) {
/* optimize AND evaluation */
- if ( ftype == LDAP_FILTER_AND ) {
- /* one false is failure */
+ if ( ftype == LDAP_FILTER_AND || verify_access) {
+ /* one false is failure
+ * for AND all components need to match
+ * and for AND and OR access to ALL filter attributes is required
+ */
nomatch = 1;
break;
}
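Review bot: The new `|| verify_access` in the AND branch treats any non-zero return from slapi_vattr_filter_test_ext_internal on an OR component as failure of the whole OR, and that call returns non-zero both when access to the attribute is denied and when the component simply does not match. That is correct when verify_access is paired with only_check_access (the pass is then purely an access check and every component must be visible), but if a caller passes verify_access=1 with only_check_access=0 an OR filter whose first component is accessible but non-matching would now be reported as not matching. The callers and the rest of vattr_test_filter_list are outside the hunk, so I cannot confirm which pairings occur; the comment should state the contract, e.g. `/* with verify_access every component must be evaluated for access, so any component failure fails the whole list; callers are expected to pass only_check_access in that mode */`. The same reasoning applies to the mirrored `&& !verify_access` in the next hunk.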
@@ -1046,8 +1049,11 @@ vattr_test_filter_list(
nomatch = 0;
|
/* optimize OR evaluation too */
- if ( ftype == LDAP_FILTER_OR ) {
- /* only one needs to be true */
+ if ( ftype == LDAP_FILTER_OR && !verify_access) {
+ /* access to all atributes needs to be evaluated
+ * for filter matching
+ * only one needs to be true
+ */
break;
}
}
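Review bot: The comment added above the OR short-circuit reads as two clauses run together ("access to all atributes needs to be evaluated for filter matching only one needs to be true") and has a typo in "atributes"; as written it is hard to tell which clause explains the `!verify_access` guard. Suggest `/* for plain OR matching one true component is enough; when verifying access we must keep going so every component's attribute is checked */`. vattr_test_filter_list continues past the end of this hunk.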
--
1.7.1
|