|
 |
dc8c34 |
From 5c2848665791adf25f884fe942f310392fd88162 Mon Sep 17 00:00:00 2001
|
|
|
dc8c34 |
From: Noriko Hosoi <nhosoi@redhat.com>
|
|
|
dc8c34 |
Date: Mon, 28 Jul 2014 09:42:43 -0700
|
|
|
dc8c34 |
Subject: [PATCH 242/243] Bug 1123477 - unauthenticated information disclosure
|
|
|
dc8c34 |
|
|
|
dc8c34 |
Fix Description: nscpentrywsi is returned only authenticated as root.
|
|
|
dc8c34 |
The bug was fixed by lkrispen@redhat.com (Ludwig Krispenz).
|
|
|
dc8c34 |
His patch was modified based upon this review comment.
|
|
|
dc8c34 |
https://bugzilla.redhat.com/show_bug.cgi?id=1123477#c2
|
|
|
dc8c34 |
|
|
|
dc8c34 |
https://bugzilla.redhat.com/show_bug.cgi?id=1123861
|
|
|
dc8c34 |
|
|
|
dc8c34 |
(cherry picked from commit aa90e26d5c4ea47b2a4a22f99cf0742cf48b3fae)
|
|
|
dc8c34 |
(cherry picked from commit 394277fdcef70078b54a280de88ab06dd289cc7a)
|
|
|
dc8c34 |
(cherry picked from commit fbb9bf0b37fdaec0856b9c78373a0fb1fa07a1dd)
|
|
|
dc8c34 |
---
|
|
|
dc8c34 |
ldap/servers/slapd/computed.c | 17 +++++++++++++++--
|
|
|
dc8c34 |
ldap/servers/slapd/entrywsi.c | 2 +-
|
|
|
dc8c34 |
ldap/servers/slapd/slapi-plugin.h | 1 +
|
|
|
dc8c34 |
3 files changed, 17 insertions(+), 3 deletions(-)
|
|
|
dc8c34 |
|
|
|
dc8c34 |
diff --git a/ldap/servers/slapd/computed.c b/ldap/servers/slapd/computed.c
|
|
|
dc8c34 |
index 7c99b45..7a80c96 100644
|
|
|
dc8c34 |
--- a/ldap/servers/slapd/computed.c
|
|
|
dc8c34 |
+++ b/ldap/servers/slapd/computed.c
|
|
|
dc8c34 |
@@ -59,6 +59,7 @@ struct _computed_attr_context {
|
|
|
dc8c34 |
struct _compute_evaluator {
|
|
|
dc8c34 |
struct _compute_evaluator *next;
|
|
|
dc8c34 |
slapi_compute_callback_t function;
|
|
|
dc8c34 |
+ int rootonly;
|
|
|
dc8c34 |
};
|
|
|
dc8c34 |
typedef struct _compute_evaluator compute_evaluator;
|
|
|
dc8c34 |
|
|
|
dc8c34 |
@@ -95,6 +96,13 @@ int compute_call_evaluators_nolock(computed_attr_context *c,slapi_compute_output
|
|
|
dc8c34 |
compute_evaluator *current = NULL;
|
|
|
dc8c34 |
|
|
|
dc8c34 |
for (current = compute_evaluators; (current != NULL) && (-1 == rc); current = current->next) {
|
|
|
dc8c34 |
+ if (current->rootonly) {
|
|
|
dc8c34 |
+ int isroot;
|
|
|
dc8c34 |
+ slapi_pblock_get(c->pb, SLAPI_REQUESTOR_ISROOT, &isroot);
|
|
|
dc8c34 |
+ if (!isroot) {
|
|
|
dc8c34 |
+ continue;
|
|
|
dc8c34 |
+ }
|
|
|
dc8c34 |
+ }
|
|
|
dc8c34 |
rc = (*(current->function))(c,type,e,outfn);
|
|
|
dc8c34 |
}
|
|
|
dc8c34 |
return rc;
|
|
|
dc8c34 |
@@ -157,14 +165,19 @@ compute_stock_evaluator(computed_attr_context *c,char* type,Slapi_Entry *e,slapi
|
|
|
dc8c34 |
}
|
|
|
dc8c34 |
|
|
|
dc8c34 |
static void
|
|
|
dc8c34 |
-compute_add_evaluator_nolock(slapi_compute_callback_t function, compute_evaluator *new_eval)
|
|
|
dc8c34 |
+compute_add_evaluator_nolock(slapi_compute_callback_t function, compute_evaluator *new_eval, int rootonly)
|
|
|
dc8c34 |
{
|
|
|
dc8c34 |
new_eval->next = compute_evaluators;
|
|
|
dc8c34 |
new_eval->function = function;
|
|
|
dc8c34 |
+ new_eval->rootonly = rootonly;
|
|
|
dc8c34 |
compute_evaluators = new_eval;
|
|
|
dc8c34 |
}
|
|
|
dc8c34 |
int slapi_compute_add_evaluator(slapi_compute_callback_t function)
|
|
|
dc8c34 |
{
|
|
|
dc8c34 |
+ return slapi_compute_add_evaluator_ext(function, 0);
|
|
|
dc8c34 |
+}
|
|
|
dc8c34 |
+int slapi_compute_add_evaluator_ext(slapi_compute_callback_t function, int rootonly)
|
|
|
dc8c34 |
+{
|
|
|
dc8c34 |
int rc = 0;
|
|
|
dc8c34 |
compute_evaluator *new_eval = NULL;
|
|
|
dc8c34 |
PR_ASSERT(NULL != function);
|
|
|
dc8c34 |
@@ -187,7 +200,7 @@ int slapi_compute_add_evaluator(slapi_compute_callback_t function)
|
|
|
dc8c34 |
slapi_rwlock_wrlock(compute_evaluators_lock);
|
|
|
dc8c34 |
}
|
|
|
dc8c34 |
|
|
|
dc8c34 |
- compute_add_evaluator_nolock(function, new_eval);
|
|
|
dc8c34 |
+ compute_add_evaluator_nolock(function, new_eval, rootonly);
|
|
|
dc8c34 |
|
|
|
dc8c34 |
if (need_lock) {
|
|
|
dc8c34 |
slapi_rwlock_unlock(compute_evaluators_lock);
|
|
|
dc8c34 |
diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c
|
|
|
dc8c34 |
index 8cee986..f184c7f 100644
|
|
|
dc8c34 |
--- a/ldap/servers/slapd/entrywsi.c
|
|
|
dc8c34 |
+++ b/ldap/servers/slapd/entrywsi.c
|
|
|
dc8c34 |
@@ -864,7 +864,7 @@ entry_compute_nscpentrywsi(computed_attr_context *c,char* type,Slapi_Entry *e,sl
|
|
|
dc8c34 |
int
|
|
|
dc8c34 |
entry_computed_attr_init()
|
|
|
dc8c34 |
{
|
|
|
dc8c34 |
- slapi_compute_add_evaluator(entry_compute_nscpentrywsi);
|
|
|
dc8c34 |
+ slapi_compute_add_evaluator_ext(entry_compute_nscpentrywsi, 1 /* root only */);
|
|
|
dc8c34 |
return 0;
|
|
|
dc8c34 |
}
|
|
|
dc8c34 |
|
|
|
dc8c34 |
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
|
|
|
dc8c34 |
index c13a1a8..34962e2 100644
|
|
|
dc8c34 |
--- a/ldap/servers/slapd/slapi-plugin.h
|
|
|
dc8c34 |
+++ b/ldap/servers/slapd/slapi-plugin.h
|
|
|
dc8c34 |
@@ -6010,6 +6010,7 @@ typedef int (*slapi_compute_output_t)(computed_attr_context *c,Slapi_Attr *a , S
|
|
|
dc8c34 |
typedef int (*slapi_compute_callback_t)(computed_attr_context *c,char* type,Slapi_Entry *e,slapi_compute_output_t outputfn);
|
|
|
dc8c34 |
typedef int (*slapi_search_rewrite_callback_t)(Slapi_PBlock *pb);
|
|
|
dc8c34 |
int slapi_compute_add_evaluator(slapi_compute_callback_t function);
|
|
|
dc8c34 |
+int slapi_compute_add_evaluator_ext(slapi_compute_callback_t function, int rootonly);
|
|
|
dc8c34 |
int slapi_compute_add_search_rewriter(slapi_search_rewrite_callback_t function);
|
|
|
dc8c34 |
int compute_rewrite_search_filter(Slapi_PBlock *pb);
|
|
|
dc8c34 |
|
|
|
dc8c34 |
--
|
|
|
dc8c34 |
1.8.1.4
|
|
|
dc8c34 |
|