Blame 0257-Ticket-47885-deref-plugin-should-not-return-referenc.patch

From e078332f8cf8dfeffde04ad6b79e4c0f48ced792 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Wed, 3 Sep 2014 13:44:17 +0200
Subject: [PATCH] Ticket 47885 - deref plugin should not return references with
 noc access rights
Bug Description:  deref shows dereferenced entries for which the client doesn't
                  have access as dn and empty attribute list

Fix Description:   if client has no access to the dereferenced entry then
                   omit it from the list in the deref control
                   In general, if no entries are returned don't send an empty control
https://fedorahosted.org/389/ticket/47885
Reviewed by: noriko, thanks
(cherry picked from commit 39f44c5af958011cdffc699d26d0e481ec0dbcb6)
---
 ldap/servers/plugins/deref/deref.c | 46 +++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index c6630df..50295b9 100644
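--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -589,13 +589,14 @@ deref_values_free(Slapi_ValueSet** results, char** actual_type_name, int buffer_
     slapi_vattr_values_free(results, actual_type_name, buffer_flags);
 }
 
-static void
-deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn, const char **attrs)
+static int
+deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn, const char *derefattr, const char **attrs)
 {
     char **retattrs = NULL;
     Slapi_PBlock *derefpb = NULL;
     Slapi_Entry **entries = NULL;
     int rc;
+    int needcontrol = 0;
 
 /*  If the access check on the attributes is done without retrieveing the entry
  *  it cannot handle acis which need teh entry, eg to apply a targetfilter rule
@@ -624,7 +625,9 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
                     slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
                              "The client does not have permission to read the requested "
                              "attributes in entry %s\n", derefdn);
-           } else {
+                } else {
+		    needcontrol = 1;
+                    ber_printf(ctrlber, "{ss", derefattr, derefdn); /* begin DerefRes + derefAttr + derefVal */
                     for (ii = 0; retattrs[ii]; ++ii) {
                         Slapi_Value *sv;
                         int idx = 0;
@@ -681,6 +684,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
                     if (needattrvals == 0) {
                         ber_printf(ctrlber, "}");
                     }
+                    ber_printf(ctrlber, "}"); /* end DerefRes */
                 }
             }
         } else { /* nothing */
@@ -697,7 +701,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
     slapi_pblock_destroy(derefpb);
     slapi_ch_free((void **)&retattrs); /* retattrs does not own the strings */
 
-    return;
+    return needcontrol;
 }
 
 static int
@@ -711,6 +715,7 @@ deref_pre_entry(Slapi_PBlock *pb)
     LDAPControl *ctrl = NULL;
     const LDAPControl **searchctrls = NULL;
     LDAPControl **newsearchctrls = NULL;
+    int needcontrol = 0;
 
     if (!speclist) {
         return 0; /* nothing to do */
@@ -754,31 +759,26 @@ deref_pre_entry(Slapi_PBlock *pb)
         for (; results && sv; idx = slapi_valueset_next_value(results, idx, &sv)) {
             const char *derefdn = slapi_value_get_string(sv);
 
-            ber_printf(ctrlber, "{ss", spec->derefattr, derefdn); /* begin DerefRes + derefAttr + derefVal */
-            deref_do_deref_attr(pb, ctrlber, derefdn, (const char **)spec->attrs);
-            ber_printf(ctrlber, "}"); /* end DerefRes */
+            needcontrol += deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr,  (const char **)spec->attrs);
         }
         deref_values_free(&results, &actual_type_name, buffer_flags);
     }
 
     ber_printf(ctrlber, "}"); /* end control val */
-
-    slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
-
-    ber_free(ctrlber, 1);
-
-    /* get the list of controls */
+ 
+    if (needcontrol) {
+        slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
+        /* get the list of controls */
 	slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
-
-    /* dup them */
-    slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
-
-    /* add our control */
-    slapi_add_control_ext(&newsearchctrls, ctrl, 0);
-    ctrl = NULL; /* newsearchctrls owns it now */
-
-    /* set the controls in the pblock */
-    slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
+        /* dup them */
+        slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
+        /* add our control */
+        slapi_add_control_ext(&newsearchctrls, ctrl, 0);
+        ctrl = NULL; /* newsearchctrls owns it now */
+        /* set the controls in the pblock */
+        slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
+    }
+    ber_free(ctrlber, 1);
 
     return 0;
 }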
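Review bot: In `deref_do_deref_attr`, `needcontrol = 1` and the `{ss` header carrying `derefdn` are written before the `retattrs` loop runs, so whether the dereferenced DN reaches the client rests entirely on the access check that precedes this branch, which lies outside the hunks shown. If that check can succeed with an empty `retattrs` list, or if none of the listed attributes yields a value, the client would still receive a DerefRes holding only the DN, which appears to be the symptom the commit message describes; this should be confirmed against the check's contract. The new `int` return value is also undocumented, and a header comment such as `/* Returns 1 if a DerefRes for derefdn was appended to ctrlber, 0 if nothing was written. */` would explain the `needcontrol +=` in `deref_pre_entry`. The result of `slapi_build_control` is still not checked before `ctrl` is handed to `slapi_add_control_ext`.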
-- 
1.9.3