From 5c2848665791adf25f884fe942f310392fd88162 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Mon, 28 Jul 2014 09:42:43 -0700 Subject: [PATCH 242/243] Bug 1123477 - unauthenticated information disclosure Fix Description: nscpentrywsi is returned only authenticated as root. The bug was fixed by lkrispen@redhat.com (Ludwig Krispenz). His patch was modified based upon this review comment. https://bugzilla.redhat.com/show_bug.cgi?id=1123477#c2 https://bugzilla.redhat.com/show_bug.cgi?id=1123861 (cherry picked from commit aa90e26d5c4ea47b2a4a22f99cf0742cf48b3fae) (cherry picked from commit 394277fdcef70078b54a280de88ab06dd289cc7a) (cherry picked from commit fbb9bf0b37fdaec0856b9c78373a0fb1fa07a1dd) --- ldap/servers/slapd/computed.c | 17 +++++++++++++++-- ldap/servers/slapd/entrywsi.c | 2 +- ldap/servers/slapd/slapi-plugin.h | 1 + 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/ldap/servers/slapd/computed.c b/ldap/servers/slapd/computed.c index 7c99b45..7a80c96 100644 --- a/ldap/servers/slapd/computed.c +++ b/ldap/servers/slapd/computed.c @@ -59,6 +59,7 @@ struct _computed_attr_context { struct _compute_evaluator { struct _compute_evaluator *next; slapi_compute_callback_t function; + int rootonly; }; typedef struct _compute_evaluator compute_evaluator; @@ -95,6 +96,13 @@ int compute_call_evaluators_nolock(computed_attr_context *c,slapi_compute_output compute_evaluator *current = NULL; for (current = compute_evaluators; (current != NULL) && (-1 == rc); current = current->next) { + if (current->rootonly) { + int isroot; + slapi_pblock_get(c->pb, SLAPI_REQUESTOR_ISROOT, &isroot); + if (!isroot) { + continue; + } + } rc = (*(current->function))(c,type,e,outfn); } return rc; @@ -157,14 +165,19 @@ compute_stock_evaluator(computed_attr_context *c,char* type,Slapi_Entry *e,slapi } static void -compute_add_evaluator_nolock(slapi_compute_callback_t function, compute_evaluator *new_eval) +compute_add_evaluator_nolock(slapi_compute_callback_t function, compute_evaluator *new_eval, int rootonly) { new_eval->next = compute_evaluators; new_eval->function = function; + new_eval->rootonly = rootonly; compute_evaluators = new_eval; } int slapi_compute_add_evaluator(slapi_compute_callback_t function) { + return slapi_compute_add_evaluator_ext(function, 0); +} +int slapi_compute_add_evaluator_ext(slapi_compute_callback_t function, int rootonly) +{ int rc = 0; compute_evaluator *new_eval = NULL; PR_ASSERT(NULL != function); @@ -187,7 +200,7 @@ int slapi_compute_add_evaluator(slapi_compute_callback_t function) slapi_rwlock_wrlock(compute_evaluators_lock); } - compute_add_evaluator_nolock(function, new_eval); + compute_add_evaluator_nolock(function, new_eval, rootonly); if (need_lock) { slapi_rwlock_unlock(compute_evaluators_lock); diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c index 8cee986..f184c7f 100644 --- a/ldap/servers/slapd/entrywsi.c +++ b/ldap/servers/slapd/entrywsi.c @@ -864,7 +864,7 @@ entry_compute_nscpentrywsi(computed_attr_context *c,char* type,Slapi_Entry *e,sl int entry_computed_attr_init() { - slapi_compute_add_evaluator(entry_compute_nscpentrywsi); + slapi_compute_add_evaluator_ext(entry_compute_nscpentrywsi, 1 /* root only */); return 0; } diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h index c13a1a8..34962e2 100644 --- a/ldap/servers/slapd/slapi-plugin.h +++ b/ldap/servers/slapd/slapi-plugin.h @@ -6010,6 +6010,7 @@ typedef int (*slapi_compute_output_t)(computed_attr_context *c,Slapi_Attr *a , S typedef int (*slapi_compute_callback_t)(computed_attr_context *c,char* type,Slapi_Entry *e,slapi_compute_output_t outputfn); typedef int (*slapi_search_rewrite_callback_t)(Slapi_PBlock *pb); int slapi_compute_add_evaluator(slapi_compute_callback_t function); +int slapi_compute_add_evaluator_ext(slapi_compute_callback_t function, int rootonly); int slapi_compute_add_search_rewriter(slapi_search_rewrite_callback_t function); int compute_rewrite_search_filter(Slapi_PBlock *pb); -- 1.8.1.4