From abc9ff876209819c8f0dd7e799f1ab6a1b084fe5 Mon Sep 17 00:00:00 2001

From: Mark Reynolds <mreynolds@redhat.com>

Date: Mon, 20 Mar 2017 15:08:45 -0400

Subject: [PATCH] Issue 49095 - targetattr wildcard evaluation is incorrectly

 case sensitive

Description:  When processing an aci that uses a wildcard targetattr, the

              comparision should be done using case insensitive functions.

https://pagure.io/389-ds-base/issue/49095

Reviewed by: firstyear(Thanks!)

---

 dirsrvtests/tests/tickets/ticket49095_test.py | 85 +++++++++++++++++++++++++++

 ldap/servers/plugins/acl/acl.c                | 10 ++--

 2 files changed, 90 insertions(+), 5 deletions(-)

 create mode 100644 dirsrvtests/tests/tickets/ticket49095_test.py

diff --git a/dirsrvtests/tests/tickets/ticket49095_test.py b/dirsrvtests/tests/tickets/ticket49095_test.py

new file mode 100644

index 0000000..04f92b2

--- /dev/null

+++ b/dirsrvtests/tests/tickets/ticket49095_test.py

@@ -0,0 +1,85 @@

+import time

+import ldap

+import logging

+import pytest

+from lib389 import DirSrv, Entry, tools, tasks

+from lib389.tools import DirSrvTools

+from lib389._constants import *

+from lib389.properties import *

+from lib389.tasks import *

+from lib389.utils import *

+from lib389.topologies import topology_st as topo

+

+DEBUGGING = os.getenv("DEBUGGING", default=False)

+if DEBUGGING:

+    logging.getLogger(__name__).setLevel(logging.DEBUG)

+else:

+    logging.getLogger(__name__).setLevel(logging.INFO)

+log = logging.getLogger(__name__)

+

+USER_DN = 'uid=testuser,dc=example,dc=com'

+acis = ['(targetattr != "tele*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',

+        '(targetattr != "TELE*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',

+        '(targetattr != "telephonenum*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',

+        '(targetattr != "TELEPHONENUM*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)']

+

+

+def test_ticket49095(topo):

+    """Check that target attrbiutes with wildcards are case insensitive

+    """

+

+    # Add an entry

+    try:

+        topo.standalone.add_s(Entry((USER_DN, {

+            'objectclass': 'top extensibleObject'.split(),

+            'uid': 'testuser',

+            'telephonenumber': '555-555-5555'

+        })))

+    except ldap.LDAPError as e:

+            log.fatal('Failed to add test user: ' + e.message['desc'])

+            assert False

+

+    for aci in acis:

+        # Add ACI

+        try:

+            topo.standalone.modify_s(DEFAULT_SUFFIX,

+                          [(ldap.MOD_REPLACE, 'aci', aci)])

+

+        except ldap.LDAPError as e:

+            log.fatal('Failed to set aci: ' + aci + ': ' + e.message['desc'])

+            assert False

+

+        # Set Anonymous Bind to test aci

+        try:

+            topo.standalone.simple_bind_s("", "")

+        except ldap.LDAPError as e:

+            log.fatal('Failed to bind anonymously: ' + e.message['desc'])

+            assert False

+

+        # Search for entry - should not get any results

+        try:

+            entry = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE,

+                                             'telephonenumber=*')

+            if entry:

+                log.fatal('The entry was incorrectly returned')

+                assert False

+        except ldap.LDAPError as e:

+            log.fatal('Failed to search anonymously: ' + e.message['desc'])

+            assert False

+

+        # Set root DN Bind so we can update aci's

+        try:

+            topo.standalone.simple_bind_s(DN_DM, PASSWORD)

+        except ldap.LDAPError as e:

+            log.fatal('Failed to bind anonymously: ' + e.message['desc'])

+            assert False

+

+    log.info("Test Passed")

+

+

+if __name__ == '__main__':

+    # Run isolated

+    # -s for DEBUG mode

+    CURRENT_FILE = os.path.realpath(__file__)

+    pytest.main("-s %s" % CURRENT_FILE)

+

diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c

index 0a93808..48b8efc 100644

--- a/ldap/servers/plugins/acl/acl.c

+++ b/ldap/servers/plugins/acl/acl.c

@@ -3407,19 +3407,19 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)

 	}

 	/* this assumes that str and the filter components are already

-	 * normalized. If not, it shoul be done

+	 * normalized. If not, it should be done

 	 */

 	if ( initial != NULL) {

 		len = strlen(initial);

 		if (exact_match) {

-			int rc = strncmp(p, initial, len);

+			int rc = strncasecmp(p, initial, len);

 			if (rc) {

 				return ACL_FALSE;

 			} else {

 				p += len;

 			}  

 		} else {

-			p = strstr(p, initial);

+			p = strcasestr(p, initial);

 			if (p) {

 				p += len;

 			} else {

@@ -3430,7 +3430,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)

 	if ( any != NULL) {

 		for (i = 0;  any && any[i] != NULL; i++) {

-			p = strstr(p, any[i]);

+			p = strcasestr(p, any[i]);

 			if (p) {

 				p += strlen(any[i]);

 			} else {

@@ -3444,7 +3444,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)

 		len = strlen(final);

 		tlen = strlen(p);

 		if (len > tlen) return ACL_FALSE;

-		if (strcmp(p+tlen-len, final)) return ACL_FALSE;

+		if (strcasecmp(p+tlen-len, final)) return ACL_FALSE;

 	}

 	return ACL_TRUE;

-- 

2.9.3