From 58b738e455355344acbfcac556600b2e19ade1a3 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Mon, 2 Dec 2013 17:13:55 -0500 Subject: [PATCH 63/65] Ticket 47614 - Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms Bug Description: Invalid values could be specified in the allowed sasl mechanisms configuration attribute. These values are directly passed to the sasl library. Fix Description: Follow RFR 4422, only allow upto 20 characters that are ASCII upper-case letters, digits, hyphens, or underscores. https://fedorahosted.org/389/ticket/47614 Reviewed by: richm(Thanks!) (cherry picked from commit 7e8a5fc7183f7c08212bfb746ea8c5ceedee0132) (cherry picked from commit f00321f892545d59e07c1a944936153660640e47) --- ldap/servers/slapd/libglobs.c | 60 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index b925a2c..a763135 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -126,6 +126,7 @@ static int config_set_onoff( const char *attrname, char *value, static int config_set_schemareplace ( const char *attrname, char *value, char *errorbuf, int apply ); static void remove_commas(char *str); +static int invalid_sasl_mech(char *str); /* Keeping the initial values */ /* CONFIG_INT/CONFIG_LONG */ @@ -6768,6 +6769,13 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, /* cyrus sasl doesn't like comma separated lists */ remove_commas(value); + if(invalid_sasl_mech(value)){ + LDAPDebug(LDAP_DEBUG_ANY,"Invalid value/character for sasl mechanism (%s). Use ASCII " + "characters, upto 20 characters, that are upper-case letters, " + "digits, hyphens, or underscores\n", value, 0, 0); + return LDAP_UNWILLING_TO_PERFORM; + } + CFG_LOCK_WRITE(slapdFrontendConfig); slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value); CFG_UNLOCK_WRITE(slapdFrontendConfig); @@ -7452,3 +7460,55 @@ remove_commas(char *str) } } } + +/* + * Check the SASL mechanism values + * + * As per RFC 4422: + * SASL mechanisms are named by character strings, from 1 to 20 + * characters in length, consisting of ASCII [ASCII] uppercase letters, + * digits, hyphens, and/or underscores. + */ +static int +invalid_sasl_mech(char *str) +{ + char *mech = NULL, *token = NULL, *next = NULL; + int i; + + if(str == NULL){ + return 0; + } + + /* + * Check the length for each mechanism + */ + token = slapi_ch_strdup(str); + for (mech = ldap_utf8strtok_r(token, " ", &next); mech; + mech = ldap_utf8strtok_r(NULL, " ", &next)) + { + if(strlen(mech) == 0 || strlen(mech) > 20){ + /* invalid length */ + slapi_ch_free_string(&token); + return 1; + } + } + slapi_ch_free_string(&token); + + /* + * Check the individual characters + */ + for (i = 0; str[i]; i++){ + if ( ((int)str[i] < 48 || (int)str[i] > 57) && /* not a digit */ + ((int)str[i] < 65 || (int)str[i] > 90) && /* not upper case */ + (int)str[i] != 32 && /* not a space (between mechanisms) */ + (int)str[i] != 45 && /* not a hyphen */ + (int)str[i] != 95 ) /* not an underscore */ + { + /* invalid character */ + return 1; + } + } + + /* Mechanism value is valid */ + return 0; +} -- 1.8.1.4