From 16564ca6c52efa99434d673100b59bb71ce1da4a Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Tue, 21 Apr 2026 18:02:51 +0000
Subject: [PATCH] ITS#10478 autoca: reject commas in email/ipaddr
---
 servers/slapd/overlays/autoca.c | 50 +++++++++++++++++++++++++++------
 tests/scripts/test066-autoca | 1 +
 2 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/servers/slapd/overlays/autoca.c b/servers/slapd/overlays/autoca.c
index cd616bb0b3..43761655d2 100644
--- a/servers/slapd/overlays/autoca.c
+++ b/servers/slapd/overlays/autoca.c
@@ -803,6 +803,40 @@ static ConfigOCs autoca_ocs[] = {
 { NULL, 0, NULL }
 };
 
+static int
+autoca_set_extras(
+ Operation *op,
+ Attribute *a,
+ struct berval *tag,
+ myext *extras
+)
+{
+ char *ptr;
+ int i;
+ int len = 0;
+ for ( i=0; ia_numvals; i++ ) {
+ if (strchr(a->a_vals[i].bv_val, ',')) {
+ Debug( LDAP_DEBUG_TRACE, "autoca_set_extras: illegal characters in %s\n",
+ a->a_desc->ad_cname.bv_val );
+ return SLAP_CB_CONTINUE;
+ }
+ len += a->a_vals[i].bv_len;
+ }
+ len += ( tag->bv_len+1 ) * a->a_numvals;
+
+ extras[0].name = "subjectAltName";
+ extras[1].name = NULL;
+ extras[0].value = op->o_tmpalloc( len, op->o_tmpmemctx );
+ ptr = extras[0].value;
+ for ( i=0; ia_numvals; i++ ) {
+ if ( i )
+ *ptr++ = ',';
+ ptr = lutil_strcopy( ptr, tag->bv_val );
+ ptr = lutil_strcopy( ptr, a->a_vals[i].bv_val );
+ }
+ return 0;
+}
+
 static int
 autoca_op_response(
 Operation *op,
@@ -849,10 +883,10 @@ autoca_op_response(
 a = attr_find( rs->sr_entry->e_attrs, ad_mail );
 if ( a ) {
- extras[0].name = "subjectAltName";
- extras[1].name = NULL;
- extras[0].value = op->o_tmpalloc( sizeof("email:") + a->a_vals[0].bv_len, op->o_tmpmemctx );
- sprintf(extras[0].value, "email:%s", a->a_vals[0].bv_val);
+ struct berval bv = BER_BVC("email:");
+ rc = autoca_set_extras( op, a, &bv, extras );
+ if ( rc )
+ return rc;
 args.more_exts = extras;
 }
 } else
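Review bot: autoca_set_extras carries no comment saying why a ',' in a value is rejected, although that is the whole point of the helper: the string it assembles is a comma-separated subjectAltName config value (presumably handed to OpenSSL's X509V3 conf parser, as the old "email:%s"/"IP:%s" formats were), so a comma inside one attribute value would let that value append arbitrary extra SAN entries to the issued certificate. Suggest a header comment such as `/* Build "<tag><val1>,<tag><val2>,..." as the subjectAltName conf value; ',' is the entry separator, so a value containing it is refused rather than letting one attribute value inject additional SAN entries. */`. The rejection is logged only at LDAP_DEBUG_TRACE and then issuance is silently skipped via SLAP_CB_CONTINUE; an operator diagnosing a missing certificate would be better served by `Debug( LDAP_DEBUG_ANY, "autoca_set_extras: illegal characters in %s\n",`. Minor: `len` is an `int` summing ber_len_t values (`ber_len_t len = 0;` avoids the narrowing), and if a->a_numvals could be 0 the zero-length o_tmpalloc buffer never receives a terminator — attr_find in the callers presumably guarantees at least one value, but a one-line note saying so would help.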
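Review bot: `return rc;` after the new autoca_set_extras call leaves autoca_op_response early on a rejected value, and the same pattern recurs in the ipaddr hunk at @@ -862,10 +896,10 @@; autoca_op_response begins before this hunk, so whether anything acquired earlier in it needs releasing on this exit path cannot be confirmed from here and is worth checking. The helper also changes behavior beyond what the commit title states: the removed lines emitted only a_vals[0], while autoca_set_extras concatenates every value of the attribute, so a multi-valued mail or ipHostNumber attribute now yields a multi-entry SAN — the commit message or a one-line comment here (`/* every value of the attribute becomes a SAN entry */`) should say so.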
@@ -862,10 +896,10 @@ autoca_op_response(
 args.days = ai->ai_srvdays;
 if ( ad_ipaddr && (a = attr_find( rs->sr_entry->e_attrs, ad_ipaddr ))) {
- extras[0].name = "subjectAltName";
- extras[1].name = NULL;
- extras[0].value = op->o_tmpalloc( sizeof("IP:") + a->a_vals[0].bv_len, op->o_tmpmemctx );
- sprintf(extras[0].value, "IP:%s", a->a_vals[0].bv_val);
+ struct berval bv = BER_BVC("IP:");
+ rc = autoca_set_extras( op, a, &bv, extras );
+ if ( rc )
+ return rc;
 args.more_exts = extras;
 }
 }
diff --git a/tests/scripts/test066-autoca b/tests/scripts/test066-autoca
index b9773ea944..e254b1f307 100755
--- a/tests/scripts/test066-autoca
+++ b/tests/scripts/test066-autoca
@@ -174,6 +174,7 @@ objectClass: device
 objectClass: ipHost
 cn: localhost
 ipHostNumber: 127.0.0.1
+ipHostNumber: ::1
 
 dn: cn=www.example.com,ou=Servers,$BASEDN
 objectClass: device