upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-21 23:29:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

ITS#9251 make max filter depth configurable

Browse source
This commit is contained in:
Howard Chu 2021-03-22 17:31:13 +00:00
parent da57548e52
commit f1ebb45695
7 changed files with 18 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
doc/man/man5/slapd-config.5
View file

@ -689,6 +689,10 @@ This level should usually also be included when using other loglevels, to
help analyze the logs. help analyze the logs.
.RE .RE
.TP .TP
.B olcMaxFilterDepth: <integer>
Specify the maximum depth of nested filters in search requests.
The default is 1000.
.TP
.B olcPasswordCryptSaltFormat: <format> .B olcPasswordCryptSaltFormat: <format>
Specify the format of the salt passed to Specify the format of the salt passed to
.BR crypt (3) .BR crypt (3)

4
doc/man/man5/slapd.conf.5
View file

@ -743,6 +743,10 @@ This level should usually also be included when using other loglevels, to
help analyze the logs. help analyze the logs.
.RE .RE
.TP .TP
.B maxfilterdepth <integer>
Specify the maximum depth of nested filters in search requests.
The default is 1000.
.TP
.B moduleload <filename> .B moduleload <filename>
Specify the name of a dynamically loadable module to load. The filename Specify the name of a dynamically loadable module to load. The filename
may be an absolute path name or a simple filename. Non-absolute names may be an absolute path name or a simple filename. Non-absolute names

5
servers/slapd/bconfig.c
View file

@ -480,6 +480,10 @@ static ConfigTable config_back_cf_table[] = {
&config_generic, "( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' " &config_generic, "( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' "
"EQUALITY integerMatch " "EQUALITY integerMatch "
"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
{ "maxFilterDepth", "depth", 2, 2, 0, ARG_INT,
&slap_max_filter_depth, "( OLcfgGlAt:101 NAME 'olcMaxFilterDepth' "
"EQUALITY integerMatch "
"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
{ "multiprovider", "on|off", 2, 2, 0, ARG_DB|ARG_ON_OFF|ARG_MAGIC|CFG_MULTIPROVIDER, { "multiprovider", "on|off", 2, 2, 0, ARG_DB|ARG_ON_OFF|ARG_MAGIC|CFG_MULTIPROVIDER,
&config_generic, "( OLcfgDbAt:0.16 NAME ( 'olcMultiProvider' 'olcMirrorMode' ) " &config_generic, "( OLcfgDbAt:0.16 NAME ( 'olcMultiProvider' 'olcMirrorMode' ) "
"EQUALITY booleanMatch " "EQUALITY booleanMatch "
@ -952,6 +956,7 @@ static ConfigOCs cf_ocs[] = {
"olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexHash64 $ " "olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexHash64 $ "
"olcIndexIntLen $ " "olcIndexIntLen $ "
"olcListenerThreads $ olcLocalSSF $ olcLogFile $ olcLogLevel $ " "olcListenerThreads $ olcLocalSSF $ olcLogFile $ olcLogLevel $ "
"olcMaxFilterDepth $ "
"olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ " "olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ "
"olcPluginLogFile $ olcReadOnly $ olcReferral $ " "olcPluginLogFile $ olcReadOnly $ olcReferral $ "
"olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ " "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "

2
servers/slapd/config.c
View file

@ -84,6 +84,8 @@ ber_len_t sockbuf_max_incoming_auth= SLAP_SB_MAX_INCOMING_AUTH;
int slap_conn_max_pending = SLAP_CONN_MAX_PENDING_DEFAULT; int slap_conn_max_pending = SLAP_CONN_MAX_PENDING_DEFAULT;
int slap_conn_max_pending_auth = SLAP_CONN_MAX_PENDING_AUTH; int slap_conn_max_pending_auth = SLAP_CONN_MAX_PENDING_AUTH;
int slap_max_filter_depth = SLAP_MAX_FILTER_DEPTH_DEFAULT;
char *slapd_pid_file = NULL; char *slapd_pid_file = NULL;
char *slapd_args_file = NULL; char *slapd_args_file = NULL;

6
servers/slapd/filter.c
View file

@ -37,10 +37,6 @@
const Filter *slap_filter_objectClass_pres; const Filter *slap_filter_objectClass_pres;
const struct berval *slap_filterstr_objectClass_pres; const struct berval *slap_filterstr_objectClass_pres;
#ifndef SLAPD_MAX_FILTER_DEPTH
#define SLAPD_MAX_FILTER_DEPTH 5000
#endif
static int get_filter_list( static int get_filter_list(
Operation *op, Operation *op,
BerElement *ber, BerElement *ber,
@ -132,7 +128,7 @@ get_filter0(
* *
*/ */
if( depth > SLAPD_MAX_FILTER_DEPTH ) { if( depth > slap_max_filter_depth ) {
*text = "filter nested too deeply"; *text = "filter nested too deeply";
return SLAPD_DISCONNECT; return SLAPD_DISCONNECT;
} }

1
servers/slapd/proto-slap.h
View file

@ -2067,6 +2067,7 @@ LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming;
LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming_auth; LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming_auth;
LDAP_SLAPD_V (int) slap_conn_max_pending; LDAP_SLAPD_V (int) slap_conn_max_pending;
LDAP_SLAPD_V (int) slap_conn_max_pending_auth; LDAP_SLAPD_V (int) slap_conn_max_pending_auth;
LDAP_SLAPD_V (int) slap_max_filter_depth;
LDAP_SLAPD_V (slap_mask_t) global_allows; LDAP_SLAPD_V (slap_mask_t) global_allows;
LDAP_SLAPD_V (slap_mask_t) global_disallows; LDAP_SLAPD_V (slap_mask_t) global_disallows;

1
servers/slapd/slap.h
View file

@ -143,6 +143,7 @@ LDAP_BEGIN_DECL
#define SLAP_CONN_MAX_PENDING_DEFAULT 100 #define SLAP_CONN_MAX_PENDING_DEFAULT 100
#define SLAP_CONN_MAX_PENDING_AUTH 1000 #define SLAP_CONN_MAX_PENDING_AUTH 1000
#define SLAP_MAX_FILTER_DEPTH_DEFAULT 1000
#define SLAP_TEXT_BUFLEN (256) #define SLAP_TEXT_BUFLEN (256)