upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-22 15:49:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

ITS#10139 back-config: Honour disclose in matchedDN handling

Browse source
This commit is contained in:
Ondřej Kuzník 2024-01-25 12:50:34 +00:00 committed by Quanah Gibson-Mount
parent 9fa4626497
commit f5fcbb428c
1 changed files with 22 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
servers/slapd/bconfig.c
View file

@ -4143,7 +4143,8 @@ config_tls_config(ConfigArgs *c) {
#endif #endif
static CfEntryInfo * static CfEntryInfo *
config_find_base( CfEntryInfo *root, struct berval *dn, CfEntryInfo **last ) config_find_base( CfEntryInfo *root, struct berval *dn, CfEntryInfo **last,
Operation *op )
{ {
struct berval cdn; struct berval cdn;
char *c; char *c;
@ -4160,7 +4161,14 @@ config_find_base( CfEntryInfo *root, struct berval *dn, CfEntryInfo **last )
for (;*c != ',';c--); for (;*c != ',';c--);
while(root) { while(root) {
if ( !op || access_allowed( op, root->ce_entry,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) {
/*
* ITS#10139: Only record the lowermost entry that the user has
* disclose access to
*/
*last = root; *last = root;
}
for (--c;c>dn->bv_val && *c != ',';c--); for (--c;c>dn->bv_val && *c != ',';c--);
cdn.bv_val = c; cdn.bv_val = c;
if ( *c == ',' ) if ( *c == ',' )
@ -5281,7 +5289,7 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs,
* Databases and Overlays to be inserted. Don't do any * Databases and Overlays to be inserted. Don't do any
* auto-renumbering if manageDSAit control is present. * auto-renumbering if manageDSAit control is present.
*/ */
ce = config_find_base( cfb->cb_root, &e->e_nname, &last ); ce = config_find_base( cfb->cb_root, &e->e_nname, &last, op );
if ( ce ) { if ( ce ) {
if ( ( op && op->o_managedsait ) || if ( ( op && op->o_managedsait ) ||
( ce->ce_type != Cft_Database && ce->ce_type != Cft_Overlay && ( ce->ce_type != Cft_Database && ce->ce_type != Cft_Overlay &&
@ -5302,14 +5310,14 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs,
/* If last is NULL, the new entry is the root/suffix entry, /* If last is NULL, the new entry is the root/suffix entry,
* otherwise last should be the parent. * otherwise last should be the parent.
*/ */
if ( last && !dn_match( &last->ce_entry->e_nname, &pdn ) ) { if ( cfb->cb_root && ( !last || !dn_match( &last->ce_entry->e_nname, &pdn ) ) ) {
if ( rs ) { if ( last && rs ) {
rs->sr_matched = last->ce_entry->e_name.bv_val; rs->sr_matched = last->ce_entry->e_name.bv_val;
} }
Debug( LDAP_DEBUG_TRACE, "%s: config_add_internal: " Debug( LDAP_DEBUG_TRACE, "%s: config_add_internal: "
"DN=\"%s\" not child of DN=\"%s\"\n", "DN=\"%s\" not child of DN=\"%s\"\n",
log_prefix, e->e_name.bv_val, log_prefix, e->e_name.bv_val,
last->ce_entry->e_name.bv_val ); last ? last->ce_entry->e_name.bv_val : "" );
return LDAP_NO_SUCH_OBJECT; return LDAP_NO_SUCH_OBJECT;
} }
@ -6281,7 +6289,7 @@ config_back_modify( Operation *op, SlapReply *rs )
cfb = (CfBackInfo *)op->o_bd->be_private; cfb = (CfBackInfo *)op->o_bd->be_private;
ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last ); ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last, op );
if ( !ce ) { if ( !ce ) {
if ( last ) if ( last )
rs->sr_matched = last->ce_entry->e_name.bv_val; rs->sr_matched = last->ce_entry->e_name.bv_val;
@ -6429,7 +6437,7 @@ config_back_modrdn( Operation *op, SlapReply *rs )
cfb = (CfBackInfo *)op->o_bd->be_private; cfb = (CfBackInfo *)op->o_bd->be_private;
ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last ); ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last, op );
if ( !ce ) { if ( !ce ) {
if ( last ) if ( last )
rs->sr_matched = last->ce_entry->e_name.bv_val; rs->sr_matched = last->ce_entry->e_name.bv_val;
@ -6731,7 +6739,7 @@ config_back_delete( Operation *op, SlapReply *rs )
cfb = (CfBackInfo *)op->o_bd->be_private; cfb = (CfBackInfo *)op->o_bd->be_private;
/* If we have a backend, it will handle the control */ /* If we have a backend, it will handle the control */
ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last ); ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last, op );
if ( ce && !cfb->cb_use_ldif && op->o_preread ) { if ( ce && !cfb->cb_use_ldif && op->o_preread ) {
if ( preread_ctrl == NULL ) { if ( preread_ctrl == NULL ) {
preread_ctrl = &ctrls[num_ctrls++]; preread_ctrl = &ctrls[num_ctrls++];
@ -6904,7 +6912,7 @@ config_back_search( Operation *op, SlapReply *rs )
cfb = (CfBackInfo *)op->o_bd->be_private; cfb = (CfBackInfo *)op->o_bd->be_private;
ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock ); ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock );
ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last ); ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last, op );
if ( !ce ) { if ( !ce ) {
if ( last ) if ( last )
rs->sr_matched = last->ce_entry->e_name.bv_val; rs->sr_matched = last->ce_entry->e_name.bv_val;
@ -6992,7 +7000,7 @@ int config_back_entry_get(
if ( !paused ) { if ( !paused ) {
ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock ); ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock );
} }
ce = config_find_base( cfb->cb_root, ndn, &last ); ce = config_find_base( cfb->cb_root, ndn, &last, op );
if ( ce ) { if ( ce ) {
e = ce->ce_entry; e = ce->ce_entry;
if ( e ) { if ( e ) {
@ -7299,7 +7307,7 @@ config_check_schema(Operation *op, CfBackInfo *cfb)
return 0; return 0;
/* Make sure the main schema entry exists */ /* Make sure the main schema entry exists */
ce = config_find_base( cfb->cb_root, &schema_dn, &last ); ce = config_find_base( cfb->cb_root, &schema_dn, &last, op );
if ( ce ) { if ( ce ) {
Attribute *a; Attribute *a;
struct berval *bv; struct berval *bv;
@ -8001,7 +8009,7 @@ config_tool_entry_modify( BackendDB *be, Entry *e, struct berval *text )
BackendInfo *bi = cfb->cb_db.bd_info; BackendInfo *bi = cfb->cb_db.bd_info;
CfEntryInfo *ce, *last; CfEntryInfo *ce, *last;
ce = config_find_base( cfb->cb_root, &e->e_nname, &last ); ce = config_find_base( cfb->cb_root, &e->e_nname, &last, NULL );
if ( ce && bi && bi->bi_tool_entry_modify ) if ( ce && bi && bi->bi_tool_entry_modify )
return bi->bi_tool_entry_modify( &cfb->cb_db, e, text ); return bi->bi_tool_entry_modify( &cfb->cb_db, e, text );
@ -8016,7 +8024,7 @@ config_tool_entry_delete( BackendDB *be, struct berval *ndn, struct berval *text
BackendInfo *bi = cfb->cb_db.bd_info; BackendInfo *bi = cfb->cb_db.bd_info;
CfEntryInfo *ce, *last; CfEntryInfo *ce, *last;
ce = config_find_base( cfb->cb_root, ndn, &last ); ce = config_find_base( cfb->cb_root, ndn, &last, NULL );
if ( ce && bi && bi->bi_tool_entry_delete ) if ( ce && bi && bi->bi_tool_entry_delete )
return bi->bi_tool_entry_delete( &cfb->cb_db, ndn, text ); return bi->bi_tool_entry_delete( &cfb->cb_db, ndn, text );