From 7b39456f1df8e513acb4ad1da57c58531bf11b07 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Oct 10 2014 21:07:22 +0000
Subject: Ticket #47922 - dynamically added macro aci is not evaluated on the fly
Bug Description: When macro aci is dynamically added and if the aci's macro target dn is not normalized, the following operation that requires the aci could fail with Insufficient access since matching the target dn and the macro target dn fails since the code expects normalized macro target dn.
Fix Description: Before setting the macro target dn, process the dn by slapi_create_dn_string_case.
https://fedorahosted.org/389/ticket/47922
Reviewed by lkrispen@redhat.com and rmeggins@redhat.com (Thank you, Ludwig and Rich!!)
(cherry picked from commit 07c1bc25508a9c1e71dd8e717fd4ce455ddfeff0)
(cherry picked from commit c6b397c8466fd0859c5404c946a82f240564076e)
---
diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c
index ccd387c..1bfe1d1 100644
--- a/ldap/servers/plugins/acl/aclparse.c
+++ b/ldap/servers/plugins/acl/aclparse.c
@@ -1748,9 +1748,9 @@ static int
 acl_check_for_target_macro( aci_t *aci_item, char *value)
 {
- char *str = NULL;
+ char *str = NULL;
- str = strstr(value, ACL_TARGET_MACRO_DN_KEY /* ($dn) */);
+ str = PL_strcasestr(value, ACL_TARGET_MACRO_DN_KEY /* ($dn) */);
 if (str != NULL) {
 char *p0 = NULL, *p1 = NULL;
@@ -1770,10 +1770,17 @@ acl_check_for_target_macro( aci_t *aci_item, char *value)
 aci_item->aci_type &= ~ACI_TARGET_DN;
 aci_item->aci_type |= ACI_TARGET_MACRO_DN;
 aci_item->aci_macro = (aciMacro *)slapi_ch_malloc(sizeof(aciMacro));
- aci_item->aci_macro->match_this = slapi_ch_strdup(value);
- aci_item->aci_macro->macro_ptr = strstr( aci_item->aci_macro->match_this,
- ACL_TARGET_MACRO_DN_KEY);
- return(1);
+ /* Macro dn needs to normalize. E.g., "ou=Groups, ($dN), dn=example,dn=com" */
+ aci_item->aci_macro->match_this = slapi_create_dn_string_case("%s", value);
+ if (NULL == aci_item->aci_macro->match_this) {
+ slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
+ "acl_check_for_target_macro: Error: Invalid macro target dn: \"%s\"\n", value);
+ aci_item->aci_type &= ~ACI_TARGET_MACRO_DN;
+ slapi_ch_free((void **)&aci_item->aci_macro);
+ return -1;
+ }
+ aci_item->aci_macro->macro_ptr = PL_strcasestr(aci_item->aci_macro->match_this, ACL_TARGET_MACRO_DN_KEY);
+ return(1);
 }
 return(0);
diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c
index 1b8bc12..e85836c 100644
--- a/ldap/servers/plugins/acl/aclutil.c
+++ b/ldap/servers/plugins/acl/aclutil.c
@@ -782,7 +782,7 @@ acl_match_macro_in_target( const char *ndn, char * match_this,
 macro_prefix = slapi_ch_strdup(match_this); /* we know it's got a $(dn) */
- tmp_ptr = strstr(macro_prefix, ACL_TARGET_MACRO_DN_KEY);
+ tmp_ptr = PL_strcasestr(macro_prefix, ACL_TARGET_MACRO_DN_KEY);
 if (!tmp_ptr) {
 LDAPDebug(LDAP_DEBUG_ACL,"acl_match_macro_in_target: " "Target macro DN key \"%s\" not found in \"%s\".\n",
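Review bot: In the second aclparse.c hunk, the result of `PL_strcasestr()` on the normalized `match_this` is stored in `macro_ptr` and the function returns 1 without checking it for NULL, while the aclutil.c hunk does test `tmp_ptr` after the same search. The key was located in the raw `value`, not in the string returned by `slapi_create_dn_string_case`, so if normalization ever alters the `($dn)` token the ACI would be accepted with a NULL `macro_ptr`; how later code uses that pointer is not visible here. I would fail closed as on the invalid-DN path, freeing `match_this` as well, as sketched below. Both -1 paths also leave `ACI_TARGET_DN` cleared, which is only safe if callers discard the aci_item on error; the function body starts above this hunk, so that is worth confirming.

```c
/* … unchanged: normalization of match_this and its NULL check … */
aci_item->aci_macro->macro_ptr = PL_strcasestr(aci_item->aci_macro->match_this, ACL_TARGET_MACRO_DN_KEY);
if (NULL == aci_item->aci_macro->macro_ptr) {
    /* key not found after normalization: reject rather than keep a NULL macro_ptr */
    slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
        "acl_check_for_target_macro: Error: macro key not found in normalized target dn: \"%s\"\n", value);
    aci_item->aci_type &= ~ACI_TARGET_MACRO_DN;
    slapi_ch_free_string(&aci_item->aci_macro->match_this);
    slapi_ch_free((void **)&aci_item->aci_macro);
    return -1;
}
return(1);
```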