From b4dddacb9aed0a44f8cb8a05213f3c9ffa9b77e1 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Jun 21 2012 02:15:51 +0000 Subject: Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213 Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3] https://bugzilla.redhat.com/show_bug.cgi?id=830001 Bug Description: Deref still retrieved unhashed password. Fix Description: Added code to Deref plugin to check the deref attribute. If it is unhashed password, skip it. (cherry picked from commit 26b5121d84232cf453fa917f11ba6518a40358ea) (cherry picked from commit 9e15a73380e32947f08e2d8cc3bce87f467fab80)
---
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index fb6a54a..d97dc0a 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -632,6 +632,12 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
 int needpartialattr = 1; /* need PartialAttribute sequence? */
 int needvalsset = 1;
+ if (is_type_forbidden(retattrs[ii])) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
+ "skip forbidden attribute [%s]\n", derefdn);
+ continue;
+ }
+
 deref_get_values(entries[0], retattrs[ii], &results, &type_name_disposition, &actual_type_name, flags, &buffer_flags);
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index c3ebd79..1b62c13 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -639,7 +639,7 @@ int is_rootdse( const char *dn );
 int get_entry_object_type();
 int entry_computed_attr_init();
 void send_referrals_from_entry(Slapi_PBlock *pb, Slapi_Entry *referral);
-
+int is_type_forbidden(const char *type);
 /* * dse.c
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 2f0afc7..75f8e8f 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
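Review bot: In the `deref.c` hunk, the added `slapi_log_error` call passes `derefdn` to a message that reads "skip forbidden attribute [%s]", so the plugin log records the dereferenced entry's DN and never the attribute that was withheld. Logging both, `"skip forbidden attribute [%s] of entry [%s]\n", retattrs[ii], derefdn);`, would let an operator see which requested type was filtered when auditing access to the unhashed password. The guard tests the name exactly as the client sent it in the control (`retattrs[ii]`), before `deref_get_values` resolves `actual_type_name`. The body of `is_type_forbidden` is not part of this diff, so it should be confirmed that it compares case-insensitively and also rejects names carrying attribute options. The body of `deref_do_deref_attr` starts and ends outside this hunk.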
@@ -331,7 +331,6 @@ int entry_next_deleted_attribute( const Slapi_Entry *e, Slapi_Attr **a);
 /* entry.c */
 int entry_apply_mods( Slapi_Entry *e, LDAPMod **mods );
 int is_type_protected(const char *type);
-int is_type_forbidden(const char *type);
 int slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **new_entries, int testall, const char *logging_prestr, const int force_update, void *plg_id);