https://bugzilla.redhat.com/show_bug.cgi?id=853931 (Red Hat Enterprise Linux 6)
Description of problem:
Macros are placeholders that are used to represent a DN, or a portion of a DN, in an ACI. These placeholders now seem to be checked for syntax incorrectly, allowing an ACI with invalid syntax to be set.

Version-Release number of selected component (if applicable):
all? (tested with 389-ds-base-1.2.10.2-15.el6.x86_64 and 389-ds-base-1.2.11.7-2.el6.x86_64)

How reproducible:
always

Steps to Reproduce:
{{{
ldapmodify -h localhost -p 389 -D "cn=directory manager" -w dirmanager <<EOF
dn: dc=redhat,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=redhat,dc=com")(version 3.0; acl "Wrong_ACI"; allow (all) userdn="ldap:///($attribute.description),dc=redhat,dc=com";)
EOF
modifying entry "dc=redhat,dc=com"

[jrusnack@dhcp-31-42 /]$ echo $?
0
}}}

Actual results:
succeeds

Expected results:
should fail with RC 21 LDAP_INVALID_SYNTAX

Additional info:
Already automated in acl/macro-acis
git patch file (master) 0001-Trac-Ticket-448-Possible-to-set-invalid-macros-in-Ma.patch
Bug description: Syntax checking code in acl did not check the macro syntax. Thus, an invalid macro such as ($bogus.description) could have been unexpectedly added.
Fix description: This patch adds the checking code: If acl contains a keyword starting with "($" or "[$", only one of "($dn)", "[$dn]", or "($attr." is allowed.
Reviewed by Rich (Thank you!!)
Pushed to master.
{{{
$ git merge trac448
Updating 47c0d96..caf2feb
Fast-forward
 ldap/servers/plugins/acl/aclparse.c | 74 +++++++++++++++++++++--------------
 1 files changed, 45 insertions(+), 29 deletions(-)
$ git push origin master
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.42 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   47c0d96..caf2feb  master -> master
}}}
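The rule from the fix description above (a keyword starting with "($" or "[$" must be "($dn)", "[$dn]" or start with "($attr."), written out as added example code in C; this is not the patch committed to aclparse.c. The function name `aci_macros_valid` is hypothetical, and requiring a non-empty attribute name closed by ")" after "($attr." is an assumption beyond the ticket text.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from aclparse.c): returns 1 when every "($" or
 * "[$" keyword in the ACI text is one of the macros the ticket allows,
 * 0 otherwise. A caller would map 0 to LDAP_INVALID_SYNTAX (21). */
int aci_macros_valid(const char *aci)
{
    const char *p = aci;

    while ((p = strpbrk(p, "([")) != NULL) {
        if (p[1] != '$') {              /* ordinary bracket, not a macro */
            p++;
            continue;
        }
        if (strncmp(p, "($dn)", 5) == 0 || strncmp(p, "[$dn]", 5) == 0) {
            p += 5;
        } else if (strncmp(p, "($attr.", 7) == 0) {
            /* Assumption beyond the ticket text: the attribute name must
             * be non-empty and the macro must be closed by ')'. */
            const char *name = p + 7;
            size_t len = strcspn(name, ")");
            if (len == 0 || name[len] != ')')
                return 0;
            p = name + len + 1;
        } else {
            return 0;                   /* e.g. ($bogus.description) */
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample; the second userdn value is the one from the report. */
    const char *ok = "(target=\"ldap:///dc=redhat,dc=com\")(version 3.0; "
                     "acl \"ok\"; allow (all) "
                     "userdn=\"ldap:///($attr.manager),dc=redhat,dc=com\";)";
    const char *bad = "(target=\"ldap:///dc=redhat,dc=com\")(version 3.0; "
                      "acl \"Wrong_ACI\"; allow (all) "
                      "userdn=\"ldap:///($attribute.description),dc=redhat,dc=com\";)";

    printf("ok  -> %d\n", aci_macros_valid(ok));
    printf("bad -> %d\n", aci_macros_valid(bad));
    return 0;
}
```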
Metadata Update from @nhosoi: - Issue assigned to rmeggins - Issue set to the milestone: 1.3.0.rc1
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/448
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)