#448 Possible to set invalid macros in Macro ACIs
Closed: wontfix None Opened 11 years ago by nhosoi.

https://bugzilla.redhat.com/show_bug.cgi?id=853931 (Red Hat Enterprise Linux 6)

Description of problem:

Macros are placeholders that are used to represent a DN, or a portion of a DN,
in an ACI. These placeholders now seem to be checked for syntax incorrectly,
allowing an ACI with invalid syntax to be set.

Version-Release number of selected component (if applicable):
all? (tested with 389-ds-base-1.2.10.2-15.el6.x86_64 and
389-ds-base-1.2.11.7-2.el6.x86_64)

How reproducible:
always

Steps to Reproduce:

ldapmodify -h localhost -p 389 -D "cn=directory manager" -w dirmanager <<'EOF'
dn: dc=redhat,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=redhat,dc=com")(version 3.0; acl "Wrong_ACI"; allow (all) userdn="ldap:///($attribute.description),dc=redhat,dc=com";)
EOF

modifying entry "dc=redhat,dc=com"

[jrusnack@dhcp-31-42 /]$ echo $?
0

Actual results: succeeds


Expected results: should fail with RC 21 LDAP_INVALID_SYNTAX


Additional info: Already automated in acl/macro-acis

Bug description: Syntax checking code in acl did not check the
macro syntax. Thus, an invalid macro such as ($bogus.description)
could have been unexpectedly added.

Fix description: This patch adds the checking code: If acl contains
a keyword starting with "($" or "[$", only one of "($dn)", "[$dn]",
or "($attr." is allowed.

Reviewed by Rich (Thank you!!)

Pushed to master.
{{{
$ git merge trac448
Updating 47c0d96..caf2feb
Fast-forward
ldap/servers/plugins/acl/aclparse.c | 74 +++++++++++++++++++++--------------
1 files changed, 45 insertions(+), 29 deletions(-)
$ git push origin master
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.42 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
47c0d96..caf2feb master -> master
}}}

Metadata Update from @nhosoi:
- Issue assigned to rmeggins
- Issue set to the milestone: 1.3.0.rc1

7 years ago
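
The rule stated in the fix description above (a token starting with "($" or "[$" must be "($dn)", "[$dn]" or begin with "($attr."), sketched as an added example in C. This is not the patch committed to aclparse.c; the function name first_bad_macro and the sample ACI fragments are hypothetical, and the check on the attribute name is stricter than the ticket's wording.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from aclparse.c. Returns NULL when every token
 * starting with "($" or "[$" is "($dn)", "[$dn]" or "($attr.<name>)";
 * otherwise returns a pointer to the first offending token. */
const char *first_bad_macro(const char *aci)
{
    const char *p = aci;

    while ((p = strpbrk(p, "([")) != NULL) {
        if (p[1] != '$') {              /* ordinary bracket, not a macro */
            p++;
            continue;
        }
        if (strncmp(p, "($dn)", 5) == 0 || strncmp(p, "[$dn]", 5) == 0) {
            p += 5;
            continue;
        }
        if (strncmp(p, "($attr.", 7) == 0) {
            const char *q = p + 7;
            /* Assumption beyond the ticket's rule: require a non-empty
             * attribute name followed by the closing parenthesis. */
            while (isalnum((unsigned char)*q) || *q == '-' || *q == ';')
                q++;
            if (q > p + 7 && *q == ')') {
                p = q + 1;
                continue;
            }
        }
        return p;                       /* unknown or malformed macro */
    }
    return NULL;
}

int main(void)
{
    /* Constructed samples: the userdn value from this ticket and a valid one. */
    const char *samples[] = {
        "userdn=\"ldap:///($attribute.description),dc=redhat,dc=com\"",
        "userdn=\"ldap:///cn=Admins,[$dn],dc=example,dc=com\"",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *bad = first_bad_macro(samples[i]);
        printf("%s -> %s\n", samples[i], bad ? "invalid syntax" : "ok");
    }
    return 0;
}
```

A caller in the position of the ACI parser would reject the modify with LDAP_INVALID_SYNTAX (RC 21, the expected result in this ticket) whenever the helper returns non-NULL.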

389-ds-base is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in 389-ds-base's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/389ds/389-ds-base/issues/448

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
