#448 Possible to set invalid macros in Macro ACIs
Closed: Fixed None Opened 7 years ago by nhosoi.

https://bugzilla.redhat.com/show_bug.cgi?id=853931 (Red Hat Enterprise Linux 6)

Description of problem:

Macros are placeholders that are used to represent a DN, or a portion of a DN,
in an ACI. These placeholders now seem to be checked for syntax incorrectly,
allowing to set aci with invalid syntax.

Version-Release number of selected component (if applicable):
all? (tested with 389-ds-base- and

How reproducible:

Steps to Reproduce:

ldapmodify -h localhost -p 389 -D "cn=directory manager" -w dirmanager <<EOF
dn: dc=redhat,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=redhat,dc=com")(version 3.0; acl "Wrong_ACI"; allow
(all) userdn="ldap:///($attribute.description),dc=redhat,dc=com";)

modifying entry "dc=redhat,dc=com"

[jrusnack@dhcp-31-42 /]$ echo $?

Actual results: succeeds

Expected results: should fail with RC 21 LDAP_INVALID_SYNTAX

Additional info: Already automated in acl/macro-acis

Bug description: Syntax checking code in acl did not check the
macro syntax. Thus, invalide macro such as ($bogus.description)
could have been unexpectedly added.

Fix description: This patch adds the checking code: If acl contains
a keyword starting with "($" or "[$", only one of "($dn)", "[$dn]",
or "($attr." is allowed.

Reviewed by Rich (Thank you!!)

Pushed to master.
$ git merge trac448
Updating 47c0d96..caf2feb
ldap/servers/plugins/acl/aclparse.c | 74 +++++++++++++++++++++--------------
1 files changed, 45 insertions(+), 29 deletions(-)
$ git push origin master
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.42 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
47c0d96..caf2feb master -> master

Metadata Update from @nhosoi:
- Issue assigned to rmeggins
- Issue set to the milestone: 1.3.0.rc1

3 years ago

Login to comment on this ticket.