firstyear / 389-ds-base

Forked from 389-ds-base 2 years ago

43f7b99 Ticket 50349 - filter schema validation

Authored and Committed by firstyear 17 days ago
    Ticket 50349 - filter schema validation
    
    Bug Description: 389 Should assert that all attributes in a filter
    are present and valid in schema. If there are attributes in a filter
    that are not in schema, this can lead to DOS due to fall-back to
    un-indexed scans, and it also can mask and cover-up application and
    development issues with queries. For example, the referenced case was
    caused by IPA mistakenly searching an attribute that can never be
    satisfied by ACI/filter. If we warned or rejected filters in this case
    we would have quickly communicated to the developer that they had caused
    a mistake - feedback, being a vital component of psychology and usability
    theory.
    
    This should optionally be allowed to be disabled, due to some sites that
    use things like extensibleObject that by nature, bypass and violate schema
    checks.
    
    Fix Description: We now have a configuration item that has three levels:
    off, warn, on. The idea is that with "on" we'll reject the filter and
    won't execute it. With "warn", we evaluate the filter, but we map invalid
    attributes to an empty IDL. And with "off" we have the "previous" behaviour. We
    default to "warn", which is the RFC compliant behaviour.
    
    https://pagure.io/389-ds-base/issue/50349
    
    Author: William Brown <william@blackhats.net.au>
    
    Review by: tbordaz, lkrispen (Thanks!)
    
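The three-level behaviour the commit message describes (off / warn / on), modelled as an added Python example. This is not 389-ds-base code and does not use its configuration attribute names or internals: the schema, the directory entries, the function names (parse_filter, search, candidates) and the "entries scanned" counter are all constructed here for illustration, and the parser handles only the equality and presence forms of RFC 4515 string filters. The model shows why "warn" matters for the DoS concern: an unknown attribute in "off" mode forces a full (unindexed) candidate scan, while "warn" maps it to an empty ID list and "on" rejects the filter outright.

```python
"""Model of filter schema validation with three modes: off, warn, on.

Illustrative code written for this page; not 389-ds-base's implementation.
"""
from typing import Dict, List, Set, Tuple

# Constructed toy schema: the attribute types the server "knows".
SCHEMA: Set[str] = {"cn", "uid", "mail", "objectclass", "sn"}

# Constructed toy directory: entry id -> attribute -> values (attrs lower-cased).
ENTRIES: Dict[int, Dict[str, Set[str]]] = {
    1: {"cn": {"alice"}, "uid": {"alice"}, "mail": {"alice@example.com"}, "objectclass": {"person"}},
    2: {"cn": {"bob"}, "uid": {"bob"}, "objectclass": {"person"}},
    3: {"cn": {"carol"}, "uid": {"carol"}, "mail": {"carol@example.com"}, "objectclass": {"person"}},
}

MODES = ("off", "warn", "on")


class FilterError(ValueError):
    """Raised for syntactically invalid filters."""


def parse_filter(s: str) -> Tuple:
    """Parse a minimal RFC 4515 filter: (&...), (|...), (!...), (attr=value), (attr=*).

    Nodes are ('&'|'|'|'!', [children]) or ('item', attr, value). Values containing
    an unescaped ')' are not supported by this toy parser.
    """
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise FilterError("trailing data after filter")
    return node


def _parse(s: str, i: int) -> Tuple[Tuple, int]:
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '('")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise FilterError("expected ')' after filter set")
        if op == "!" and len(children) != 1:
            raise FilterError("'!' takes exactly one filter")
        return (op, children), i + 1
    j = s.find(")", i)
    if j < 0:
        raise FilterError("unterminated filter item")
    attr, sep, value = s[i:j].partition("=")
    if not sep or not attr:
        raise FilterError("unsupported filter item: %r" % s[i:j])
    # Strip attribute options such as ';binary' and normalise case.
    return ("item", attr.split(";")[0].lower(), value), j + 1


def filter_attributes(node: Tuple) -> Set[str]:
    """Collect every attribute type referenced anywhere in the filter."""
    if node[0] == "item":
        return {node[1]}
    return set().union(*(filter_attributes(c) for c in node[1]))


def unknown_attributes(node: Tuple, schema: Set[str] = SCHEMA) -> List[str]:
    """Attributes used in the filter that the schema does not define."""
    return sorted(a for a in filter_attributes(node) if a not in schema)


def candidates(node: Tuple, mode: str, entries=ENTRIES, schema: Set[str] = SCHEMA) -> Set[int]:
    """Candidate ID list (IDL) for a node, as an index lookup would produce.

    Unknown attribute: 'off' -> ALLIDS (every entry must be scanned),
    'warn' -> empty IDL (the component can never match, so nothing is scanned).
    """
    all_ids = set(entries)
    if node[0] == "item":
        _, attr, value = node
        if attr not in schema:
            return all_ids if mode == "off" else set()
        if value == "*":
            return {eid for eid, e in entries.items() if attr in e}
        return {eid for eid, e in entries.items()
                if value.lower() in {v.lower() for v in e.get(attr, ())}}
    op, children = node
    sets = [candidates(c, mode, entries, schema) for c in children]
    if op == "&":
        return set.intersection(*sets) if sets else all_ids
    if op == "|":
        return set.union(*sets) if sets else set()
    return all_ids  # '!' cannot be answered from an index; scan everything


def matches(node: Tuple, entry: Dict[str, Set[str]]) -> bool:
    """Test one entry against the filter (the per-entry evaluation step)."""
    if node[0] == "item":
        _, attr, value = node
        vals = {v.lower() for v in entry.get(attr, ())}
        return bool(vals) if value == "*" else value.lower() in vals
    op, children = node
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)


def search(filter_str: str, mode: str = "warn", entries=ENTRIES, schema: Set[str] = SCHEMA):
    """Run a filter under a validation mode.

    Returns (status, result_ids, entries_scanned, unknown_attrs) where status is
    'ok', 'warning' (unknown attributes present but filter evaluated) or 'rejected'.
    """
    if mode not in MODES:
        raise ValueError("mode must be one of %r" % (MODES,))
    node = parse_filter(filter_str)
    unknown = unknown_attributes(node, schema)
    if unknown and mode == "on":
        return ("rejected", [], 0, unknown)
    cands = candidates(node, mode, entries, schema)
    results = sorted(eid for eid in cands if matches(node, entries[eid]))
    return ("warning" if unknown else "ok", results, len(cands), unknown)


if __name__ == "__main__":
    for m in MODES:
        print(m, search("(|(uid=alice)(nosuchattr=x))", m))
```

Running the block prints the same result set for "off" and "warn", but "off" scans all three entries to find it while "warn" scans one; "on" returns the filter as rejected with the offending attribute named, which is the developer feedback the commit message argues for.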
file modified  +1 -0
file modified  +5 -1
empty file added
file modified  +6 -3
file modified  +117 -2
file modified  +22 -0
file modified  +66 -13
file modified  +88 -0
file modified  +14 -0
file modified  +15 -0
file modified  +2 -0
file modified  +40 -13
file modified  +2 -0
file modified  +4 -0