From fa6e0e564521beb809330992055d6ea647aa5a22 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz)
Date: Jul 01 2013 09:44:33 +0000
Subject: Directory_Server_8_2_Errata_Candidate_15105_20130701 1 fix: 979516
Bug 979516 - Directory Server: ACLs inoperative in some search scenarios
Bug Description: ACI evaluation may grant inappropriate authorization in some search scenarios. This bug is rated as a moderate security issue.
Fix Description: The fix consist to enforce appropriate authorization to all attributes.
https://bugzilla.redhat.com/show_bug.cgi?id=979516
Reviewed by: Rich Meggison
Branch: Directory_Server_8_2_Branch
---
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 53da7f1..da61432 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -2099,7 +2099,11 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
 * calculated from the targetdn and stored judiciously there
 */
 matched_val = (char *)acl_ht_lookup( aclpb->aclpb_macro_ht,
- (PLHashNumber)aci->aci_index);
+ (PLHashNumber)aci->aci_index);
+ } else {
+ /* new entry, remove macro evaluation from hash table */
+ acl_ht_remove_and_free( aclpb->aclpb_macro_ht,
+ (PLHashNumber)aci->aci_index);
 }
 if ( matched_val == NULL &&
 (aclpb->aclpb_res_type & (ACLPB_NEW_ENTRY | ACLPB_EFFECTIVE_RIGHTS))) {
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index e3dda08..f82b7a6 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -930,6 +930,7 @@ int aclutil_str_append_ext(char **dest, size_t *dlen, const char *src, size_t sl
 /* acl hash table functions */
 void acl_ht_add_and_freeOld(acl_ht_t * acl_ht, PLHashNumber key,char *value);
+void acl_ht_remove_and_free(acl_ht_t * acl_ht, PLHashNumber key);
 acl_ht_t *acl_ht_new(void);
 void acl_ht_free_all_entries_and_values( acl_ht_t *acl_ht);
 void acl_ht_remove( acl_ht_t *acl_ht, PLHashNumber key);
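Review bot: The new `} else {` branch does not assign `matched_val`, so the re-evaluation guarded by `if ( matched_val == NULL && ...` only runs for a new entry if `matched_val` was initialised to NULL before the `if`, which lies above the hunk; worth confirming, because a stale non-NULL value there would make the new entry reuse the previous entry's macro match, which is exactly the class of problem the commit is fixing. The `(PLHashNumber)aci->aci_index);` line is removed and re-added with identical text, which looks like a whitespace-only change and could be left out to keep the hunk focused. The enclosing `if`/`else` of `acl__resource_match_aci` starts outside the hunk.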
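Review bot: The new prototype `acl_ht_remove_and_free` carries no comment, and its name differs from the neighbouring `acl_ht_remove` only by the ownership detail that matters most to callers, namely that the stored string is freed and any pointer previously obtained from `acl_ht_lookup` becomes dangling. A one-line comment on the declaration would capture that, e.g. `/* remove key from acl_ht and free the string it mapped to; no-op when key is absent */`, matching what the aclutil.c body in this patch does.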
diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c
index c0b8f57..9c81771 100644
--- a/ldap/servers/plugins/acl/aclutil.c
+++ b/ldap/servers/plugins/acl/aclutil.c
@@ -1387,6 +1387,17 @@ void acl_ht_add_and_freeOld(acl_ht_t * acl_ht,
 PL_HashTableAdd( acl_ht, (const void *)pkey, value);
 }
+void acl_ht_remove_and_free(acl_ht_t * acl_ht,
+ PLHashNumber key){
+ char *old_value = NULL;
+ uintptr_t pkey = (uintptr_t)key;
+
+ if ( (old_value = (char *)acl_ht_lookup( acl_ht, key)) != NULL ) {
+ acl_ht_remove( acl_ht, key);
+ slapi_ch_free_string(&old_value);
+ }
+}
+
 /*
 * Return a new acl_ht_t *
 */
diff --git a/ldap/servers/slapd/filterentry.c b/ldap/servers/slapd/filterentry.c
index d2c977e..7c99752 100644
--- a/ldap/servers/slapd/filterentry.c
+++ b/ldap/servers/slapd/filterentry.c
@@ -1034,8 +1034,11 @@ vattr_test_filter_list(
 for ( f = flist; f != NULL; f = f->f_next ) {
 if ( slapi_vattr_filter_test_ext_internal( pb, e, f, verify_access, only_check_access, access_check_done ) != 0 ) {
 /* optimize AND evaluation */
- if ( ftype == LDAP_FILTER_AND ) {
- /* one false is failure */
+ if ( ftype == LDAP_FILTER_AND || verify_access) {
+ /* one false is failure
+ * for AND all components need to match
+ * and for AND and OR access to ALL filter attributes is required
+ */
 nomatch = 1;
 break;
 }
@@ -1043,8 +1046,11 @@ vattr_test_filter_list(
 nomatch = 0;
 /* optimize OR evaluation too */
- if ( ftype == LDAP_FILTER_OR ) {
- /* only one needs to be true */
+ if ( ftype == LDAP_FILTER_OR && !verify_access) {
+ /* access to all atributes needs to be evaluated
+ * for filter matching
+ * only one needs to be true
+ */
 break;
 }
 }
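Review bot: `uintptr_t pkey = (uintptr_t)key;` in the new `acl_ht_remove_and_free` is never read — both `acl_ht_lookup` and `acl_ht_remove` are called with `key` directly — so it only yields an unused-variable warning and looks copied from `acl_ht_add_and_freeOld` above it; drop the line. Freeing `old_value` after `acl_ht_remove( acl_ht, key);` is only safe if `acl_ht_remove` does not itself release the stored value; its body is not in the diff, so that should be confirmed to rule out a double free. A short header comment stating that the function frees the mapped string would also document the ownership rule for callers.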
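Review bot: With `verify_access` set, the first filterentry.c hunk now treats any non-zero return from `slapi_vattr_filter_test_ext_internal` on an OR component as failure of the whole list; that is the right outcome for an access check, but it would wrongly fail an OR filter whose first component merely does not match if the return value can also mean "no match" on this path. The change is therefore only sound if callers that pass `verify_access` make the return mean "access denied" (for instance by also setting `only_check_access`), which cannot be seen from the hunk and deserves a sentence in the added comment, e.g. `* with verify_access a non-zero return means access was denied, so OR must not short-circuit`. The second hunk (`ftype == LDAP_FILTER_OR && !verify_access`) rests on the same assumption, and its comment spells "atributes". `vattr_test_filter_list` starts and ends outside both hunks.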