[389-commits] Branch '389-ds-base-1.3.3' - ldap/servers

Ludwig Krispenz lkrispen at fedoraproject.org
Thu Sep 4 07:57:58 UTC 2014 

 ldap/servers/plugins/deref/deref.c |   46 ++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 23 deletions(-)

New commits:
commit 9eae60a673279114f9dbb56a81cbf0f54e17d84a
Author: Ludwig Krispenz <lkrispen at redhat.com>
Date:   Wed Sep 3 13:44:17 2014 +0200

    Ticket 47885 - deref plugin should not return references with noc access rights
    
    Bug Description:  deref shows derefernced entries for which th client doesn't
                      have access as dn and empty attribute list
    
    Fix Description:   if client has no accesss to the derferernced entry then
                       omit it from the list in the deref control
                       In general, if no entries are returned don't send an empty control
    
    https://fedorahosted.org/389/ticket/47885
    
    Reviewed by: noriko, thanks

diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index f6588b0..96d42e6 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -591,13 +591,14 @@ deref_values_free(Slapi_ValueSet** results, char** actual_type_name, int buffer_
     slapi_vattr_values_free(results, actual_type_name, buffer_flags);
 }
 
-static void
-deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn, const char **attrs)
+static int
+deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn, const char *derefattr, const char **attrs)
 {
     char **retattrs = NULL;
     Slapi_PBlock *derefpb = NULL;
     Slapi_Entry **entries = NULL;
     int rc;
+    int needcontrol = 0;
 
 /*  If the access check on the attributes is done without retrieveing the entry
  *  it cannot handle acis which need teh entry, eg to apply a targetfilter rule
@@ -626,7 +627,9 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
                     slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
                              "The client does not have permission to read the requested "
                              "attributes in entry %s\n", derefdn);
-           } else {
+                } else {
+		    needcontrol = 1;
+                    ber_printf(ctrlber, "{ss", derefattr, derefdn); /* begin DerefRes + derefAttr + derefVal */
                     for (ii = 0; retattrs[ii]; ++ii) {
                         Slapi_Value *sv;
                         int idx = 0;
@@ -684,6 +687,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
                     if (needattrvals == 0) {
                         ber_printf(ctrlber, "}");
                     }
+                    ber_printf(ctrlber, "}"); /* end DerefRes */
                 }
             }
         } else { /* nothing */
@@ -700,7 +704,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
     slapi_pblock_destroy(derefpb);
     slapi_ch_free((void **)&retattrs); /* retattrs does not own the strings */
 
-    return;
+    return needcontrol;
 }
 
 static int
@@ -714,6 +718,7 @@ deref_pre_entry(Slapi_PBlock *pb)
     LDAPControl *ctrl = NULL;
     const LDAPControl **searchctrls = NULL;
     LDAPControl **newsearchctrls = NULL;
+    int needcontrol = 0;
 
     if (!speclist) {
         return 0; /* nothing to do */
@@ -757,31 +762,26 @@ deref_pre_entry(Slapi_PBlock *pb)
         for (; results && sv; idx = slapi_valueset_next_value(results, idx, &sv)) {
             const char *derefdn = slapi_value_get_string(sv);
 
-            ber_printf(ctrlber, "{ss", spec->derefattr, derefdn); /* begin DerefRes + derefAttr + derefVal */
-            deref_do_deref_attr(pb, ctrlber, derefdn, (const char **)spec->attrs);
-            ber_printf(ctrlber, "}"); /* end DerefRes */
+            needcontrol += deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr,  (const char **)spec->attrs);
         }
         deref_values_free(&results, &actual_type_name, buffer_flags);
     }
 
     ber_printf(ctrlber, "}"); /* end control val */
-
-    slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
-
-    ber_free(ctrlber, 1);
-
-    /* get the list of controls */
+ 
+    if (needcontrol) {
+        slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
+        /* get the list of controls */
 	slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
-
-    /* dup them */
-    slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
-
-    /* add our control */
-    slapi_add_control_ext(&newsearchctrls, ctrl, 0);
-    ctrl = NULL; /* newsearchctrls owns it now */
-
-    /* set the controls in the pblock */
-    slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
+        /* dup them */
+        slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
+        /* add our control */
+        slapi_add_control_ext(&newsearchctrls, ctrl, 0);
+        ctrl = NULL; /* newsearchctrls owns it now */
+        /* set the controls in the pblock */
+        slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
+    }
+    ber_free(ctrlber, 1);
 
     return 0;
 }

More information about the 389-commits mailing list