mreynolds pushed a change to branch 389-ds-base-1.3.5 in repository 389-ds-base.
from f057563 Issue 49065 - dbmon.sh fails if you have nsslapd-require-secure-binds enabled new ee63e40 Issue 49095 - targetattr wildcard evaluation is incorrectly case sensitive
Summary of changes: dirsrvtests/tests/tickets/ticket49095_test.py | 85 +++++++++++++++++++++++++++ ldap/servers/plugins/acl/acl.c | 10 ++-- 2 files changed, 90 insertions(+), 5 deletions(-) create mode 100644 dirsrvtests/tests/tickets/ticket49095_test.py
mreynolds pushed a commit to branch 389-ds-base-1.3.5 in repository 389-ds-base.
commit ee63e409ec6ff5afa19aed90673bf491d155df35 Author: Mark Reynolds mreynolds@redhat.com Date: Mon Mar 20 15:08:45 2017 -0400
Issue 49095 - targetattr wildcard evaluation is incorrectly case sensitive
Description: When processing an aci that uses a wildcard targetattr, the comparison should be done using case-insensitive functions.
https://pagure.io/389-ds-base/issue/49095
Reviewed by: firstyear(Thanks!)
(cherry picked from commit fdf78dca6c34b32522443c82ddd4c3c7ef04da80)
---
 dirsrvtests/tests/tickets/ticket49095_test.py | 85 +++++++++++++++++++++++++++
 ldap/servers/plugins/acl/acl.c | 10 ++--
 2 files changed, 90 insertions(+), 5 deletions(-)
diff --git a/dirsrvtests/tests/tickets/ticket49095_test.py b/dirsrvtests/tests/tickets/ticket49095_test.py
new file mode 100644
index 0000000..04f92b2
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49095_test.py
@@ -0,0 +1,85 @@
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+USER_DN = 'uid=testuser,dc=example,dc=com'
+acis = ['(targetattr != "tele*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
+ '(targetattr != "TELE*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
+ '(targetattr != "telephonenum*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
+ '(targetattr != "TELEPHONENUM*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)']
+
+
+def test_ticket49095(topo):
+ """Check that target attrbiutes with wildcards are case insensitive
+ """
+
+ # Add an entry
+ try:
+ topo.standalone.add_s(Entry((USER_DN, {
+ 'objectclass': 'top extensibleObject'.split(),
+ 'uid': 'testuser',
+ 'telephonenumber': '555-555-5555'
+ })))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add test user: ' + e.message['desc'])
+ assert False
+
+ for aci in acis:
+ # Add ACI
+ try:
+ topo.standalone.modify_s(DEFAULT_SUFFIX,
+ [(ldap.MOD_REPLACE, 'aci', aci)])
+
+ except ldap.LDAPError as e:
+ log.fatal('Failed to set aci: ' + aci + ': ' + e.message['desc'])
+ assert False
+
+ # Set Anonymous Bind to test aci
+ try:
+ topo.standalone.simple_bind_s("", "")
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind anonymously: ' + e.message['desc'])
+ assert False
+
+ # Search for entry - should not get any results
+ try:
+ entry = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE,
+ 'telephonenumber=*')
+ if entry:
+ log.fatal('The entry was incorrectly returned')
+ assert False
+ except ldap.LDAPError as e:
+ log.fatal('Failed to search anonymously: ' + e.message['desc'])
+ assert False
+
+ # Set root DN Bind so we can update aci's
+ try:
+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind anonymously: ' + e.message['desc'])
+ assert False
+
+ log.info("Test Passed")
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index ba6b774..1caa88a 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -3407,19 +3407,19 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
 }
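Review bot: In ticket49095_test.py the anonymous search looks unable to return the test entry whatever the ACI evaluation decides, so the test would pass with or without the acl.c fix. `search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE, 'telephonenumber=*')` reads only the suffix entry, while `telephonenumber` is set on `USER_DN`; this assumes DEFAULT_SUFFIX is the parent `dc=example,dc=com`, which comes from a star import not shown here. Using the user entry as the base, `entry = topo.standalone.search_s(USER_DN, ldap.SCOPE_BASE, 'telephonenumber=*')`, would make the "should not get any results" check able to fail. A control ACI whose pattern does not cover the attribute, with an assertion that the entry is then returned, would also show that the denial comes from the targetattr match. Separately, the except branch after `simple_bind_s(DN_DM, PASSWORD)` logs 'Failed to bind anonymously', which looks copied from the earlier bind and would mislead when triaging a failure.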
/* this assumes that str and the filter components are already
- * normalized. If not, it shoul be done
+ * normalized. If not, it should be done
 */ if ( initial != NULL) { len = strlen(initial); if (exact_match) {
- int rc = strncmp(p, initial, len);
+ int rc = strncasecmp(p, initial, len);
 if (rc) { return ACL_FALSE; } else { p += len; } } else {
- p = strstr(p, initial);
+ p = strcasestr(p, initial);
 if (p) { p += len; } else {
@@ -3430,7 +3430,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
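Review bot: `strcasestr()` in the `initial` branch, and again in the `any` loop of the next hunk, is a GNU/BSD extension rather than ISO C or POSIX. If its prototype is not in scope when acl.c is compiled, the call is implicitly declared as returning `int` and the pointer stored in `p` can be truncated on 64-bit builds. The includes are outside this hunk, so confirm the declaration is visible on every supported platform, or use NSPR's `PL_strcasestr()` if plstr.h is already available to this file. The change also makes every caller of acl_match_substring() case-insensitive, not only targetattr evaluation; its callers are not visible here, so check that none of them matches values where case is significant. The retained comment could say so, e.g. `/* str and the filter components are compared case-insensitively */`; the function body starts and ends outside the hunk.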
if ( any != NULL) { for (i = 0; any && any[i] != NULL; i++) {
- p = strstr(p, any[i]);
+ p = strcasestr(p, any[i]);
 if (p) { p += strlen(any[i]); } else {
@@ -3444,7 +3444,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
 len = strlen(final); tlen = strlen(p); if (len > tlen) return ACL_FALSE;
- if (strcmp(p+tlen-len, final)) return ACL_FALSE;
+ if (strcasecmp(p+tlen-len, final)) return ACL_FALSE;
 }
return ACL_TRUE;