From 0f64b72a0025b43ec62220a079b4a16e671932a3 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Sat, 1 Dec 2001 16:28:21 +0000
Subject: [PATCH] paranoid check for escaped dn separators when naively checking for rdn boundary
---
 servers/slapd/acl.c | 12 ++++++------
 servers/slapd/backend.c | 2 +-
 servers/slapd/limits.c | 2 +-
 servers/slapd/slap.h | 1 +
 4 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index f2b9d36cae..7c8a3a0a95 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -352,7 +352,7 @@ acl_get(
 if ( dnlen <= patlen ) continue;
- if ( e->e_ndn[dnlen - patlen - 1] != ',' )
+ if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) )
 continue; rdn = dn_rdn( NULL, e->e_ndn );
@@ -364,13 +364,13 @@ acl_get(
 continue; } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
- if ( dnlen > patlen && e->e_ndn[dnlen - patlen - 1] != ',' )
+ if ( dnlen > patlen && ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) ) )
 continue; } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) { if ( dnlen <= patlen ) continue;
- if ( e->e_ndn[dnlen - patlen - 1] != ',' )
+ if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) )
 continue; }
@@ -559,7 +559,7 @@ acl_mask(
 if ( odnlen <= patlen ) continue;
- if ( op->o_ndn[odnlen - patlen - 1] != ',' )
+ if ( !DN_SEPARATOR( op->o_ndn[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn[odnlen - patlen - 2] ) )
 continue; rdn = dn_rdn( NULL, op->o_ndn ); 
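Review bot: In the first acl_get hunk (`@@ -352`), the added `DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] )` reads index -1, one byte before the start of the DN string, when `dnlen == patlen + 1`, because the guard above it only rejects `dnlen <= patlen`. The read is reached only when `e_ndn[0]` is itself a separator, which a normalized DN presumably never is, but nothing visible in the hunk enforces that. Bounding the look-behind removes the dependency on that invariant: `|| ( dnlen - patlen > 1 && DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) )`. The same index pattern appears in the other acl_get and acl_mask hunks and in select_backend (`dn[(dnlen-len)-2]` when `dnlen == len + 1`); the enclosing functions start and end outside these hunks, so an earlier length check may exist that is not shown.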
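Review bot: In the second acl_get hunk (`@@ -364`), the one-character look-behind treats every separator preceded by the escape character as escaped, so a separator that follows an escaped escape character (two escape characters in a row) is wrongly taken as not being an RDN boundary and the clause is skipped via `continue`. Whether a normalized DN can contain that sequence is not visible here; if it can, the check needs to count the run of escape characters before the separator and treat the separator as escaped only when the count is odd. Skipping a clause that should match changes which access rule is applied, so the limitation deserves at least a comment at the check, e.g. `/* naive: a separator after an escaped escape char is treated as escaped */`. The same look-behind is used in the acl_mask hunks, backend.c and limits.c.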
@@ -571,13 +571,13 @@ acl_mask(
 continue; } else if ( b->a_dn_style == ACL_STYLE_SUBTREE ) {
- if ( odnlen > patlen && op->o_ndn[odnlen - patlen - 1] != ',' )
+ if ( odnlen > patlen && ( !DN_SEPARATOR( op->o_ndn[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn[odnlen - patlen - 2] ) ) )
 continue; } else if ( b->a_dn_style == ACL_STYLE_CHILDREN ) { if ( odnlen <= patlen ) continue;
- if ( op->o_ndn[odnlen - patlen - 1] != ',' )
+ if ( !DN_SEPARATOR( op->o_ndn[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn[odnlen - patlen - 2] ) )
 continue; }
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 86a787b76f..85ce098374 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -525,7 +525,7 @@ select_backend(
 }
- if ( len && len < dnlen && !DN_SEPARATOR( dn[(dnlen-len)-1] ) ) {
+ if ( len && len < dnlen && ( !DN_SEPARATOR( dn[(dnlen-len)-1] ) || DN_ESCAPE( dn[(dnlen-len)-2] ) ) ) {
 /* make sure we have a separator */ continue; }
diff --git a/servers/slapd/limits.c b/servers/slapd/limits.c
index 65f87d87f7..f45785921d 100644
--- a/servers/slapd/limits.c
+++ b/servers/slapd/limits.c
@@ -68,7 +68,7 @@ get_limits(
 } } else { /* check for unescaped rdn separator */
- if ( !DN_SEPARATOR( ndn[d-1] ) || SLAP_ESCAPE_CHAR == ndn[d-2] ) {
+ if ( !DN_SEPARATOR( ndn[d-1] ) || DN_ESCAPE( ndn[d-2] ) ) {
 break; } }
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index cd7909aeb6..25ba691f61 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -85,6 +85,7 @@ LDAP_BEGIN_DECL
 #define FILTER_ESCAPE(c) ( (c) == '*' || (c) == '\\' \
 || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) )
+#define DN_ESCAPE(c) ((c) == SLAP_ESCAPE_CHAR)
 #define DN_SEPARATOR(c) ((c) == ',' || (c) == ';')
 #define RDN_ATTRTYPEANDVALUE_SEPARATOR(c) ((c) == '+') /* RFC 2253 */
 #define RDN_SEPARATOR(c) (DN_SEPARATOR(c) || RDN_ATTRTYPEANDVALUE_SEPARATOR(c))
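Review bot: In the backend.c hunk (`@@ -525`, select_backend), the comment `/* make sure we have a separator */` no longer describes the condition, which now also skips the backend when the separator is preceded by the escape character. It should read `/* make sure we have an unescaped separator */`, matching the wording already used in limits.c. select_backend's body continues outside the hunk.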
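Review bot: In the slap.h hunk (`@@ -85`), `DN_ESCAPE` is added without a comment, and the two-macro test built on it is then written out by hand at eight call sites across acl.c, backend.c and limits.c, each with its own index arithmetic. A single helper defined beside it would keep those sites consistent and give one place to bound the look-behind. Under a suggested name, that could be `#define DN_UNESCAPED_SEPARATOR(s, i) ( DN_SEPARATOR( (s)[(i)] ) && !( (i) > 0 && DN_ESCAPE( (s)[(i) - 1] ) ) )`, with a comment that both arguments are evaluated more than once and that only one preceding character is examined.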