mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
Replace HACK in slap_sasl_canonicalize with safer test.
This commit is contained in:
parent
ab80b03057
commit
73207c7110
@ -818,17 +818,24 @@ slap_sasl_canonicalize(
|
||||
if ( auxvals[which].values )
|
||||
goto done;
|
||||
|
||||
if ( flags == SASL_CU_AUTHZID ) {
|
||||
/* If we got unqualified authzid's, they probably came from SASL
|
||||
* itself just passing the authcid to us. Look inside the oparams
|
||||
* structure to see if that's true. (HACK: the out_len pointer is
|
||||
* the address of a member of a sasl_out_params_t structure...)
|
||||
/* Normally we require an authzID to have a u: or dn: prefix.
|
||||
* However, SASL frequently gives us an authzID that is just
|
||||
* an exact copy of the authcID, without a prefix. We need to
|
||||
* detect and allow this condition. If SASL calls canonicalize
|
||||
* with SASL_CU_AUTHID|SASL_CU_AUTHZID this is a no-brainer.
|
||||
* But if it's broken into two calls, we need to remember the
|
||||
* authcID so that we can compare the authzID later. We store
|
||||
* the authcID temporarily in conn->c_sasl_dn. We necessarily
|
||||
* finish Canonicalizing before Authorizing, so there is no
|
||||
* conflict with slap_sasl_authorize's use of this temp var.
|
||||
*/
|
||||
sasl_out_params_t dummy;
|
||||
int offset = (void *)&dummy.ulen - (void *)&dummy.authid;
|
||||
char **authid = (void *)out_len - offset;
|
||||
if ( *authid && !strcmp( in, *authid ) )
|
||||
goto done;
|
||||
if ( flags == SASL_CU_AUTHID ) {
|
||||
conn->c_sasl_dn.bv_val = in;
|
||||
} else if ( flags == SASL_CU_AUTHZID && conn->c_sasl_dn.bv_val ) {
|
||||
rc = strcmp( in, conn->c_sasl_dn.bv_val );
|
||||
conn->c_sasl_dn.bv_val = NULL;
|
||||
/* They were equal, no work needed */
|
||||
if ( !rc ) goto done;
|
||||
}
|
||||
|
||||
rc = slap_sasl_getdn( conn, (char *)in, inlen, (char *)user_realm, &dn,
|
||||
|
Loading…
Reference in New Issue
Block a user