ignore attrs in search request that do not conform to RFC 4511 4.5.1.8. or standard track extensions (ITS#6819)

2025-01-24 13:24:56 +08:00 · 2011-02-01 23:13:58 +00:00 · 2011-02-01 23:13:58 +00:00 · e4fcc294fa
commit e4fcc294fa
parent 15c8ad1f46
3 changed files with 35 additions and 4 deletions
--- a/servers/slapd/ad.c
+++ b/servers/slapd/ad.c
@ -76,7 +76,7 @@ static int msad_range_hack = 0;

 static Attr_option *ad_find_option_definition( const char *opt, int optlen );

-static int ad_keystring(
+int ad_keystring(
 	struct berval *bv )
 {
 	ber_len_t i;
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -129,6 +129,7 @@ LDAP_SLAPD_F (int) slap_bv2ad LDAP_P((
 	const char **text ));

 LDAP_SLAPD_F (void) ad_destroy LDAP_P(( AttributeDescription * ));
+LDAP_SLAPD_F (int) ad_keystring LDAP_P(( struct berval *bv ));

 #define ad_cmp(l,r)	(((l)->ad_cname.bv_len < (r)->ad_cname.bv_len) \
 	? -1 : (((l)->ad_cname.bv_len > (r)->ad_cname.bv_len) \
--- a/servers/slapd/search.c
+++ b/servers/slapd/search.c
@ -156,10 +156,40 @@ do_search(
 		if ( slap_bv2ad( &op->ors_attrs[i].an_name,
 			&op->ors_attrs[i].an_desc, &dummy ) != LDAP_SUCCESS )
 		{
-			slap_bv2undef_ad( &op->ors_attrs[i].an_name,
+			if ( slap_bv2undef_ad( &op->ors_attrs[i].an_name,
 				&op->ors_attrs[i].an_desc, &dummy,
-				SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
-		};
+				SLAP_AD_PROXIED|SLAP_AD_NOINSERT ) )
+			{
+				struct berval *bv = &op->ors_attrs[i].an_name;
+
+				/* RFC 4511 LDAPv3: All User Attributes */
+				if ( bvmatch( bv, slap_bv_all_user_attrs ) ) {
+					continue;
+				}
+
+				/* RFC 3673 LDAPv3: All Operational Attributes */
+				if ( bvmatch( bv, slap_bv_all_operational_attrs ) ) {
+					continue;
+				}
+
+				/* RFC 4529 LDAP: Requesting Attributes by Object Class */
+				if ( bv->bv_len > 1 && bv->bv_val[0] == '@' ) {
+					/* FIXME: check if remaining is valid oc name? */
+					continue;
+				}
+
+				/* add more "exceptions" to RFC 4511 4.5.1.8. */
+
+				/* invalid attribute description? remove */
+				if ( ad_keystring( bv ) ) {
+					/* NOTE: parsed in-place, don't modify;
+					 * rather add "1.1", which must be ignored */
+					BER_BVSTR( &op->ors_attrs[i].an_name, LDAP_NO_ATTRS );
+				}
+
+				/* otherwise leave in place... */
+			}
+		}
 	}

 	if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {