ITS#9251 make max filter depth configurable

2024-12-27 03:20:22 +08:00 · 2021-03-22 17:31:13 +00:00 · 2021-03-22 17:31:13 +00:00 · f1ebb45695
commit f1ebb45695
parent da57548e52
7 changed files with 18 additions and 5 deletions
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@ -689,6 +689,10 @@ This level should usually also be included when using other loglevels, to
 help analyze the logs.
 .RE
 .TP
+.B olcMaxFilterDepth: <integer>
+Specify the maximum depth of nested filters in search requests.
+The default is 1000.
+.TP
 .B olcPasswordCryptSaltFormat: <format>
 Specify the format of the salt passed to
 .BR crypt (3)
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@ -743,6 +743,10 @@ This level should usually also be included when using other loglevels, to
 help analyze the logs.
 .RE
 .TP
+.B maxfilterdepth <integer>
+Specify the maximum depth of nested filters in search requests.
+The default is 1000.
+.TP
 .B moduleload <filename>
 Specify the name of a dynamically loadable module to load. The filename
 may be an absolute path name or a simple filename. Non-absolute names
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@ -480,6 +480,10 @@ static ConfigTable config_back_cf_table[] = {
 		&config_generic, "( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' "
 			"EQUALITY integerMatch "
 			"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
+	{ "maxFilterDepth", "depth", 2, 2, 0, ARG_INT,
+		&slap_max_filter_depth, "( OLcfgGlAt:101 NAME 'olcMaxFilterDepth' "
+			"EQUALITY integerMatch "
+			"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 	{ "multiprovider", "on|off", 2, 2, 0, ARG_DB|ARG_ON_OFF|ARG_MAGIC|CFG_MULTIPROVIDER,
 		&config_generic, "( OLcfgDbAt:0.16 NAME ( 'olcMultiProvider' 'olcMirrorMode' ) "
 			"EQUALITY booleanMatch "
@ -952,6 +956,7 @@ static ConfigOCs cf_ocs[] = {
 		 "olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexHash64 $ "
 		 "olcIndexIntLen $ "
 		 "olcListenerThreads $ olcLocalSSF $ olcLogFile $ olcLogLevel $ "
+		 "olcMaxFilterDepth $ "
 		 "olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ "
 		 "olcPluginLogFile $ olcReadOnly $ olcReferral $ "
 		 "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@ -84,6 +84,8 @@ ber_len_t sockbuf_max_incoming_auth= SLAP_SB_MAX_INCOMING_AUTH;
 int	slap_conn_max_pending = SLAP_CONN_MAX_PENDING_DEFAULT;
 int	slap_conn_max_pending_auth = SLAP_CONN_MAX_PENDING_AUTH;

+int	slap_max_filter_depth = SLAP_MAX_FILTER_DEPTH_DEFAULT;
+
 char   *slapd_pid_file  = NULL;
 char   *slapd_args_file = NULL;

--- a/servers/slapd/filter.c
+++ b/servers/slapd/filter.c
@ -37,10 +37,6 @@
 const Filter *slap_filter_objectClass_pres;
 const struct berval *slap_filterstr_objectClass_pres;

-#ifndef SLAPD_MAX_FILTER_DEPTH
-#define SLAPD_MAX_FILTER_DEPTH	5000
-#endif
-
 static int	get_filter_list(
 	Operation *op,
 	BerElement *ber,
@ -132,7 +128,7 @@ get_filter0(
 	 *
 	 */

-	if( depth > SLAPD_MAX_FILTER_DEPTH ) {
+	if( depth > slap_max_filter_depth ) {
 		*text = "filter nested too deeply";
 		return SLAPD_DISCONNECT;
 	}
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -2067,6 +2067,7 @@ LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming;
 LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming_auth;
 LDAP_SLAPD_V (int)		slap_conn_max_pending;
 LDAP_SLAPD_V (int)		slap_conn_max_pending_auth;
+LDAP_SLAPD_V (int)		slap_max_filter_depth;

 LDAP_SLAPD_V (slap_mask_t)	global_allows;
 LDAP_SLAPD_V (slap_mask_t)	global_disallows;
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -143,6 +143,7 @@ LDAP_BEGIN_DECL

 #define SLAP_CONN_MAX_PENDING_DEFAULT	100
 #define SLAP_CONN_MAX_PENDING_AUTH	1000
+#define SLAP_MAX_FILTER_DEPTH_DEFAULT	1000

 #define SLAP_TEXT_BUFLEN (256)