From cdcac0e270621dfd7dc2ef0b8caaaa15c0ed72c5 Mon Sep 17 00:00:00 2001
From: Niklas Abel
Date: Tue, 9 Aug 2016 11:25:14 -0700
Subject: [PATCH] s4: ldap: Ignore searches with a suffix of ';binary'.

FIXME: Does this violate RFC4522 ?

https://www.ietf.org/rfc/rfc4522.txt

Major contributions by: Volker Lendecke

Signed-off-by: Niklas Abel
Reviewed-by: Jeremy Allison
---
 source4/dsdb/samdb/ldb_modules/resolve_oids.c | 75 +++++++++++++++++++++++++++
 source4/dsdb/tests/python/ldap_syntaxes.py | 7 +++
 2 files changed, 82 insertions(+)

diff --git a/source4/dsdb/samdb/ldb_modules/resolve_oids.c b/source4/dsdb/samdb/ldb_modules/resolve_oids.c
index b5c5f8e..75e40ee 100644
--- a/source4/dsdb/samdb/ldb_modules/resolve_oids.c
+++ b/source4/dsdb/samdb/ldb_modules/resolve_oids.c
@@ -440,6 +440,66 @@ static int resolve_oids_callback(struct ldb_request *req, struct ldb_reply *ares
 return LDB_SUCCESS;
 }
 
+/**
+ * Strips suffix from an attribute,
+ * if there is any.
+*/
+const static char *strip_suffix(const void *mem_ctx, const char *attr,
+ const char *suffix)
+{
+ size_t attr_length = 0;
+ size_t suffix_length = 0;
+ size_t new_attr_size = 0;
+ const char *tmp = NULL;
+ int cmp = -1;
+
+ if (!attr || !*attr || !suffix || !*suffix) {
+ return talloc_strdup(mem_ctx, attr);
+ }
+ attr_length = strlen(attr);
+ suffix_length = strlen(suffix);
+ if (attr_length < suffix_length) {
+ return talloc_strdup(mem_ctx, attr);
+ }
+ new_attr_size = (attr_length - suffix_length);
+ tmp = attr + new_attr_size;
+ cmp = strcasecmp(suffix, tmp);
+ if (cmp == 0) {
+ return talloc_strndup(mem_ctx, attr, new_attr_size);
+ }
+ return talloc_strdup(mem_ctx, attr);
+}
+
+/**
+ * Modified version of str_list_copy_const() which creates the new list without
+ * entries with a ";binary" tail.
+*/
+static const char **str_list_copy_const_clean_suffix(TALLOC_CTX *mem_ctx,
+ const char **list)
+{
+ int i;
+ const char **ret;
+
+ if (list == NULL) {
+ return NULL;
+ }
+
+ ret = talloc_array(mem_ctx, const char *, str_list_length(list)+1);
+ if (ret == NULL) {
+ return NULL;
+ }
+
+ for (i=0;list && list[i];i++) {
+ ret[i] = strip_suffix(list, list[i], ";binary");
+ if (ret[i] == NULL) {
+ TALLOC_FREE(ret);
+ return NULL;
+ }
+ }
+ ret[i] = NULL;
+ return ret;
+}
+
 static int resolve_oids_search(struct ldb_module *module, struct ldb_request *req)
 {
 struct ldb_context *ldb;
@@ -449,9 +509,11 @@ static int resolve_oids_search(struct ldb_module *module, struct ldb_request *re
 struct resolve_oids_context *ac;
 int ret;
 bool needed = false;
+ bool needclean = false;
 const char * const *attrs1;
 const char **attrs2;
 unsigned int i;
+ const char ** cleaned_attrs;
 
 ldb = ldb_module_get_ctx(module);
 schema = dsdb_get_schema(ldb, NULL);
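Review bot: In str_list_copy_const_clean_suffix the stripped strings are allocated with `list` as their talloc parent (`strip_suffix(list, list[i], ";binary")`) rather than the array they are stored in, so `TALLOC_FREE(ret)` on the error path leaks the strings already copied and the lifetime of `ret` and its entries diverge; `ret[i] = strip_suffix(ret, list[i], ";binary");` keeps them together. The caller passes `req->op.search.attrs` as `list`, and if any caller supplies that array from non-talloc memory, using it as a talloc context is invalid — worth confirming for the module's callers. In strip_suffix an attribute that is exactly the suffix is reduced to an empty name, because `attr_length == suffix_length` passes the guard and `talloc_strndup(mem_ctx, attr, 0)` returns ""; `if (attr_length <= suffix_length) {` would leave such a name untouched. Minor style: `const static char *` is conventionally written `static const char *`, and the doc comment should mention that the suffix match is case-insensitive (`strcasecmp`).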
@@ -479,6 +541,10 @@ static int resolve_oids_search(struct ldb_module *module, struct ldb_request *re
 const char *p;
 const struct dsdb_attribute *a;
 
+ p = strchr(attrs1[i], ';');
+ if (p != NULL) {
+ needclean = true;
+ }
 p = strchr(attrs1[i], '.');
 if (p == NULL) {
 continue;
@@ -493,6 +559,15 @@ static int resolve_oids_search(struct ldb_module *module, struct ldb_request *re
 break;
 }
 
+ if (needclean) {
+ cleaned_attrs = str_list_copy_const_clean_suffix(
+ req,
+ discard_const_p(const char *, req->op.search.attrs));
+ if (cleaned_attrs) {
+ req->op.search.attrs = cleaned_attrs;
+ }
+ }
+
 if (!needed) {
 return ldb_next_request(module, req);
 }
diff --git a/source4/dsdb/tests/python/ldap_syntaxes.py b/source4/dsdb/tests/python/ldap_syntaxes.py
index 56a1755..762f66e 100755
--- a/source4/dsdb/tests/python/ldap_syntaxes.py
+++ b/source4/dsdb/tests/python/ldap_syntaxes.py
@@ -82,6 +82,13 @@ systemOnly: FALSE
 self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_display_name)
 self.assertTrue("schemaIDGUID" in res[0])
 
+ # search for created attribute with ";binary" suffix
+ res = []
+ res = self.ldb.search("cn=%s,%s" % (attr_name+";binary", self.schema_dn), scope=SCOPE_BASE, attrs=["*"])
+ self.assertEquals(len(res), 1)
+ self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_display_name)
+ self.assertTrue("schemaIDGUID" in res[0])
+
 class_name = "test-Class-DN-String" + time.strftime("%s", time.gmtime())
 class_ldap_display_name = class_name.replace("-", "")
 
-- 
2.8.0.rc3.226.g39d4020
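Review bot: A NULL return from str_list_copy_const_clean_suffix is silently ignored (`if (cleaned_attrs)`), so on allocation failure the search continues with the unmodified attribute list instead of failing; `if (cleaned_attrs == NULL) { return ldb_oom(ldb); }` would report it, with `ldb` already in scope from `ldb_module_get_ctx`. Note also that `attrs1` was taken from `req->op.search.attrs` before this block replaces it; if the `needed` path further down (outside this hunk) builds `attrs2` from `attrs1` rather than re-reading `req->op.search.attrs`, the ";binary" options survive on that path — worth confirming. Replacing `req->op.search.attrs` in place mutates the caller's request rather than a module-local copy; a short comment such as `/* cleaned copy is allocated under req and freed with it */` would record the ownership. The body of resolve_oids_search continues outside the hunk.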
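Review bot: The new search appends ";binary" to the RDN value of the base DN (`"cn=%s,%s" % (attr_name+";binary", ...)`) while the requested attribute list stays `attrs=["*"]`, so it is not obvious that it exercises the attribute-option stripping added in resolve_oids.c, which operates on `req->op.search.attrs`; a search against the unmodified DN requesting e.g. `attrs=["lDAPDisplayName;binary"]` and asserting the attribute is returned would cover that path directly — confirm which behaviour the DN form is meant to test. The `res = []` before the search is a dead store, since the next line rebinds `res`. The enclosing test method starts and ends outside the hunk.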