Friday, September 2, 2016

[389-devel] Re: [389-commits] 2 commits - dirsrvtests/tests ldap/servers

On (31/08/16 23:38), Noriko Hosoi wrote:
> dirsrvtests/tests/tickets/ticket48896_test.py | 181 ++++++++++++++++++++++++++
> ldap/servers/slapd/modify.c | 3
> ldap/servers/slapd/pw.c | 43 ++++--
> ldap/servers/slapd/slapi-plugin.h | 4
> ldap/servers/slapd/utf8.c | 46 ++++++
> 5 files changed, 266 insertions(+), 11 deletions(-)
>
>commit 054f3ce507650935a54582141abac235fd1b0c00
>Author: Noriko Hosoi <nhosoi@redhat.com>
>Date: Wed Jun 22 17:38:08 2016 -0700
>
> Ticket #48896 - Default Setting for passwordMinTokenLength does not work
>
> Description: passwordMinTokenLength is supposed to be used for the
> length of comparison between the substring of obvious strings and
> a new password. But it was not used to generate substrings. This
> patch implements it.
>
> Also, old_pw was leaked in modify if password history was not enabled.
>
> https://fedorahosted.org/389/ticket/48896
>
> Reviewed by mreynolds@redhat.com (Thank you, Mark!)
>
>diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
>index 72f2db4..2be6930 100644
>--- a/ldap/servers/slapd/modify.c
>+++ b/ldap/servers/slapd/modify.c
>@@ -390,7 +390,8 @@ do_modify( Slapi_PBlock *pb )
> ldap_mods_free (normalized_mods, 1 /* Free the Array and the Elements */);
>
> free_and_return:;
>- slapi_ch_free ((void**)&rawdn);
>+ slapi_ch_free_string(&old_pw);
>+ slapi_ch_free_string(&rawdn);
> slapi_mods_done(&smods);
> }
>
>diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
>index 7658064..ed83ded 100644
>--- a/ldap/servers/slapd/pw.c
>+++ b/ldap/servers/slapd/pw.c
>@@ -621,7 +621,6 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw)
> /* update passwordHistory */
> if ( old_pw != NULL && pwpolicy->pw_history == 1 ) {
> (void)update_pw_history(pb, sdn, old_pw);
>- slapi_ch_free ( (void**)&old_pw );
> }
>
> /* Update the "pwdUpdateTime" attribute */
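Review bot: With the `slapi_ch_free` call removed from this branch, update_pw_info no longer consumes `old_pw`, so every caller now has to free it itself. The do_modify hunk in modify.c does, but any other caller that relied on the old behaviour would now leak the previous password value; those call sites are not visible in this patch and should be checked. I would record the contract above the function with a comment such as `/* old_pw is borrowed: the caller keeps ownership and must free it */`. The body of update_pw_info starts and ends outside this hunk.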
>@@ -1046,9 +1045,13 @@ retry:
> * This is because password policy assumes that there's only one
> * password in the userpassword attribute.
> */
>- *old_pw = slapi_ch_strdup(slapi_value_get_string(va[0]));
>+ if (old_pw) {
>+ *old_pw = slapi_ch_strdup(slapi_value_get_string(va[0]));
>+ }
> } else {
>- *old_pw = NULL;
>+ if (old_pw) {
>+ *old_pw = NULL;
>+ }
> }
> }
> }
>@@ -1472,13 +1475,13 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char
> {
> /* Add new value to valueset */
> valp = slapi_value_new_berval( bvp );
>- slapi_valueset_add_value_ext( vs, valp, SLAPI_VALUE_FLAG_PASSIN );
>+ slapi_valueset_add_value_ext( vs, valp, SLAPI_VALUE_FLAG_PASSIN );
> valp = NULL;
> }
> }
> }
> /* Free smod */
>- slapi_mod_free(&smod);
>+ slapi_mod_free(&smod);
> smod = NULL;
> smodp = NULL;
> }
>@@ -1490,17 +1493,37 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char
> (i != -1) && (valp != NULL);
> i = slapi_valueset_next_value( vs, i, &valp) )
> {
>+ char *sp, *ep, *wp;
>+ int found = 0;
> /* If the value is smaller than the max token length,
> * we don't need to check the password */
> if ( (int)ldap_utf8characters(slapi_value_get_string( valp )) < toklen )
> continue;
>
>+ sp = slapi_ch_strdup(slapi_value_get_string(valp));
>+ ep = sp + strlen(sp);
>+ ep = ldap_utf8prevn(sp, ep, toklen);
>+ if (!ep || (sp >= ep)) {
>+ continue;
>+ }
> /* See if the password contains the value */
>- if ( PL_strcasestr( slapi_value_get_string( vals[0] ),
>- slapi_value_get_string( valp ) ) )
>- {
>- if ( pwresponse_req == 1 )
>- {
>+ for (wp = sp; wp && (wp <= ep); wp = ldap_utf8next(wp)) {
>+ char *tp = ldap_utf8nextn(wp, toklen);
>+ char c;
>+ if (tp) {
>+ c = *tp;
>+ *tp = '\0';
>+ } else {
>+ break;
>+ }
>+ if (PL_strcasestr(slapi_value_get_string(vals[0]), wp)) {
>+ found = 1;
>+ }
>+ *tp = c;
>+ }
>+ slapi_ch_free_string(&sp);
>+ if (found) {
>+ if ( pwresponse_req == 1 ) {
> slapi_pwpolicy_make_response_control ( pb, -1, -1,
> LDAP_PWPOLICY_INVALIDPWDSYNTAX );
> }
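Review bot: The early `continue` after the `ldap_utf8prevn` call skips the `slapi_ch_free_string(&sp)` further down, so the copy made by `slapi_ch_strdup` leaks for every value that takes that path. The `sp >= ep` test also looks one step too strict: if ldap_utf8prevn (defined in utf8.c, not shown here) returns `sp` for a value that is exactly `toklen` characters long, that value is skipped and never compared with the new password, although the loop condition `wp <= ep` would handle it. I would write the guard as `if (!ep || (sp > ep)) { slapi_ch_free_string(&sp); continue; }`. The scan could also `break` once `found` is set, after restoring `*tp`. check_trivial_words starts and ends outside this hunk.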
>diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
>index 89853c0..7022e59 100644
>--- a/ldap/servers/slapd/slapi-plugin.h
>+++ b/ldap/servers/slapd/slapi-plugin.h
>@@ -7455,6 +7455,10 @@ int ldap_utf8len( const char* );
> char *ldap_utf8next( char* );
> /* find previous character */
> char *ldap_utf8prev( char* );
>+/* find n-th character */
>+char *ldap_utf8nextn (char* s, int n);
>+/* find n-th previous character from "from" */
>+char *ldap_utf8prevn (char *s, char *from, int n);
These new functions are defined inside #if defined(USE_OPENLDAP)

I'm not sure whether you care or not
but this patch broke a build with mozldap.

sh$ make V=0 -j4
make all-am
make[1]: Entering directory '/tmp/ds'
GEN libacl-plugin.la
CCLD mmldif-bin
CCLD pwdhash-bin
CCLD migratecred-bin
./.libs/libslapd.so: undefined reference to `ldap_utf8nextn'
./.libs/libslapd.so: undefined reference to `ldap_utf8prevn'
collect2: error: ld returned 1 exit status
Makefile:5175: recipe for target 'mmldif-bin' failed
make[1]: *** [mmldif-bin] Error 1
make[1]: *** Waiting for unfinished jobs....
./.libs/libslapd.so: undefined reference to `ldap_utf8nextn'
./.libs/libslapd.so: undefined reference to `ldap_utf8prevn'
collect2: error: ld returned 1 exit status
./.libs/libslapd.so: undefined reference to `ldap_utf8nextn'
./.libs/libslapd.so: undefined reference to `ldap_utf8prevn'
collect2: error: ld returned 1 exit status
Makefile:5282: recipe for target 'pwdhash-bin' failed
make[1]: *** [pwdhash-bin] Error 1
Makefile:5168: recipe for target 'migratecred-bin' failed
make[1]: *** [migratecred-bin] Error 1
make[1]: Leaving directory '/tmp/ds'
Makefile:3242: recipe for target 'all' failed
make: *** [all] Error 2

LS
