
List:       fedora-directory-commits
Subject:    [389-commits] Branch '389-ds-base-1.2.11' - ldap/servers
From:       Noriko Hosoi <nhosoi () fedoraproject ! org>
Date:       2013-03-28 18:12:05
Message-ID: 20130328181205.F36D71C23 () fedorahosted ! org

 ldap/servers/slapd/search.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit 5a18c828533a670e7143327893f8171a19062286
Author: Noriko Hosoi <nhosoi@redhat.com>
Date:   Thu Mar 28 11:08:18 2013 -0700

    Ticket #47308 - unintended information exposure when anonymous access is set to rootdse
    
    Bug description: The actual search base was not being checked
    at all.  There was a check for the search base when this feature
    was initially implemented, but it was inadvertently removed when
    changes were made to reduce the DN normalization throughout the
    source tree (commit f6397113666f06848412bb12f754f04258cfa5fa).
    
    Fix description: This patch adds the search base check back.
    
    Note: CVE-2013-1897
    
    https://fedorahosted.org/389/ticket/47308
    
    Reviewed by Rich, Noriko and Mark.
    (cherry picked from commit 4b2d700b77c1d4a0a2ad6592e2296068a200cbdd)

diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
index c3d51d6..7719727 100644
--- a/ldap/servers/slapd/search.c
+++ b/ldap/servers/slapd/search.c
@@ -141,7 +141,7 @@ do_search( Slapi_PBlock *pb )
 	/* If anonymous access is only allowed for searching the root DSE,
 	 * we need to reject any other anonymous search attempts. */
 	if ((slapi_sdn_get_dn(&(operation->o_sdn)) == NULL) &&
-	    (scope != LDAP_SCOPE_BASE) &&
+	    ((rawbase && strlen(rawbase) > 0) || (scope != LDAP_SCOPE_BASE)) &&
 	    (config_get_anon_access_switch() == SLAPD_ANON_ACCESS_ROOTDSE)) {
 		op_shared_log_error_access(pb, "SRCH", rawbase?rawbase:"",
 		                           "anonymous search not allowed");
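Review bot: the new condition treats a NULL `rawbase` the same as an empty string, so an anonymous search that arrives with no base DN and `LDAP_SCOPE_BASE` is still admitted as a root DSE query; if that is intentional, the comment above the check (which still describes only the scope test) should say that the base DN is now checked too and that an absent base counts as the root DSE. Minor: `(rawbase && *rawbase)` expresses the non-empty test without walking the whole DN in `strlen()`, and a regression test for ticket 47308 covering a non-empty base with `LDAP_SCOPE_BASE` would guard against the check being dropped again during future DN-normalization cleanups, as the commit message says happened before.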


--
389 commits mailing list
389-commits@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-commits