On (31/08/16 23:38), Noriko Hosoi wrote:
> dirsrvtests/tests/tickets/ticket48896_test.py | 181 ++++++++++++++++++++++++++
> ldap/servers/slapd/modify.c | 3
> ldap/servers/slapd/pw.c | 43 ++++--
> ldap/servers/slapd/slapi-plugin.h | 4
> ldap/servers/slapd/utf8.c | 46 ++++++
> 5 files changed, 266 insertions(+), 11 deletions(-)
>
>commit 054f3ce507650935a54582141abac235fd1b0c00
>Author: Noriko Hosoi <nhosoi@xxxxxxxxxx>
>Date: Wed Jun 22 17:38:08 2016 -0700
>
> Ticket #48896 - Default Setting for passwordMinTokenLength does not work
>
> Description: passwordMinTokenLength is supposed to be used for the
> length of comparison between the substring of obvious strings and
> a new password. But it was not used to generate substrings. This
> patch implements it.
>
> Also, old_pw was leaked in modify if password history was not enabled.
>
> https://fedorahosted.org/389/ticket/48896
>
> Reviewed by mreynolds@xxxxxxxxxx (Thank you, Mark!)
>
>diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
>index 72f2db4..2be6930 100644
>--- a/ldap/servers/slapd/modify.c
>+++ b/ldap/servers/slapd/modify.c
>@@ -390,7 +390,8 @@ do_modify( Slapi_PBlock *pb )
> ldap_mods_free (normalized_mods, 1 /* Free the Array and the Elements */);
>
> free_and_return:;
>- slapi_ch_free ((void**)&rawdn);
>+ slapi_ch_free_string(&old_pw);
>+ slapi_ch_free_string(&rawdn);
> slapi_mods_done(&smods);
> }
>
>diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
>index 7658064..ed83ded 100644
>--- a/ldap/servers/slapd/pw.c
>+++ b/ldap/servers/slapd/pw.c
>@@ -621,7 +621,6 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw)
> /* update passwordHistory */
> if ( old_pw != NULL && pwpolicy->pw_history == 1 ) {
> (void)update_pw_history(pb, sdn, old_pw);
>- slapi_ch_free ( (void**)&old_pw );
> }
>
> /* Update the "pwdUpdateTime" attribute */
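Review bot: The unconditional `slapi_ch_free_string(&old_pw)` at `free_and_return` in do_modify presumes `old_pw` is NULL-initialized at its declaration, which lies outside this hunk, because the label is reachable from early-exit paths before any old password was read; worth confirming at the declaration. The same commit drops the free from update_pw_info (the pw.c hunk at -621), so on every path the buffer is now owned by the caller, but nothing at either site says so. A comment on the update_pw_info parameter such as `/* old_pw: borrowed from the caller, which frees it; never freed here */` would keep the next maintainer from reintroducing a double free. The bodies of do_modify and update_pw_info both continue outside their hunks.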
>@@ -1046,9 +1045,13 @@ retry:
> * This is because password policy assumes that there's only one
> * password in the userpassword attribute.
> */
>- *old_pw = slapi_ch_strdup(slapi_value_get_string(va[0]));
>+ if (old_pw) {
>+ *old_pw = slapi_ch_strdup(slapi_value_get_string(va[0]));
>+ }
> } else {
>- *old_pw = NULL;
>+ if (old_pw) {
>+ *old_pw = NULL;
>+ }
> }
> }
> }
>@@ -1472,13 +1475,13 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char
> {
> /* Add new value to valueset */
> valp = slapi_value_new_berval( bvp );
>- slapi_valueset_add_value_ext( vs, valp, SLAPI_VALUE_FLAG_PASSIN );
>+ slapi_valueset_add_value_ext( vs, valp, SLAPI_VALUE_FLAG_PASSIN );
> valp = NULL;
> }
> }
> }
> /* Free smod */
>- slapi_mod_free(&smod);
>+ slapi_mod_free(&smod);
> smod = NULL;
> smodp = NULL;
> }
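Review bot: The two new `if (old_pw)` guards in the -1046 hunk make `old_pw` an optional out-parameter, but that contract is stated nowhere; the function's header comment (outside this hunk) should say the pointer may be NULL when the caller does not want the previous value. Stylistically, the same check on both arms of the existing `if`/`else` reads better hoisted once around the assignment, e.g. `if (old_pw) { *old_pw = CONDITION_FROM_ABOVE ? slapi_ch_strdup(slapi_value_get_string(va[0])) : NULL; }`, where the condition is the one that opens the `if` outside this hunk. The -1472 hunk in the same file is indentation only.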
>@@ -1490,17 +1493,37 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char
> (i != -1) && (valp != NULL);
> i = slapi_valueset_next_value( vs, i, &valp) )
> {
>+ char *sp, *ep, *wp;
>+ int found = 0;
> /* If the value is smaller than the max token length,
> * we don't need to check the password */
> if ( (int)ldap_utf8characters(slapi_value_get_string( valp )) < toklen )
> continue;
>
>+ sp = slapi_ch_strdup(slapi_value_get_string(valp));
>+ ep = sp + strlen(sp);
>+ ep = ldap_utf8prevn(sp, ep, toklen);
>+ if (!ep || (sp >= ep)) {
>+ continue;
>+ }
> /* See if the password contains the value */
>- if ( PL_strcasestr( slapi_value_get_string( vals[0] ),
>- slapi_value_get_string( valp ) ) )
>- {
>- if ( pwresponse_req == 1 )
>- {
>+ for (wp = sp; wp && (wp <= ep); wp = ldap_utf8next(wp)) {
>+ char *tp = ldap_utf8nextn(wp, toklen);
>+ char c;
>+ if (tp) {
>+ c = *tp;
>+ *tp = '\0';
>+ } else {
>+ break;
>+ }
>+ if (PL_strcasestr(slapi_value_get_string(vals[0]), wp)) {
>+ found = 1;
>+ }
>+ *tp = c;
>+ }
>+ slapi_ch_free_string(&sp);
>+ if (found) {
>+ if ( pwresponse_req == 1 ) {
> slapi_pwpolicy_make_response_control ( pb, -1, -1,
> LDAP_PWPOLICY_INVALIDPWDSYNTAX );
> }
>diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
>index 89853c0..7022e59 100644
>--- a/ldap/servers/slapd/slapi-plugin.h
>+++ b/ldap/servers/slapd/slapi-plugin.h
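Review bot: The `continue` under `if (!ep || (sp >= ep))` leaks the copy just made by `slapi_ch_strdup`, because the only `slapi_ch_free_string(&sp)` sits after the scanning loop. The same test also silently skips trivial words of exactly `toklen` characters: for those, `ldap_utf8prevn(sp, sp + strlen(sp), toklen)` should return `sp` itself if it behaves as its header comment in the slapi-plugin.h hunk describes, so `sp >= ep` is true even though the value passed the length check a few lines up and was still matched by the old `PL_strcasestr` call on the whole value. Both are covered by `if (!ep || (ep < sp)) { slapi_ch_free_string(&sp); continue; }`. A `break` after `*tp = c;` once `found` is set would also stop scanning the remaining windows, though that is cost rather than correctness. The enclosing loop in check_trivial_words opens before this hunk and its body continues past it.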
>@@ -7455,6 +7455,10 @@ int ldap_utf8len( const char* );
> char *ldap_utf8next( char* );
> /* find previous character */
> char *ldap_utf8prev( char* );
>+/* find n-th character */
>+char *ldap_utf8nextn (char* s, int n);
>+/* find n-th previous character from "from" */
>+char *ldap_utf8prevn (char *s, char *from, int n);
These new functions are defined inside #if defined(USE_OPENLDAP)
I'm not sure whether you care or not but this patch broke a build with mozldap.
sh$ make V=0 -j4
make all-am
make[1]: Entering directory '/tmp/ds'
GEN libacl-plugin.la
CCLD mmldif-bin
CCLD pwdhash-bin
CCLD migratecred-bin
./.libs/libslapd.so: undefined reference to `ldap_utf8nextn'
./.libs/libslapd.so: undefined reference to `ldap_utf8prevn'
collect2: error: ld returned 1 exit status
Makefile:5175: recipe for target 'mmldif-bin' failed
make[1]: *** [mmldif-bin] Error 1
make[1]: *** Waiting for unfinished jobs....
./.libs/libslapd.so: undefined reference to `ldap_utf8nextn'
./.libs/libslapd.so: undefined reference to `ldap_utf8prevn'
collect2: error: ld returned 1 exit status
./.libs/libslapd.so: undefined reference to `ldap_utf8nextn'
./.libs/libslapd.so: undefined reference to `ldap_utf8prevn'
collect2: error: ld returned 1 exit status
Makefile:5282: recipe for target 'pwdhash-bin' failed
make[1]: *** [pwdhash-bin] Error 1
Makefile:5168: recipe for target 'migratecred-bin' failed
make[1]: *** [migratecred-bin] Error 1
make[1]: Leaving directory '/tmp/ds'
Makefile:3242: recipe for target 'all' failed
make: *** [all] Error 2
LS
--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/389-devel@xxxxxxxxxxxxxxxxxxxxxxx