ITS#9251 make max filter depth configurable

diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 9e8b0c2523ce8f3fdfbb6b7c0bfd7045f3205c86..754fb348b7d2ce4608583cc35a1870a11be8af5a 100644 (file)
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -689,6 +689,10 @@ This level should usually also be included when using other loglevels, to
 help analyze the logs.
 .RE
 .TP
+.B olcMaxFilterDepth: <integer>
+Specify the maximum depth of nested filters in search requests.
+The default is 1000.
+.TP
 .B olcPasswordCryptSaltFormat: <format>
 Specify the format of the salt passed to
 .BR crypt (3)

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index bb94503622501800d9b54f0e0a4c3d8a73d3e42b..e8c536e80653e9810abf69fb0f619bcf7118d8eb 100644 (file)
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -743,6 +743,10 @@ This level should usually also be included when using other loglevels, to
 help analyze the logs.
 .RE
 .TP
+.B maxfilterdepth <integer>
+Specify the maximum depth of nested filters in search requests.
+The default is 1000.
+.TP
 .B moduleload <filename>
 Specify the name of a dynamically loadable module to load. The filename
 may be an absolute path name or a simple filename. Non-absolute names

diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index a54729aa81c4a38b057a8a957f6ea8b9636168be..249ea32ec538374875445d3b0c7bbddbe6fafa0d 100644 (file)
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -480,6 +480,10 @@ static ConfigTable config_back_cf_table[] = {
                &config_generic, "( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' "
                        "EQUALITY integerMatch "
                        "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
+       { "maxFilterDepth", "depth", 2, 2, 0, ARG_INT,
+               &slap_max_filter_depth, "( OLcfgGlAt:101 NAME 'olcMaxFilterDepth' "
+                       "EQUALITY integerMatch "
+                       "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
        { "multiprovider", "on|off", 2, 2, 0, ARG_DB|ARG_ON_OFF|ARG_MAGIC|CFG_MULTIPROVIDER,
                &config_generic, "( OLcfgDbAt:0.16 NAME ( 'olcMultiProvider' 'olcMirrorMode' ) "
                        "EQUALITY booleanMatch "
@@ -952,6 +956,7 @@ static ConfigOCs cf_ocs[] = {
                 "olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexHash64 $ "
                 "olcIndexIntLen $ "
                 "olcListenerThreads $ olcLocalSSF $ olcLogFile $ olcLogLevel $ "
+                "olcMaxFilterDepth $ "
                 "olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ "
                 "olcPluginLogFile $ olcReadOnly $ olcReferral $ "
                 "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "

diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index f081de89dea8626f4eb60b469cb767523a5e68e1..74b51fb479598254071411fa8136f45b3eb9d750 100644 (file)
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -84,6 +84,8 @@ ber_len_t sockbuf_max_incoming_auth= SLAP_SB_MAX_INCOMING_AUTH;
 int    slap_conn_max_pending = SLAP_CONN_MAX_PENDING_DEFAULT;
 int    slap_conn_max_pending_auth = SLAP_CONN_MAX_PENDING_AUTH;
 
+int    slap_max_filter_depth = SLAP_MAX_FILTER_DEPTH_DEFAULT;
+
 char   *slapd_pid_file  = NULL;
 char   *slapd_args_file = NULL;
 

diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
index d338704652a877229d0a7f86f4be77ade0cbbb69..c562c1d0e792efd98e78159234bd4574f5f84b43 100644 (file)
--- a/servers/slapd/filter.c
+++ b/servers/slapd/filter.c
@@ -37,10 +37,6 @@
 const Filter *slap_filter_objectClass_pres;
 const struct berval *slap_filterstr_objectClass_pres;
 
-#ifndef SLAPD_MAX_FILTER_DEPTH
-#define SLAPD_MAX_FILTER_DEPTH 5000
-#endif
-
 static int     get_filter_list(
        Operation *op,
        BerElement *ber,
@@ -132,7 +128,7 @@ get_filter0(
         *
         */
 
-       if( depth > SLAPD_MAX_FILTER_DEPTH ) {
+       if( depth > slap_max_filter_depth ) {
                *text = "filter nested too deeply";
                return SLAPD_DISCONNECT;
        }

diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 1316f23b9d9ba3fbf9d4f80991cb008ee2389417..5fac0663eff360ee5b8121faebf656c710f1a59d 100644 (file)
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -2067,6 +2067,7 @@ LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming;
 LDAP_SLAPD_V (ber_len_t) sockbuf_max_incoming_auth;
 LDAP_SLAPD_V (int)             slap_conn_max_pending;
 LDAP_SLAPD_V (int)             slap_conn_max_pending_auth;
+LDAP_SLAPD_V (int)             slap_max_filter_depth;
 
 LDAP_SLAPD_V (slap_mask_t)     global_allows;
 LDAP_SLAPD_V (slap_mask_t)     global_disallows;

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index ee0a7cd61f96483df32ce11f44978403e1a9c120..a5fe408dc6d2faa252132fdddb3794d893f1ad6a 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -143,6 +143,7 @@ LDAP_BEGIN_DECL
 
 #define SLAP_CONN_MAX_PENDING_DEFAULT  100
 #define SLAP_CONN_MAX_PENDING_AUTH     1000
+#define SLAP_MAX_FILTER_DEPTH_DEFAULT  1000
 
 #define SLAP_TEXT_BUFLEN (256)