From: Douglas Bagnall Date: Fri, 22 Sep 2023 00:02:56 +0000 (+1200) Subject: libcl/security: conditional ACE sddl >= ops take literal parens only X-Git-Tag: tevent-0.16.0~404 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=310c25404b92bf155f375070b1bb637b0f0d6bcf;p=thirdparty%2Fsamba.git libcl/security: conditional ACE sddl >= ops take literal parens only You can't do things like '(a == b) == (c < d)'. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index c6da72003e6..1bd074eb428 100644
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -64,7 +64,7 @@ SDDL_FLAG_IS_UNARY_OP)
 #define SDDL_FLAGS_RELATIONAL_OP (SDDL_FLAG_EXPECTING_LITERAL | \
- SDDL_FLAG_EXPECTING_PAREN | \
+ SDDL_FLAG_EXPECTING_PAREN_LITERAL | \
 SDDL_FLAG_EXPECTING_NON_LOCAL_ATTR | \
 SDDL_FLAG_IS_BINARY_OP)
@@ -2532,10 +2532,10 @@ static bool parse_expression(struct ace_condition_sddl_compiler_context *comp)
 if (comp->state & SDDL_FLAG_EXPECTING_PAREN_LITERAL) {
 /*
- * Syntctically we allow parentheses to wrap a literal
- * value after a Member_of op, but we want to remember
- * that it just wants a single literal, not a general
- * expression.
+ * Syntactically we allow parentheses to wrap a
+ * literal value after a Member_of or >= op, but we
+ * want to remember that it just wants a single
+ * literal, not a general expression.
 */
 return parse_paren_literal(comp);
 }
diff --git a/libcli/security/tests/test_sddl_conditional_ace.c b/libcli/security/tests/test_sddl_conditional_ace.c
index 529a8d59a92..df93bcda3be 100644
--- a/libcli/security/tests/test_sddl_conditional_ace.c
+++ b/libcli/security/tests/test_sddl_conditional_ace.c
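Review bot: The SDDL_FLAGS_RELATIONAL_OP definition carries no comment saying why its parenthesis flag is now the _LITERAL variant, so the next reader has to find parse_paren_literal to learn that the grammar is deliberately narrower than for the other operator classes. A one-line comment above the `#define` would pin the intent, e.g. `/* After a relational op, "(...)" may wrap only a single literal, never a sub-expression. */`. Since this is an access-control expression parser, tightening the accepted grammar is the right direction; it removes an ambiguous form rather than trying to evaluate it. Whether the unary/binary flag sets still use the general SDDL_FLAG_EXPECTING_PAREN cannot be seen from this hunk.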
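Review bot: The rewritten comment names only a "Member_of or >= op", but the rejection test added in test_sddl_conditional_ace.c uses `==` (`"(@Device.bb == (@USER.x < 62))"`), so the literal-only rule evidently applies to the whole SDDL_FLAGS_RELATIONAL_OP family rather than to `>=` alone. Suggest `* literal value after a Member_of or any relational op (the` / `* SDDL_FLAGS_RELATIONAL_OP set), but we want to remember that it` so the comment matches the flag set that actually triggers this branch. parse_expression begins and ends outside the hunk, so I cannot confirm from here which other states reach this check.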
@@ -778,6 +778,10 @@ static void test_a_number_of_invalid_strings(void **state) "(\"x\" == \"x\")", /* odd number of digits following '#' */ "(OctetStringType==#1#2#3##))", + /* empty expression */ + "()", + /* relational op with with complex RHS */ + "(@Device.bb == (@USER.x < 62))", }; size_t i, length; TALLOC_CTX *mem_ctx = talloc_new(NULL);
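Review bot: The new comment has a doubled word: `/* relational op with with complex RHS */` should read `/* relational op with complex RHS */`. Both added strings are negative cases only; a companion entry in the accepted-strings test asserting that a parenthesised single literal on the RHS of a relational op still parses would pin the boundary the commit intends rather than only one side of it. The enclosing array and test_a_number_of_invalid_strings start outside the hunk, so I cannot see whether such a positive case already exists elsewhere in the file.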