From: Alan T. DeKok <aland@freeradius.org>
Date: Sun, 17 Sep 2023 13:46:41 +0000 (-0400)
Subject: catch corner case for -=
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd45f8dcea32c572a711248c4927a830a0ab5ae3;p=thirdparty%2Ffreeradius-server.git

catch corner case for -=

	&control -= {
		&Password.Cleartext == 'oracle01'	# ERROR
	 }

the edit code doesn't do this correctly (yet).  Add a test case
which catches it and complains, instead of dogn the wrong thing.
It's also not clear what is meant by the above.  Do we need to
delete &Password, too?
---

diff --git a/src/lib/unlang/compile.c b/src/lib/unlang/compile.c
index 639b5af7ea5..05151fa6622 100644
--- a/src/lib/unlang/compile.c
+++ b/src/lib/unlang/compile.c
@@ -1554,12 +1554,22 @@ static unlang_t *compile_edit_section(unlang_t *parent, unlang_compile_t *unlang
 		/*
 		 *	As a set of fixups... we can't do array references in -=
 		 */
-		for (child = map_list_head(&map->child); child != NULL; child = map_list_next(&map->child, child)) {
-			if (!tmpl_is_attr(child->lhs)) continue;
+		if (map->op == T_OP_SUB_EQ) {
+			for (child = map_list_head(&map->child); child != NULL; child = map_list_next(&map->child, child)) {
+				if (!tmpl_is_attr(child->lhs)) continue;
 
-			if (tmpl_attr_tail_num(child->lhs) != NUM_UNSPEC) {
-				cf_log_err(child->ci, "Cannot use array references and values when deleting from a list");
-				goto fail;
+				if (tmpl_attr_tail_num(child->lhs) != NUM_UNSPEC) {
+					cf_log_err(child->ci, "Cannot use array references and values when deleting from a list");
+					goto fail;
+				}
+
+				/*
+				 *	The edit code doesn't do this correctly, so we just forbid it.
+				 */
+				if (tmpl_attr_num_elements(child->lhs) > 1) {
+					cf_log_err(child->ci, "List deletion must operate directly on the final child");
+					goto fail;
+				}
 			}
 		}
 	} else {
diff --git a/src/tests/keywords/edit-list-remove-error b/src/tests/keywords/edit-list-remove-error
new file mode 100644
index 00000000000..26542349538
--- /dev/null
+++ b/src/tests/keywords/edit-list-remove-error
@@ -0,0 +1,8 @@
+#
+#  The edit code doesn't do this yet.
+#
+#  Instead of doing something wrong, we forbid it with a descriptive error.
+#
+&control -= {
+	&Password.Cleartext == 'oracle01'	# ERROR
+}
\ No newline at end of file