s4:dsdb/samldb: check for valid lDAPDisplayName vaues on add()
authorStefan Metzmacher <metze@samba.org>
Mon, 1 Feb 2016 22:04:04 +0000 (23:04 +0100)
committerGarming Sam <garming@samba.org>
Wed, 17 Feb 2016 02:43:23 +0000 (03:43 +0100)
This still leaves modifies(), but that's a task for another day.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/samldb.c

index 2394bd9851e603942e53faf81b007d77468e1214..479f89ad9a422b8d595780544dd5d1fcecee9b49 100644 (file)
@@ -683,6 +683,7 @@ static int samldb_fill_object(struct samldb_ctx *ac)
        }
 
        case SAMLDB_TYPE_CLASS: {
+               const char *lDAPDisplayName = NULL;
                const struct ldb_val *rdn_value, *def_obj_cat_val;
                unsigned int v = ldb_msg_find_attr_as_uint(ac->msg, "objectClassCategory", -2);
 
@@ -719,6 +720,20 @@ static int samldb_fill_object(struct samldb_ctx *ac)
                        }
                }
 
+               lDAPDisplayName = ldb_msg_find_attr_as_string(ac->msg,
+                                                             "lDAPDisplayName",
+                                                             NULL);
+               ret = ldb_valid_attr_name(lDAPDisplayName);
+               if (ret != 1 ||
+                   lDAPDisplayName[0] == '*' ||
+                   lDAPDisplayName[0] == '@')
+               {
+                       return dsdb_module_werror(ac->module,
+                                                 LDB_ERR_UNWILLING_TO_PERFORM,
+                                                 WERR_DS_INVALID_LDAP_DISPLAY_NAME,
+                                                 "lDAPDisplayName is invalid");
+               }
+
                if (!ldb_msg_find_element(ac->msg, "schemaIDGUID")) {
                        struct GUID guid;
                        /* a new GUID */
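Review bot: The added check validates only the NUL-terminated view of the first lDAPDisplayName value, so it may not cover everything that ends up stored. If ldb_msg_find_attr_as_string() returns the raw value bytes (its body is not visible here), a value containing an embedded NUL would be checked only up to that byte while the full value is written to the schema object. Fetching the value with `ldb_msg_find_ldb_val(ac->msg, "lDAPDisplayName")` and also rejecting when `strlen(lDAPDisplayName) != val->length` would tie the validation to the stored length. The same applies to the identical block in the SAMLDB_TYPE_ATTRIBUTE case further down; samldb_fill_object's body starts and ends outside this hunk.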
@@ -780,6 +795,7 @@ static int samldb_fill_object(struct samldb_ctx *ac)
        }
 
        case SAMLDB_TYPE_ATTRIBUTE: {
+               const char *lDAPDisplayName = NULL;
                const struct ldb_val *rdn_value;
                struct ldb_message_element *el;
                rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
@@ -797,6 +813,20 @@ static int samldb_fill_object(struct samldb_ctx *ac)
                        }
                }
 
+               lDAPDisplayName = ldb_msg_find_attr_as_string(ac->msg,
+                                                             "lDAPDisplayName",
+                                                             NULL);
+               ret = ldb_valid_attr_name(lDAPDisplayName);
+               if (ret != 1 ||
+                   lDAPDisplayName[0] == '*' ||
+                   lDAPDisplayName[0] == '@')
+               {
+                       return dsdb_module_werror(ac->module,
+                                                 LDB_ERR_UNWILLING_TO_PERFORM,
+                                                 WERR_DS_INVALID_LDAP_DISPLAY_NAME,
+                                                 "lDAPDisplayName is invalid");
+               }
+
                /* do not allow one to mark an attributeSchema as RODC filtered if it
                 * is system-critical */
                if (check_rodc_critical_attribute(ac->msg)) {
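Review bot: This block is a line-for-line copy of the one added in the SAMLDB_TYPE_CLASS case, so any later tightening of the rule has to be made twice, and the commit message notes that the modify path still needs the same check. Moving it into one static helper would give add (and later modify) a single place that defines what a valid lDAPDisplayName is. The helper is also the natural place to document that `ret != 1` must be evaluated before `lDAPDisplayName[0]`, since that ordering is what prevents a NULL dereference when the attribute is absent (assuming ldb_valid_attr_name() rejects NULL, which is not visible here). samldb_fill_object's body continues outside the hunk.

```c
/* Reject schema objects whose lDAPDisplayName is not a plain attribute name. */
static int samldb_check_ldap_display_name(struct samldb_ctx *ac)
{
	const char *name = ldb_msg_find_attr_as_string(ac->msg,
						       "lDAPDisplayName",
						       NULL);

	/*
	 * The validity test must stay first: it keeps name[0] from being
	 * read when the attribute is missing (assumes the helper rejects
	 * NULL - confirm against ldb_valid_attr_name()).
	 */
	if (ldb_valid_attr_name(name) != 1 ||
	    name[0] == '*' || name[0] == '@') {
		return dsdb_module_werror(ac->module,
					  LDB_ERR_UNWILLING_TO_PERFORM,
					  WERR_DS_INVALID_LDAP_DISPLAY_NAME,
					  "lDAPDisplayName is invalid");
	}
	return LDB_SUCCESS;
}

/* … unchanged: rdn_value / lDAPDisplayName generation in each case … */
		ret = samldb_check_ldap_display_name(ac);
		if (ret != LDB_SUCCESS) {
			return ret;
		}
```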