From 138422cbe968e701f6c1c9afd9bda3bdc13d02ee Mon Sep 17 00:00:00 2001 From: Nadezhda Ivanova Date: Fri, 12 Sep 2025 13:20:09 +0300 Subject: [PATCH] ITS#10388 ldif_parse_line2 is not compliant with RFC2849 --- libraries/libldap/ldif.c | 14 ++- tests/data/regressions/its10388/its10388 | 139 +++++++++++++++++++++++ 2 files changed, 150 insertions(+), 3 deletions(-) create mode 100755 tests/data/regressions/its10388/its10388 diff --git a/libraries/libldap/ldif.c b/libraries/libldap/ldif.c index 3141a35b20..1dc48b491b 100644 --- a/libraries/libldap/ldif.c +++ b/libraries/libldap/ldif.c @@ -149,9 +149,17 @@ ldif_parse_line2( b64 = 1; } - /* skip space between : and value */ - while ( isspace( (unsigned char) *s ) ) { - s++; + /* if value is b64, skip any white-space characters between : and value, + they are obviously not part of the value. + Otherwise skip any spaces (0x20) */ + if ( b64 || url ) { + while ( isspace( (unsigned char) *s ) ) { + s++; + } + } else { + while ( *s == ' ' ) { + s++; + } } /* check for continued line markers that should be deleted */ diff --git a/tests/data/regressions/its10388/its10388 b/tests/data/regressions/its10388/its10388 new file mode 100755 index 0000000000..5079a34ec3 --- /dev/null +++ b/tests/data/regressions/its10388/its10388 
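Review bot: The new comment above `if ( b64 || url )` describes only the base64 case, although the condition also keeps the broad `isspace()` skip for `url`, whose assignment lies outside this hunk. Stating the rule in RFC 2849 terms would make the intent clearer, for example `/* RFC 2849 FILL is *SPACE: a plain value loses only leading 0x20; any other white-space byte after ':' is kept as part of the value. */` followed by `/* base64 and URL values still have all leading white space skipped. */`. Because the else branch now stops at the first non-space byte, any caller of ldif_parse_line2 that compares a plain value literally (presumably including the dn and changetype lines) will see leading TAB, VT or FF bytes that used to be stripped. That consequence deserves a sentence in the function's header comment or the commit message. The function body starts and ends outside the hunk.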
@@ -0,0 +1,139 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2025 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+## According to RFC2849
+## SAFE-CHAR = %x01-09 / %x0B-0C / %x0E-7F
+## ; any value <= 127 decimal except NUL, LF,
+## ; and CR
+## SAFE-INIT-CHAR = %x01-09 / %x0B-0C / %x0E-1F /
+## %x21-39 / %x3B / %x3D-7F
+## SAFE-STRING = [SAFE-INIT-CHAR *SAFE-CHAR]
+
+MODDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
+MODLDIF="dn: $MODDN
+changetype: modify
+add: carLicense
+#space before value - this is not a valid starting character and we assume that multiple spaces
+#are likely just padding, so they will be removed
+carLicense: 123456
+#tabs at start of value - any char from SAFE-INIT-CHAR is valid
+#there will be accepted as part of the value
+carlicense: \011\011987654
+#tabs inside value - they are valid characters anywhere in the value
+#and should be accepted. This case is to verify that the patch does
+#not affect any current behavior
+carLicense: 123\01167
+#VT at start - any char from SAFE-INIT-CHAR is valid
+#there will be accepted as part of the value
+carLicense: \01365768
+#base64 values - white space should still be cleared
+#we assume that any characters that are part of the value
+#have been encoded, and so any white-space before the start
+#of value is quietly removed
+#ldapsearch will return thes value non-encoded, as it does not have any non-printable chars
+carLicense:: \011\013MzI5NDc4OQ=="
+
+printf "$MODLDIF" > $TESTDIR/mod_ldif.ldif
+
+mkdir -p $TESTDIR $DBDIR1
+echo "Running slapadd to build slapd database..."
+. $CONFFILTER $BACKEND < $CONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+ exit $RC
+fi
+
+echo "Starting slapd on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h $URI1 -d $LVL > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+ echo PID $PID
+ read foo
+fi
+KILLPIDS="$PID"
+
+sleep 1
+
+echo "Testing slapd modify operations..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Testing modify with various values..."
+
+$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $TESTDIR/mod_ldif.ldif > \
+ $TESTOUT 2>&1
+
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Using ldapsearch to retrieve all the entries..."
+$LDAPSEARCH -S "" -b "$MODDN" -H $URI1 \
+ 'objectClass=*' 'carLicense' > $SEARCHOUT 2>&1
+
+RC=$?
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ exit $RC
+fi
+
+echo "Filtering ldapsearch results..."
+$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+echo "Filtering expected results..."
+$LDIFFILTER < $LDIFFLT
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc
+ =com
+carLicense: 123456
+carLicense:: CQk5ODc2NTQ=
+carLicense:: MTIzCTY3
+carLicense:: CzY1NzY4
+carLicense: 3294789
+
+EOF
+echo "Comparing filter output..."
+$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+
+if test $? != 0 ; then
+ echo "comparison failed - modify operations did not complete correctly"
+ exit 1
+fi
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
-- 
2.47.3
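Review bot: `printf "$MODLDIF" > $TESTDIR/mod_ldif.ldif` runs before `mkdir -p $TESTDIR $DBDIR1`, so the redirect fails unless something outside this script has already created $TESTDIR, and that failure is never checked. Moving the `mkdir -p $TESTDIR $DBDIR1` line above the printf fixes the ordering. The LDIF is passed as the printf format so that `\011` and `\013` expand, which also means a `%` in $MODDN would be read as a conversion; a one-line comment such as `# MODLDIF is used as the printf format on purpose so the octal escapes expand` would keep a later cleanup from breaking the test. The cases cover plain and base64 values only, so the `url` branch that the ldif.c change treats like base64 is not exercised here.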