Re: [squid-dev] [PATCH] Allow unlimited LDAP search filter for ext_ldap_group_acl helper

2015-11-06 Thread Christos Tsantilas

I am attaching a new release for this patch.
This patch includes fixes requested by Amos, plus some other fixes.


On 11/02/2015 12:47 PM, Tsantilas Christos wrote:

Hi all,

The LDAP search filter in ext_ldap_group_acl is limited to 256 
characters. In some environments the user DN or group filter can be 
larger than this limitation.


This patch uses dynamically allocated buffers for LDAP search filters.

This is a Measurement Factory project


Allow unlimited LDAP search filter for ext_ldap_group_acl helper.

The LDAP search filter in ext_ldap_group_acl is limited to 256 characters.
In some environments the user DN or group filter can be larger than this
limitation.
This patch uses dynamically allocated buffers for LDAP search filters.

This is a Measurement Factory project

=== modified file 'helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc'
--- helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc	2015-09-07 17:44:33 +
+++ helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc	2015-11-05 20:48:17 +
@@ -17,62 +17,66 @@
  * and/or modify it under the terms of the GNU General Public License
  * as published by the Free Software Foundation; either version 2,
  * or (at your option) any later version.
  *
  * Authors:
  *  Flavio Pescuma 
  *  Henrik Nordstrom 
  *  MARA Systems AB, Sweden 
  *
  * With contributions from others mentioned in the ChangeLog file
  *
  * In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom.
  *
  * Latest version of this program can always be found from MARA Systems
  * at http://marasystems.com/download/LDAP_Group/
  *
  * Dependencies: You need to get the OpenLDAP libraries
  * from http://www.openldap.org or use another compatible
  * LDAP C-API library.
  *
  * If you want to make a TLS enabled connection you will also need the
  * OpenSSL libraries linked into openldap. See http://www.openssl.org/
  */
 #include "squid.h"
 #include "helpers/defines.h"
 #include "rfc1738.h"
 #include "util.h"
 
 #define LDAP_DEPRECATED 1
 
+#include 
 #include 
 #include 
+#include 
+#include 
+#include 
 
 #if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
 
 #define snprintf _snprintf
 #include 
 #include 
 #ifndef LDAPAPI
 #define LDAPAPI __cdecl
 #endif
 #ifdef LDAP_VERSION3
 #ifndef LDAP_OPT_X_TLS
 #define LDAP_OPT_X_TLS 0x6000
 #endif
 /* Some tricks to allow dynamic bind with ldap_start_tls_s entry point at
  * run time.
  */
 #undef ldap_start_tls_s
 #if LDAP_UNICODE
 #define LDAP_START_TLS_S "ldap_start_tls_sW"
 typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlW *, IN PLDAPControlW *);
 #else
 #define LDAP_START_TLS_S "ldap_start_tls_sA"
 typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlA *, IN PLDAPControlA *);
 #endif /* LDAP_UNICODE */
 PFldap_start_tls_s Win32_ldap_start_tls_s;
 #define ldap_start_tls_s(l,s,c) Win32_ldap_start_tls_s(l,NULL,NULL,s,c)
 #endif /* LDAP_VERSION3 */
 
 #else
 
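Review bot: the new `#include` lines at the top of this hunk are spliced around the existing pair (one before it, three after it) rather than merged into a single sorted list; the header names did not survive in this copy of the patch, so the order cannot be checked here, but keep the standard-library headers in alphabetical order with the ones already present so the block stays easy to scan for duplicates.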
@@ -583,250 +587,227 @@
 break;
 } else {
 if (tryagain) {
 tryagain = 0;
 ldap_unbind(ld);
 ld = NULL;
 goto recover;
 }
 }
 }
 if (found)
 SEND_OK("");
 else {
 SEND_ERR("");
 }
 
 if (ld != NULL) {
 if (!persistent || (squid_ldap_errno(ld) != LDAP_SUCCESS && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS)) {
 ldap_unbind(ld);
 ld = NULL;
 } else {
 tryagain = 1;
 }
 }
 }
 if (ld)
 ldap_unbind(ld);
 return 0;
 }
 
-static int
-ldap_escape_value(char *escaped, int size, const char *src)
+static std::string
+ldap_escape_value(const std::string )
 {
-int n = 0;
-while (size > 4 && *src) {
-switch (*src) {
-case '*':
-case '(':
-case ')':
-case '\\':
-n += 3;
-size -= 3;
-if (size > 0) {
-*escaped = '\\';
-++escaped;
-snprintf(escaped, 3, "%02x", (unsigned char) *src);
-++src;
-escaped += 2;
-}
-break;
-default:
-*escaped = *src;
-++escaped;
-++src;
-++n;
---size;
+std::stringstream str;
+for (const auto  : src) {
+switch (c) {
+case '*':
+case '(':
+case ')':
+case '\\':
+str << '\\' << std::setfill('0') << std::setw(2) << std::hex << static_cast(c);
+break;
+default:
+str << c;
 }
 }
-*escaped = '\0';
-return n;
+return str.str();
 }
 
-static int
-build_filter(char 
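
Review bot: the rewritten ldap_escape_value() silently changes two edge behaviours of the old loop. First, the old `while (size > 4 && *src)` stopped at the first NUL byte, whereas the new range loop walks every byte of the std::string, so an embedded NUL now reaches the filter unescaped; RFC 4515 requires NUL to be escaped as `\00`, so add `case '\0':` to the switch. Second, the old code formatted `(unsigned char) *src`, while the new `static_cast(c)` (template argument lost in this copy) should widen through `unsigned char`, otherwise a byte >= 0x80 would print as `ffffff..`; only the four ASCII cases reach it today, so this is harmless now but fragile if the case list grows. Minor: `std::hex` and `std::setfill('0')` stay set on `str` after the first escape; the later `str << c` char insertions are not affected, but emitting the two hex digits without stream manipulators (or resetting with `std::dec`) keeps the stream state predictable.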

Re: [squid-dev] [PATCH] Allow unlimited LDAP search filter for ext_ldap_group_acl helper

2015-11-03 Thread Amos Jeffries
On 2/11/2015 11:47 p.m., Tsantilas Christos wrote:
> Hi all,
> 
> The LDAP search filter in ext_ldap_group_acl is limited to 256
> characters. In some environments the user DN or group filter can be
> larger than this limitation.
> 
> This patch uses dynamically allocated buffers for LDAP search filters.
> 
> This is a Measurement Factory project
> 


Audit:

* please add the new stdlib #include's alphabetically in that list if
possible.


* ldap_escape_value() would be simpler with C++11 syntax:

  std::stringstream str;
  for (const auto &c : src) {
  escape_character(c, str);
  }
  return str.str();

- at which point there is actually no need for the escape_character()
function to exist. The switch can be re-inlined to the loop body to
further reduce the code.


* please do not use C-style casting in new code.
 - I see at least "(int)c" in the escape_character() function.


* in searchLDAPGroup()
 - s/searchbase =build_searchbase/searchbase = build_searchbase/


* Please use std::cerr in C++'ified code
 - fprintf(stderr,... still being used in new/updated code of searchLDAP()

Amos
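As an added example (not part of the patch and not Squid's own helper code), here is the escape routine in the range-for form Amos suggests, carried through to the RFC 4515 edge cases the thread touches on (embedded NUL, bytes above 0x7f, avoiding C-style casts) and paired with a small filter builder so the effect of escaping on the filter's structure is visible. The names ldapEscapeValue and buildGroupFilter and the `%u`/`%g` placeholders are assumptions made for this example, not the helper's real interface.

```cpp
// Added example, not code from the Squid patch: std::string-based
// RFC 4515 escaping of LDAP filter values (so the result is not bounded by
// a 256-byte buffer) and a small filter builder that shows why it matters.
// ldapEscapeValue, buildGroupFilter and the %u/%g placeholders are
// assumptions of this example, not the helper's real interface.
#include <cstddef>
#include <string>

// Escape the bytes RFC 4515 requires ('*', '(', ')', '\\' and NUL) as a
// backslash plus two lowercase hex digits. Iterating the std::string means
// an embedded NUL is escaped instead of terminating the value, and going
// through unsigned char keeps bytes >= 0x80 from sign-extending.
static std::string ldapEscapeValue(const std::string &src)
{
    static const char hexdigits[] = "0123456789abcdef";
    std::string out;
    out.reserve(src.size());
    for (const char c : src) {
        switch (c) {
        case '*':
        case '(':
        case ')':
        case '\\':
        case '\0': {
            const unsigned char b = static_cast<unsigned char>(c);
            out += '\\';
            out += hexdigits[b >> 4];
            out += hexdigits[b & 0x0f];
            break;
        }
        default:
            out += c;   // every other byte, UTF-8 included, passes through unchanged
        }
    }
    return out;
}

// Substitute escaped user/group values into a filter template. Only the
// values are escaped; the template's own parentheses and operators are the
// administrator's and stay intact, so a value such as "*)(uid=*" cannot
// open or close filter groups.
static std::string buildGroupFilter(const std::string &tmpl,
                                    const std::string &user,
                                    const std::string &group)
{
    const std::string u = ldapEscapeValue(user);
    const std::string g = ldapEscapeValue(group);
    std::string out;
    for (std::size_t i = 0; i < tmpl.size(); ++i) {
        if (tmpl[i] == '%' && i + 1 < tmpl.size()) {
            const char spec = tmpl[i + 1];
            if (spec == 'u') { out += u; ++i; continue; }
            if (spec == 'g') { out += g; ++i; continue; }
            if (spec == '%') { out += '%'; ++i; continue; }
        }
        out += tmpl[i];
    }
    return out;
}
```

Building the two hex digits from a lookup table rather than stream manipulators avoids the sticky `std::hex`/`std::setfill` state that a shared stringstream would otherwise carry, and the escaped value grows with its input, so a long DN or group name is no longer truncated at a fixed buffer size.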

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev