From 019b2c69bd5b8cf8fa9a21bd5c4479204b27cb36 Mon Sep 17 00:00:00 2001
From: Valery Kharseko <vharseko@3a-systems.ru>
Date: Wed, 08 Jul 2026 16:05:46 +0000
Subject: [PATCH] [#665] Fix StackOverflowError while parsing long ACI with repetitive targets (#666)
---
opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciTargets.java | 16 ++++++++++------
1 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciTargets.java b/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciTargets.java
index 79c6f29..f7e34d2 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciTargets.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciTargets.java
@@ -13,6 +13,7 @@
*
* Copyright 2008-2010 Sun Microsystems, Inc.
* Portions Copyright 2013-2016 ForgeRock AS.
+ * Portions Copyright 2026 3A Systems, LLC
*/
package org.opends.server.authorization.dseecompat;
@@ -63,16 +64,19 @@
/** Regular expression used to match a single target rule. */
private static final String targetRegex =
- OPEN_PAREN + ZERO_OR_MORE_WHITESPACE + WORD_GROUP +
- ZERO_OR_MORE_WHITESPACE + "(!?=)" + ZERO_OR_MORE_WHITESPACE +
- "\"([^\"]+)\"" + ZERO_OR_MORE_WHITESPACE + CLOSED_PAREN +
- ZERO_OR_MORE_WHITESPACE;
+ OPEN_PAREN + ZERO_OR_MORE_WHITESPACE_POSSESSIVE + WORD_GROUP_POSSESSIVE +
+ ZERO_OR_MORE_WHITESPACE_POSSESSIVE + "(!?=)" + ZERO_OR_MORE_WHITESPACE_POSSESSIVE +
+ "\"([^\"]+)\"" + ZERO_OR_MORE_WHITESPACE_POSSESSIVE + CLOSED_PAREN +
+ ZERO_OR_MORE_WHITESPACE_POSSESSIVE;
/**
* Regular expression used to match one or more target rules. The pattern is
- * part of a general ACI verification.
+ * part of a general ACI verification. The possessive quantifiers make the
+ * regex engine match the repetition iteratively, so an ACI with thousands
+ * of repeated target rules is rejected instead of overflowing the stack
+ * (issue #665).
*/
- static final String targetsRegex = "(" + targetRegex + ")*";
+ static final String targetsRegex = "(" + targetRegex + ")*+";
/**
* Rights that are skipped for certain target evaluations.
--
Gitblit v1.10.0