From 7e7a1559e6d835db9dc861d891fa2070c21972dc Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Tue, 14 May 2013 16:05:08 +0000
Subject: [PATCH] CR-1688 Fix OPENDJ-905 X-SCHEMA-FILE should not allow directory path separators
---
opendj-sdk/opends/src/server/org/opends/server/schema/LDAPSyntaxDescriptionSyntax.java | 6 +++++-
opendj-sdk/opends/src/messages/messages/schema.properties | 2 ++
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/schema/AttributeTypeSyntaxTest.java | 9 ++++++++-
opendj-sdk/opends/src/server/org/opends/server/schema/AttributeTypeSyntax.java | 3 ++-
opendj-sdk/opends/src/server/org/opends/server/schema/ObjectClassSyntax.java | 5 +++--
opendj-sdk/opends/src/server/org/opends/server/types/CommonSchemaElements.java | 31 +++++++++++++++++++++++++++++++
6 files changed, 51 insertions(+), 5 deletions(-)
diff --git a/opendj-sdk/opends/src/messages/messages/schema.properties b/opendj-sdk/opends/src/messages/messages/schema.properties
index 55ee97e..a421732 100644
--- a/opendj-sdk/opends/src/messages/messages/schema.properties
+++ b/opendj-sdk/opends/src/messages/messages/schema.properties
@@ -1076,3 +1076,5 @@
X.509 Certificate because it contains invalid DER encodings
MILD_ERR_ATTR_SYNTAX_COUNTRY_NO_VALID_ISO_CODE_333=The provided value "%s" \
is not a valid ISO 3166 country code
+SEVERE_ERR_ATTR_SYNTAX_ILLEGAL_X_SCHEMA_FILE_334=The provided value "%s" is \
+ not safe for X-SCHEMA-FILE
\ No newline at end of file
diff --git a/opendj-sdk/opends/src/server/org/opends/server/schema/AttributeTypeSyntax.java b/opendj-sdk/opends/src/server/org/opends/server/schema/AttributeTypeSyntax.java
index 2f467a9..16651d6 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/schema/AttributeTypeSyntax.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/schema/AttributeTypeSyntax.java
@@ -23,7 +23,7 @@
*
*
* Copyright 2006-2009 Sun Microsystems, Inc.
- * Portions Copyright 2011-2012 ForgeRock AS
+ * Portions Copyright 2011-2013 ForgeRock AS
*/
package org.opends.server.schema;
import org.opends.messages.Message;
@@ -1008,6 +1008,7 @@
throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION, message);
}
+ CommonSchemaElements.checkSafeProperties(extraProperties);
return new AttributeType(value.toString(), primaryName, typeNames, oid,
description, superiorType, syntax,
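Review bot: The new `CommonSchemaElements.checkSafeProperties(extraProperties);` call carries no hint of why X-SCHEMA-FILE needs validating, and the same bare call is added in LDAPSyntaxDescriptionSyntax and ObjectClassSyntax in this commit; a one-line why-comment at each site would help, e.g. `// OPENDJ-905: the X-SCHEMA-FILE value is presumably used as a file name under the schema directory, so reject anything containing a path separator.` If any other element syntax in this package parses extensions the same way, it would need the same call, which this commit does not add; worth confirming before merging. The enclosing method starts outside the hunk.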
diff --git a/opendj-sdk/opends/src/server/org/opends/server/schema/LDAPSyntaxDescriptionSyntax.java b/opendj-sdk/opends/src/server/org/opends/server/schema/LDAPSyntaxDescriptionSyntax.java
index 96dde40..76a2092 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/schema/LDAPSyntaxDescriptionSyntax.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/schema/LDAPSyntaxDescriptionSyntax.java
@@ -23,7 +23,7 @@
*
*
* Copyright 2006-2009 Sun Microsystems, Inc.
- * Portions Copyright 2011-2012 ForgeRock AS
+ * Portions Copyright 2011-2013 ForgeRock AS
*/
package org.opends.server.schema;
@@ -54,6 +54,7 @@
import org.opends.server.config.ConfigException;
import org.opends.server.types.ByteSequence;
import org.opends.server.types.ByteString;
+import org.opends.server.types.CommonSchemaElements;
import org.opends.server.types.DirectoryException;
import static org.opends.server.schema.SchemaConstants.*;
@@ -583,6 +584,9 @@
// Schema backend.
syntax = new LDAPSyntaxDescriptionSyntax();
}
+
+ CommonSchemaElements.checkSafeProperties(extraProperties);
+
//Since we reached here it means everything is OK.
return new LDAPSyntaxDescription(valueStr,syntax,
description,extraProperties);
diff --git a/opendj-sdk/opends/src/server/org/opends/server/schema/ObjectClassSyntax.java b/opendj-sdk/opends/src/server/org/opends/server/schema/ObjectClassSyntax.java
index 550d549..9a34eb6 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/schema/ObjectClassSyntax.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/schema/ObjectClassSyntax.java
@@ -23,7 +23,7 @@
*
*
* Copyright 2006-2010 Sun Microsystems, Inc.
- * Portions Copyright 2012 ForgeRock AS
+ * Portions Copyright 2012-2013 ForgeRock AS
*/
package org.opends.server.schema;
import org.opends.messages.Message;
@@ -49,6 +49,7 @@
import static org.opends.server.loggers.debug.DebugLogger.*;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.types.*;
+
import static org.opends.messages.SchemaMessages.*;
import org.opends.messages.MessageBuilder;
import static org.opends.server.schema.SchemaConstants.*;
@@ -953,7 +954,7 @@
}
}
-
+ CommonSchemaElements.checkSafeProperties(extraProperties);
return new ObjectClass(value.toString(), primaryName, names, oid,
description, superiorClasses, requiredAttributes,
diff --git a/opendj-sdk/opends/src/server/org/opends/server/types/CommonSchemaElements.java b/opendj-sdk/opends/src/server/org/opends/server/types/CommonSchemaElements.java
index 1f87664..2277031 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/types/CommonSchemaElements.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/types/CommonSchemaElements.java
@@ -23,9 +23,12 @@
*
*
* Copyright 2006-2009 Sun Microsystems, Inc.
+ * Portions Copyright 2013 ForgeRock AS
*/
package org.opends.server.types;
+import org.opends.messages.Message;
+import static org.opends.messages.SchemaMessages.*;
import static org.opends.server.util.ServerConstants.*;
import static org.opends.server.util.StaticUtils.toLowerCase;
import static org.opends.server.util.Validator.*;
@@ -188,6 +191,34 @@
/**
+ * Check if the extra schema properties contain safe filenames.
+ *
+ * @param extraProperties
+ * The schema properties to check.
+ *
+ * @throws DirectoryException
+ * If a provided value was unsafe.
+ */
+ public static void checkSafeProperties(Map <String,List<String>>
+ extraProperties)
+ throws DirectoryException
+ {
+ // Check that X-SCHEMA-FILE doesn't contain unsafe characters
+ List<String> filenames = extraProperties.get(SCHEMA_PROPERTY_FILENAME);
+ if (filenames != null && !filenames.isEmpty()) {
+ String filename = filenames.get(0);
+ if (filename.indexOf('/') != -1 || filename.indexOf('\\') != -1)
+ {
+ Message message = ERR_ATTR_SYNTAX_ILLEGAL_X_SCHEMA_FILE.get(filename);
+ throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
+ message);
+ }
+ }
+ }
+
+
+
+ /**
* Retrieves the primary name for this schema definition.
*
* @return The primary name for this schema definition, or
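Review bot: checkSafeProperties only inspects `filenames.get(0)`, so a second X-SCHEMA-FILE value containing a separator passes unchecked, and a bare `..` or `.` value (no separator, but still a directory reference if the value is joined onto a base path) also passes. Unless it is certain that only the first value is ever consumed, the loop below validates every value, and additionally rejects `.`, `..`, an empty value and an embedded NUL; if an empty X-SCHEMA-FILE is meaningful elsewhere, drop that clause. The Javadoc could also say what "unsafe" means, e.g. `Unsafe means the value could name a file outside the schema directory: it contains a path separator or is a directory reference.` Minor style: `Map <String,List<String>>` has a stray space and the `if (...) {` brace on the first check differs from the Allman braces used on the inner one.
```java
  public static void checkSafeProperties(Map<String, List<String>>
                                         extraProperties)
         throws DirectoryException
  {
    // Every X-SCHEMA-FILE value must be a plain file name, not a path
    // component that could escape the schema directory.
    List<String> filenames = extraProperties.get(SCHEMA_PROPERTY_FILENAME);
    if (filenames != null)
    {
      for (String filename : filenames)
      {
        if (filename.isEmpty()
            || ".".equals(filename) || "..".equals(filename)
            || filename.indexOf('/') != -1 || filename.indexOf('\\') != -1
            || filename.indexOf('\0') != -1)
        {
          Message message = ERR_ATTR_SYNTAX_ILLEGAL_X_SCHEMA_FILE.get(filename);
          throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
                                       message);
        }
      }
    }
  }
```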
diff --git a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/schema/AttributeTypeSyntaxTest.java b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/schema/AttributeTypeSyntaxTest.java
index ee2e54d..748a204 100644
--- a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/schema/AttributeTypeSyntaxTest.java
+++ b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/schema/AttributeTypeSyntaxTest.java
@@ -127,7 +127,14 @@
" SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'test' " +
" X-SCHEMA-FILE '33-test.ldif' X-NAME )",
false}, // X-NAME is invalid extension (no value)
-
+ {"(1.2.8.5 NAME 'testType' DESC 'full type' EQUALITY caseIgnoreMatch " +
+ " SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'test' " +
+ " X-SCHEMA-FILE '../config.ldif' )",
+ false}, // X-SCHEMA-FILE is unsafe
+ {"(1.2.8.5 NAME 'testType' DESC 'full type' EQUALITY caseIgnoreMatch " +
+ " SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'test' " +
+ " X-SCHEMA-FILE '..\\config.ldif' )",
+ false}, // X-SCHEMA-FILE is unsafe
};
}
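Review bot: The two new cases only exercise AttributeTypeSyntax, although the commit wires the same check into ObjectClassSyntax and LDAPSyntaxDescriptionSyntax, and neither case pins the behaviour for a second X-SCHEMA-FILE value (the check as written looks at the first value only). Adding a `'../config.ldif'` case to the object class and LDAP syntax test data, plus one with a safe first value followed by an unsafe second value, would lock in whichever semantics is intended. The test data array starts outside the hunk.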
--