X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/f3ebb786e451da973560f1c9d8cdb151d25108b5..a85c067ba6c6940512cf57ec213277a370d87e70:/src/src/lookups/ldap.c
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index 5b0cffaf8..17c431e5c 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -2,8 +2,10 @@
 * Exim - an Internet mail transport agent *
 *************************************************/
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
 /* Copyright (c) University of Cambridge 1995 - 2018 */
 /* See the file NOTICE for conditions of use and distribution. */
+/* SPDX-License-Identifier: GPL-2.0-only */
 /* Many thanks to Stuart Lynne for contributing the original code for this
 driver. Further contributions from Michael Haardt, Brian Candler, Barry
@@ -495,7 +497,7 @@ if (!lcp)
 /* Now add this connection to the chain of cached connections */
-lcp = store_get(sizeof(LDAP_CONNECTION), FALSE);
+lcp = store_get(sizeof(LDAP_CONNECTION), GET_UNTAINTED);
 lcp->host = host ? string_copy(host) : NULL;
 lcp->bound = FALSE;
 lcp->user = NULL;
@@ -1090,9 +1092,7 @@ const uschar *p;
 uschar *user = NULL;
 uschar *password = NULL;
 uschar *local_servers = NULL;
-uschar *server;
 const uschar *list;
-uschar buffer[512];
 while (isspace(*url)) url++;
@@ -1104,7 +1104,7 @@ NAME has the value "ldap". */
 while (strncmpic(url, US"ldap", 4) != 0)
 {
 const uschar *name = url;
- while (*url != 0 && *url != '=') url++;
+ while (*url && *url != '=') url++;
 if (*url == '=')
 {
 int namelen;
@@ -1188,7 +1188,7 @@ result of ${quote_ldap_dn:...} quoting, which does apply URL quoting, because
 that is needed when the DN is used as a base DN in a query. Sigh. This is all
 far too complicated. */
-if (user != NULL)
+if (user)
 {
 uschar *t = user;
 for (uschar * s = user; *s != 0; s++)
@@ -1211,7 +1211,7 @@ if (user != NULL)
 DEBUG(D_lookup) debug_printf_indent("LDAP parameters: user=%s pass=%s size=%d time=%d connect=%d "
 "dereference=%d referrals=%s\n", user, password, sizelimit, timelimit,
- tcplimit, dereference, (referrals == LDAP_OPT_ON)? "on" : "off");
+ tcplimit, dereference, referrals == LDAP_OPT_ON ? "on" : "off");
 /* If the request is just to check authentication, some credentials must be
 given. The password must not be empty because LDAP binds with an empty
@@ -1219,12 +1219,12 @@ password are considered anonymous, and will succeed on most installations. */
 if (search_type == SEARCH_LDAP_AUTH)
 {
- if (user == NULL || password == NULL)
+ if (!user || !password)
 {
 *errmsg = US"ldapauth lookups must specify the username and password";
 return DEFER;
 }
- if (password[0] == 0)
+ if (!*password)
 {
 DEBUG(D_lookup) debug_printf_indent("Empty password: ldapauth returns FAIL\n");
 return FAIL;
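Review bot: The debug line edited in the first hunk still emits the bind password in clear through `pass=%s` (the `user, password,` argument line is the context directly above the changed line); -d output is routinely pasted into bug reports and shared logs, so the credential travels with it. Printing presence instead, `user, password ? "<set>" : "<unset>", sizelimit, timelimit,`, keeps the `%s` conversion and the rest of the line unchanged. This predates the commit, so it only needs doing if the clear-text form is not relied on for debugging; the enclosing function starts and ends outside the hunk.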
@@ -1245,22 +1245,20 @@ if (Ustrncmp(p, "://", 3) != 0)
 /* No default servers, or URL contains a server name: just one attempt */
-if ((eldap_default_servers == NULL && local_servers == NULL) || p[3] != '/')
- {
+if (!eldap_default_servers && !local_servers || p[3] != '/')
 return perform_ldap_search(url, NULL, 0, search_type, res, errmsg, &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference, referrals);
- }
-/* Loop through the default servers until OK or FAIL. Use local_servers list
- * if defined in the lookup, otherwise use the global default list */
-list = (local_servers == NULL) ? eldap_default_servers : local_servers;
-while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
+/* Loop through the servers until OK or FAIL. Use local_servers list
+if defined in the lookup, otherwise use the global default list */
+
+list = local_servers ? local_servers : eldap_default_servers;
+for (uschar * server; server = string_nextinlist(&list, &sep, NULL, 0); )
 {
- int rc;
- int port = 0;
+ int rc, port = 0;
 uschar *colon = Ustrchr(server, ':');
- if (colon != NULL)
+ if (colon)
 {
 *colon = 0;
 port = Uatoi(colon+1);
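Review bot: The new test `if (!eldap_default_servers && !local_servers || p[3] != '/')` mixes `&&` and `||` without parentheses; it matches the old condition only because `&&` binds tighter, and gcc's -Wparentheses will flag it, so `if ((!eldap_default_servers && !local_servers) || p[3] != '/')` keeps the meaning visible. The same warning applies to the assignment used as the loop test in `for (uschar * server; server = string_nextinlist(&list, &sep, NULL, 0); )`; parenthesising it as `(server = string_nextinlist(&list, &sep, NULL, 0))` is enough. Passing `NULL, 0` instead of the old 512-byte `buffer` means server-list elements are no longer silently truncated, which deserves a one-line comment since the motivation is not visible from the hunk. `port = Uatoi(colon+1)` in the trailing context still accepts non-numeric or out-of-range text without complaint; that predates the commit, but a 1..65535 check that sets `*errmsg` and returns DEFER would be cheap to add while this block is being reworked. The enclosing function continues outside the hunk.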
@@ -1285,38 +1283,33 @@ are handled by a common function, with a flag to differentiate between them.
 The handle and filename arguments are not used. */
 static int
-eldap_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
- uschar **result, uschar **errmsg, uint *do_cache)
+eldap_find(void * handle, const uschar * filename, const uschar * ldap_url,
+ int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+ const uschar * opts)
 {
-/* Keep picky compilers happy */
-do_cache = do_cache;
 return(control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg));
 }
 static int
-eldapm_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
- uschar **result, uschar **errmsg, uint *do_cache)
+eldapm_find(void * handle, const uschar * filename, const uschar * ldap_url,
+ int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+ const uschar * opts)
 {
-/* Keep picky compilers happy */
-do_cache = do_cache;
 return(control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg));
 }
 static int
-eldapdn_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
- uschar **result, uschar **errmsg, uint *do_cache)
+eldapdn_find(void * handle, const uschar * filename, const uschar * ldap_url,
+ int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+ const uschar * opts)
 {
-/* Keep picky compilers happy */
-do_cache = do_cache;
 return(control_ldap_search(ldap_url, SEARCH_LDAP_DN, result, errmsg));
 }
 int
-eldapauth_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
- uschar **result, uschar **errmsg, uint *do_cache)
+eldapauth_find(void * handle, const uschar * filename, const uschar * ldap_url,
+ int length, uschar ** result, uschar ** errmsg, uint * do_cache)
 {
-/* Keep picky compilers happy */
-do_cache = do_cache;
 return(control_ldap_search(ldap_url, SEARCH_LDAP_AUTH, result, errmsg));
 }
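Review bot: The comment just above `eldap_find`, `The handle and filename arguments are not used.`, is now incomplete: with the `do_cache = do_cache;` lines removed, `length`, `do_cache` and the newly added `opts` are unused in all four wrappers too, so it should read `The handle, filename, length, do_cache and opts arguments are not used. */` to stop a reader looking for where `opts` is honoured. `eldapauth_find` is the only one of the four that keeps external linkage and does not gain `opts`, presumably because it is called directly rather than through the lookup table; a short comment on it stating that would explain why its signature differs from its siblings. The introductory comment for this group of functions starts outside the hunk.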
@@ -1329,7 +1322,7 @@ return(control_ldap_search(ldap_url, SEARCH_LDAP_AUTH, result, errmsg));
 /* See local README for interface description. */
 static void *
-eldap_open(uschar *filename, uschar **errmsg)
+eldap_open(const uschar * filename, uschar ** errmsg)
 {
 return (void *)(1); /* Just return something non-null */
 }
@@ -1346,16 +1339,13 @@ Make sure that eldap_dn does not refer to reclaimed or worse, freed store */
 static void
 eldap_tidy(void)
 {
-LDAP_CONNECTION *lcp = NULL;
 eldap_dn = NULL;
-while ((lcp = ldap_connections) != NULL)
+for (LDAP_CONNECTION *lcp; lcp = ldap_connections; ldap_connections = lcp->next)
 {
- DEBUG(D_lookup) debug_printf_indent("unbind LDAP connection to %s:%d\n", lcp->host,
- lcp->port);
- if(lcp->bound == TRUE)
- ldap_unbind(lcp->ld);
- ldap_connections = lcp->next;
+ DEBUG(D_lookup) debug_printf_indent("unbind LDAP connection to %s:%d\n",
+ lcp->host, lcp->port);
+ if(lcp->bound) ldap_unbind(lcp->ld);
 }
 }
@@ -1416,6 +1406,7 @@ Arguments:
 s the string to be quoted
 opt additional option text or NULL if none
 only "dn" is recognized
+ idx lookup type index
 Returns: the processed string or NULL for a bad option
 */
@@ -1441,18 +1432,15 @@ quote_ldap_dn, respectively. */
 static uschar *
-eldap_quote(uschar *s, uschar *opt)
+eldap_quote(uschar * s, uschar * opt, unsigned idx)
 {
-register int c;
-int count = 0;
-int len = 0;
+int c, count = 0, len = 0;
 BOOL dn = FALSE;
-uschar *t = s;
-uschar *quoted;
+uschar * t = s, * quoted;
 /* Test for a DN quotation. */
-if (opt != NULL)
+if (opt)
 {
 if (Ustrcmp(opt, "dn") != 0) return NULL; /* No others recognized */
 dn = TRUE;
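Review bot: In `eldap_tidy` the new loop header `for (LDAP_CONNECTION *lcp; lcp = ldap_connections; ldap_connections = lcp->next)` uses a bare assignment as the controlling expression, which gcc's -Wparentheses reports and which reads like a typo for `==`; parenthesising it, `for (LDAP_CONNECTION *lcp; (lcp = ldap_connections); ldap_connections = lcp->next)`, keeps the intent explicit at no cost. The body still calls `ldap_unbind` only when `lcp->bound` is set, so an entry whose handle was opened but never bound would not be released here; that is unchanged by the commit, but worth confirming against the connection-setup code, which is outside this hunk, that such entries cannot stay on the list. In the `eldap_quote` argument block the new `idx` line says only `lookup type index`; extending it to `idx lookup type index, passed on to store_get_quoted()` tells the reader what the value is for.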
@@ -1465,24 +1453,25 @@ where, for example, < turns into %5C%3C. For simplicity, we just add 5 for each
 possibly escaped character. The really fast way would be just to test for non-alphanumerics, but it is probably better to spot a few others that are never escaped, because if there are no specials at all, we can avoid copying
-the string. */
+the string.
+XXX No longer true; we always copy, to support quoted-enforcement */
-while ((c = *t++) != 0)
+while ((c = *t++))
 {
 len++;
 if (!isalnum(c) && Ustrchr(ALWAYS_LITERAL, c) == NULL) count += 5;
 }
-if (count == 0) return s;
+/*if (count == 0) return s;*/
 /* Get sufficient store to hold the quoted string */
-t = quoted = store_get(len + count + 1, is_tainted(s));
+t = quoted = store_get_quoted(len + count + 1, s, idx);
 /* Handle plain quote_ldap */
 if (!dn)
 {
- while ((c = *s++) != 0)
+ while ((c = *s++))
 {
 if (!isalnum(c))
 {
@@ -1507,7 +1496,7 @@ if (!dn)
 else
 {
- uschar *ss = s + len;
+ uschar * ss = s + len;
 /* Find the last char before any trailing spaces */
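Review bot: `/*if (count == 0) return s;*/` leaves commented-out code behind, and the paragraph above it now argues for avoiding the copy and then retracts that with `XXX No longer true`; delete the dead line and restate the rule in one place, e.g. `/* Count the characters that may need escaping only to size the allocation. The string is always copied, even when nothing needs quoting, so that the result comes from store_get_quoted() and is marked as quoted for this lookup type. */`. That always-copy rule is what makes the new `store_get_quoted(len + count + 1, s, idx)` call effective, so the comment is the only place a reader learns why the early return was dropped. The function continues outside the hunk.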
@@ -1569,49 +1558,50 @@ return quoted;
 #include "../version.h"
-void
-ldap_version_report(FILE *f)
+gstring *
+ldap_version_report(gstring * g)
 {
 #ifdef DYNLOOKUP
-fprintf(f, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR);
+g = string_fmt_append(g, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR);
 #endif
+return g;
 }
 static lookup_info ldap_lookup_info = {
- US"ldap", /* lookup name */
- lookup_querystyle, /* query-style lookup */
- eldap_open, /* open function */
- NULL, /* check function */
- eldap_find, /* find function */
- NULL, /* no close function */
- eldap_tidy, /* tidy function */
- eldap_quote, /* quoting function */
- ldap_version_report /* version reporting */
+ .name = US"ldap", /* lookup name */
+ .type = lookup_querystyle, /* query-style lookup */
+ .open = eldap_open, /* open function */
+ .check = NULL, /* check function */
+ .find = eldap_find, /* find function */
+ .close = NULL, /* no close function */
+ .tidy = eldap_tidy, /* tidy function */
+ .quote = eldap_quote, /* quoting function */
+ .version_report = ldap_version_report /* version reporting */
 };
 static lookup_info ldapdn_lookup_info = {
- US"ldapdn", /* lookup name */
- lookup_querystyle, /* query-style lookup */
- eldap_open, /* sic */ /* open function */
- NULL, /* check function */
- eldapdn_find, /* find function */
- NULL, /* no close function */
- eldap_tidy, /* sic */ /* tidy function */
- eldap_quote, /* sic */ /* quoting function */
- NULL /* no version reporting (redundant) */
+ .name = US"ldapdn", /* lookup name */
+ .type = lookup_querystyle, /* query-style lookup */
+ .open = eldap_open, /* sic */ /* open function */
+ .check = NULL, /* check function */
+ .find = eldapdn_find, /* find function */
+ .close = NULL, /* no close function */
+ .tidy = eldap_tidy, /* sic */ /* tidy function */
+ .quote = eldap_quote, /* sic */ /* quoting function */
+ .version_report = NULL /* no version reporting (redundant) */
 };
 static lookup_info
ldapm_lookup_info = {
- US"ldapm", /* lookup name */
- lookup_querystyle, /* query-style lookup */
- eldap_open, /* sic */ /* open function */
- NULL, /* check function */
- eldapm_find, /* find function */
- NULL, /* no close function */
- eldap_tidy, /* sic */ /* tidy function */
- eldap_quote, /* sic */ /* quoting function */
- NULL /* no version reporting (redundant) */
+ .name = US"ldapm", /* lookup name */
+ .type = lookup_querystyle, /* query-style lookup */
+ .open = eldap_open, /* sic */ /* open function */
+ .check = NULL, /* check function */
+ .find = eldapm_find, /* find function */
+ .close = NULL, /* no close function */
+ .tidy = eldap_tidy, /* sic */ /* tidy function */
+ .quote = eldap_quote, /* sic */ /* quoting function */
+ .version_report = NULL /* no version reporting (redundant) */
 };
 #ifdef DYNLOOKUP