
Active Directory apparently requires that tenths of a second be

present in a date so append .0 to the "now" value in the time filter.
Also remove space for the global AND from TIMEFILTER_LENGTH since
it was not being used consistently.  Buffers of TIMEFILTER_LENGTH
now need to account for the terminating NUL byte.
Todd C. Miller
2012-07-30 11:09:11 -04:00
parent a9623c29c2
commit f205243bd7


@@ -132,14 +132,12 @@ extern int ldapssl_set_strength(LDAP *ldap, int strength);
#define SUDO_LDAP_SSL 1
#define SUDO_LDAP_STARTTLS 2
/* The TIMEFILTER_LENGTH includes the filter itself plus the global AND
wrapped around the user filter and the time filter when timed entries
/* The TIMEFILTER_LENGTH is the length of the filter when timed entries
are used. The length is computed as follows:
85 for the filter
+ 2 * 13 for the now timestamp
+ 3 for the global AND
81 for the filter itself
+ 2 * 17 for the now timestamp
*/
#define TIMEFILTER_LENGTH 114
#define TIMEFILTER_LENGTH 115
/*
* The ldap_search structure implements a linked list of ldap and
@@ -984,7 +982,7 @@ sudo_ldap_timefilter(char *buffer, size_t buffersize)
{
struct tm *tp;
time_t now;
char timebuffer[16];
char timebuffer[sizeof("20120727121554.0Z")];
int bytes = 0;
debug_decl(sudo_ldap_timefilter, SUDO_DEBUG_LDAP)
@@ -996,8 +994,8 @@ sudo_ldap_timefilter(char *buffer, size_t buffersize)
}
/* Format the timestamp according to the RFC. */
if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%SZ", tp) == 0) {
warning(_("unable to format timestamp"));
if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%S.0Z", tp) == 0) {
warningx(_("unable to format timestamp"));
goto done;
}
@@ -1129,15 +1127,19 @@ static char *
sudo_ldap_build_pass1(struct passwd *pw)
{
struct group *grp;
char *buf, timebuffer[TIMEFILTER_LENGTH], gidbuf[MAX_UID_T_LEN + 1];
char *buf, timebuffer[TIMEFILTER_LENGTH + 1], gidbuf[MAX_UID_T_LEN + 1];
struct group_list *grlist;
size_t sz = 0;
int i;
debug_decl(sudo_ldap_build_pass1, SUDO_DEBUG_LDAP)
/* Start with LDAP search filter length + 3 */
/* If there is a filter, allocate space for the global AND. */
if (ldap_conf.timed || ldap_conf.search_filter)
sz += 3;
/* Add LDAP search filter if present. */
if (ldap_conf.search_filter)
sz += strlen(ldap_conf.search_filter) + 3;
sz += strlen(ldap_conf.search_filter);
/* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
sz += 29 + sudo_ldap_value_len(pw->pw_name);
@@ -1241,7 +1243,7 @@ sudo_ldap_build_pass1(struct passwd *pw)
static char *
sudo_ldap_build_pass2(void)
{
char *filt, timebuffer[TIMEFILTER_LENGTH];
char *filt, timebuffer[TIMEFILTER_LENGTH + 1];
debug_decl(sudo_ldap_build_pass2, SUDO_DEBUG_LDAP)
if (ldap_conf.timed)
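Review bot: The comment above `TIMEFILTER_LENGTH` does not say that the new value of 115 excludes the terminating NUL, yet `sudo_ldap_build_pass1` and `sudo_ldap_build_pass2` both rely on that by declaring `timebuffer[TIMEFILTER_LENGTH + 1]`. I would add a line such as `(the terminating NUL is not included; buffers need TIMEFILTER_LENGTH + 1)` to that comment so a later caller does not size a stack buffer one byte short. The 17 in `2 * 17` is also hand-counted from the strftime format `"%Y%m%d%H%M%S.0Z"`, while `sudo_ldap_timefilter` sizes its own buffer from a sample literal; deriving both from one place, e.g. `#define TIMEFILTER_LENGTH (81 + 2 * (sizeof("20120727121554.0Z") - 1))`, would keep the two from drifting apart. The code that writes into these buffers and checks the result lies outside the visible hunks, so whether a mismatch would truncate or fail cleanly cannot be confirmed from here.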