Full_Name: Pierangelo Masarati
Version: HEAD/re24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.175.154.200)
Submitted by: ando

As per RFC 4511 we ignore unknown attributes in search requests, and we handle special attributes according to RFC 3673 and RFC 4529; however, we probably should ignore and discard invalid attributes (i.e. attributes not conforming to section 2.5. of RFC 4512).
A noteworthy example is that right now slapd accepts "" (the empty string). Although there is no strong motivation for discarding non-conforming requests (and, as per RFC 3673 and RFC 4529, the production attributeSelector of Section 4.5.1.8. of RFC 4511 had to be extended, so this code should be updated whenever that production is modified further), I think this change would be in the spirit of OpenLDAP's slapd (i.e. liberal in accepting requests with invalid productions, but strict in not letting them proceed further).
One case where an invalid production is causing problems downstream is in accesslog, where the empty string is written as the value of a reqAttr, which is invalid per the syntax of reqAttr, which is an LDAPString. As a consequence, a slapcat of such an accesslog entry cannot be reloaded.
I am fixing accesslog otherwise, but probably invalid attributeSelectors should be filtered out when parsing search requests.
p.
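
Added example (not part of the original report and not slapd's code): one way to filter attribute selectors at parse time, following the attributeSelector grammar of RFC 4511 section 4.5.1.8 with the RFC 3673 "+" and RFC 4529 "@" extensions and the oid and options rules of RFC 4512. The function names are hypothetical, the request list is constructed, and the character tests assume the C locale.

```c
#include <ctype.h>
#include <string.h>

static int keychar(char c) { return isalnum((unsigned char)c) || c == '-'; } /* RFC 4512 keychar */

/* oid = descr / numericoid: returns characters consumed, 0 if none matches */
static size_t scan_oid(const char *s)
{
    size_t i = 0;
    if (isalpha((unsigned char)s[0])) {           /* descr = ALPHA *keychar */
        while (keychar(s[i])) i++;
        return i;
    }
    for (int arcs = 0;; arcs++) {                 /* numericoid = number 1*(DOT number) */
        size_t start = i;
        while (isdigit((unsigned char)s[i])) i++;
        if (i == start || (s[start] == '0' && i - start > 1)) return 0;
        if (s[i] != '.') return arcs >= 1 ? i : 0;
        i++;
    }
}

/* Returns 1 if s is a well-formed attributeSelector, 0 otherwise. */
int attr_selector_valid(const char *s)
{
    if (!strcmp(s, "*") || !strcmp(s, "+")) return 1;   /* RFC 4511 "*", RFC 3673 "+" */
    if (*s == '@') s++;                                 /* RFC 4529: "@" oid options */
    size_t i = scan_oid(s);
    if (i == 0) return 0;                               /* rejects "" and a bare "@" */
    while (s[i] == ';') {                               /* options = *(SEMI 1*keychar) */
        if (!keychar(s[++i])) return 0;
        while (keychar(s[i])) i++;
    }
    return s[i] == '\0';
}

/* Compacts attrs[0..n) in place, keeping valid selectors; returns the new count. */
size_t filter_attr_selectors(const char **attrs, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (attr_selector_valid(attrs[i])) attrs[kept++] = attrs[i];
    return kept;
}

int main(void)
{
    const char *req[] = { "cn", "", "+", "mail;", "@person" };   /* constructed request */
    return filter_attr_selectors(req, 5) == 3 ? 0 : 1;
}
```

With a filter of this kind in the search request parser, the empty string never reaches overlays such as accesslog, so no empty reqAttr value is written.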