Full_Name: John Morrissey
Version: RE24
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (66.133.190.110)

libldap's ldap_url_parselist_int() splits URLs on spaces (" ") and commas (",") when parsing them. Commas in LDAP URLs do not need to be percent-encoded (in fact, section 4 of RFC 4516 has a number of examples with non-encoded commas).
This causes failure in situations like passing a full URL to ldap_initialize():
ldap_initialize("ldap://localhost/dc=example,dc=com");
Breakpoint 1, ldap_url_parselist_int (ludlist=0x7fff99b56470, url=0x400d10 "ldap://localhost:390/dc=example,dc=com", sep=0x0, flags=3) at url.c:1284
[...]
1293            urls = ldap_str2charray( url, sep );
(gdb)
1294            if (urls == NULL)
(gdb) print urls[0]
$1 = 0xb69280 "ldap://localhost:390/dc=example"
(gdb) print urls[1]
$2 = 0xb691b0 "dc=com"
ldap_url_parselist_int calls ldap_url_parse_ext() on urls[1], which returns LDAP_URL_ERR_BADSCHEME. This makes its way back to ldap_initialize()'s caller as LDAP_PARAM_ERROR.
The client tools accept comma-separated lists of URLs passed to -H. It seems better to modify ldap_url_parselist{,_int}() to split on spaces and use ldap_url_parselist_ext() to override this behavior where necessary for backwards compatibility (such as in client tools).
Perhaps this is a documentation bug. In that case, ldap_open(3) should mention this behavior, especially since it conflicts with RFC 4516.
From RFC 4516:
--
2.1. Percent-Encoding
A generated LDAP URL MUST consist only of the restricted set of characters included in one of the following three productions defined in [RFC3986]:
<reserved> <unreserved> <pct-encoded>
Implementations SHOULD accept other valid UTF-8 strings [RFC3629] as input. An octet MUST be encoded using the percent-encoding mechanism described in section 2.1 of [RFC3986] in any of these situations:
The octet is not in the reserved set defined in section 2.2 of [RFC3986] or in the unreserved set defined in section 2.3 of [RFC3986].
It is the single Reserved character '?' and occurs inside a <dn>, <filter>, or other element of an LDAP URL.
It is a comma character ',' that occurs inside an <exvalue>.
Note that before the percent-encoding mechanism is applied, the extensions component of the LDAP URL may contain one or more null (zero) bytes. No other component may.
--
And from RFC 2986:
--
2.2. Reserved Characters
[...]
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
--
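
The splitting behaviour described in this report, as an added example that is not part of the original submission and not libldap's code: split_and_check() and has_ldap_scheme() are hypothetical helpers that tokenise a URL list on a separator set and count the pieces that no longer start with an LDAP scheme. The two-host list using a.example and b.example is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the scheme check; not libldap code. */
static int has_ldap_scheme(const char *s, size_t len)
{
    static const char *schemes[] = { "ldap://", "ldaps://", "ldapi://" };
    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t n = strlen(schemes[i]);
        if (len >= n && strncmp(s, schemes[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Split list on any character in seps. Returns the number of pieces and
 * stores in *bad how many of them do not start with an LDAP scheme. */
int split_and_check(const char *list, const char *seps, int *bad)
{
    int pieces = 0;
    const char *p = list;

    *bad = 0;
    for (;;) {
        p += strspn(p, seps);            /* skip leading separators */
        if (*p == '\0')
            break;
        size_t len = strcspn(p, seps);   /* length of the next piece */
        pieces++;
        if (!has_ldap_scheme(p, len))
            (*bad)++;
        p += len;
    }
    return pieces;
}

int main(void)
{
    /* First entry is the URL from the report; second is constructed. */
    const char *lists[] = { "ldap://localhost/dc=example,dc=com",
        "ldap://a.example/dc=example,dc=com ldap://b.example/" };
    const char *seps[] = { " ,", " " };  /* space+comma vs. space only */

    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 2; j++) {
            int bad, n = split_and_check(lists[i], seps[j], &bad);
            printf("seps=\"%s\" pieces=%d bad=%d  %s\n", seps[j], n, bad, lists[i]);
        }
    return 0;
}
```

With space-only splitting, every piece keeps its scheme and the DN stays intact; with space and comma, each unencoded comma in a DN yields a scheme-less fragment such as "dc=com".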