From 32cd618e6c0d44e0f64409ceda8451cc4665e625 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Thu, 10 May 2012 16:18:37 +0200
Subject: LDB:ldb_tdb.c - deny multi-valued attributes manipulation with doublets This refers to LDB add operations as well, we have only to be careful on "@ATTRIBUTES" entries. E.g. dn: cn=testperson,cn=users,dc=...,dc=... objectClass: person url: www.example.com url: www.example.com should not work.
Signed-off-by: Andrew Bartlett
---
 lib/ldb/ldb_tdb/ldb_tdb.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
(limited to 'lib/ldb')
diff --git a/lib/ldb/ldb_tdb/ldb_tdb.c b/lib/ldb/ldb_tdb/ldb_tdb.c
index cc1586dc5c..3c181509c3 100644
--- a/lib/ldb/ldb_tdb/ldb_tdb.c
+++ b/lib/ldb/ldb_tdb/ldb_tdb.c
@@ -318,7 +318,7 @@ static int ltdb_add_internal(struct ldb_module *module,
 {
 struct ldb_context *ldb = ldb_module_get_ctx(module);
 int ret = LDB_SUCCESS;
- unsigned int i;
+ unsigned int i, j;
 for (i=0;inum_elements;i++) {
 struct ldb_message_element *el = &msg->elements[i];
@@ -336,6 +336,22 @@ static int ltdb_add_internal(struct ldb_module *module,
 el->name, ldb_dn_get_linearized(msg->dn));
 return LDB_ERR_CONSTRAINT_VIOLATION;
 }
+
+ /* Do not check "@ATTRIBUTES" for duplicated values */
+ if (ldb_dn_is_special(msg->dn) &&
+ ldb_dn_check_special(msg->dn, LTDB_ATTRIBUTES)) {
+ continue;
+ }
+
+ /* TODO: This is O(n^2) - replace with more efficient check */
+ for (j=0; jnum_values; j++) {
+ if (ldb_msg_find_val(el, &el->values[j]) != &el->values[j]) {
+ ldb_asprintf_errstring(ldb,
+ "attribute '%s': value #%u on '%s' provided more than once",
+ el->name, j, ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+ }
+ }
 }
 ret = ltdb_store(module, msg, TDB_INSERT);
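Review bot: The duplicate check added in the second `ltdb_add_internal` hunk relies on `ldb_msg_find_val(el, &el->values[j]) != &el->values[j]`, and as far as I know that helper compares values byte for byte rather than through the attribute's comparison rule, so two values that differ only in case or normalisation would presumably still be stored as distinct. If that is intended, say so next to the loop, e.g. `/* byte-exact comparison: values equal only under the attribute's matching rule are not rejected here */`. The scan is also quadratic in `el->num_values`, which appears to come straight from the add request, and no upper bound is visible in this hunk; the TODO records the cost but not that the count is caller-supplied, which is worth stating until the check is replaced. The modify-path hunk uses the same helper, and the body of `ltdb_add_internal` starts and ends outside the hunk.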
@@ -761,6 +777,7 @@ int ltdb_modify_internal(struct ldb_module *module,
 /* Check that values don't exist yet on multi-
 valued attributes or aren't provided twice */
+ /* TODO: This is O(n^2) - replace with more efficient check */
 for (j = 0; j < el->num_values; j++) {
 if (ldb_msg_find_val(el2, &el->values[j]) != NULL) {
 if (control_permissive) {
-- cgit