Issue 6307 - Wrong set of entries returned for some search filters
Bug description:
	When the server returns an entry to a search it
	checks both access and matching of the filter.
	When evaluating a '!' (NOT) logical expression the server,
	in a first phase, evaluates ONLY the right to access the
	related component (and its subcomponents).
	Then in a second phase it verifies the matching.
	If the related component is an OR, in the first phase it
	evaluates access AND matching, even if the call was
	to evaluate only access.
	This results in incoherent results.

Fix description:
	Make sure that when the function vattr_test_filter_list_or
	is called to only check access, it does not evaluate the matching.

relates: 389ds#6307

Reviewed by:
tbordaz committed Aug 22, 2024
1 parent e70c22f commit 66d8540
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions ldap/servers/slapd/filterentry.c
Expand Up @@ -948,14 +948,17 @@ slapi_vattr_filter_test_ext_internal(
break;

case LDAP_FILTER_NOT:
slapi_log_err(SLAPI_LOG_FILTER, "vattr_test_filter_list_NOT", "=>\n");
rc = slapi_vattr_filter_test_ext_internal(pb, e, f->f_not, verify_access, only_check_access, access_check_done);
if (verify_access && only_check_access) {
/* dont play with access control return codes
* do not negate return code */
slapi_log_err(SLAPI_LOG_FILTER, "vattr_test_filter_list_NOT only check access", "<= %d\n", rc);
break;
}
if (rc > 0) {
/* an error occurred or access denied, don't negate */
slapi_log_err(SLAPI_LOG_FILTER, "vattr_test_filter_list_NOT slapi_vattr_filter_test_ext_internal fails", "<= %d\n", rc);
break;
}
if (verify_access) {
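Review bot: The added slapi_log_err calls in the LDAP_FILTER_NOT case pass "vattr_test_filter_list_NOT" as the subsystem argument, which is not the enclosing function (the hunk header shows slapi_vattr_filter_test_ext_internal), and two of them fold message text into that argument ("vattr_test_filter_list_NOT only check access", "vattr_test_filter_list_NOT slapi_vattr_filter_test_ext_internal fails"). Suggest using one stable tag for all of them and moving the descriptive text into the format string, for example "<= %d (only check access)\n", so that filtering the log on the tag catches every exit path of the NOT case.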
Expand All @@ -980,6 +983,7 @@ slapi_vattr_filter_test_ext_internal(
/* filter verification only, no error */
rc = (rc == 0) ? -1 : 0;
}
slapi_log_err(SLAPI_LOG_FILTER, "vattr_test_filter_list_NOT", "<= %d\n", rc);
break;

default:
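Review bot: The exit trace added after `rc = (rc == 0) ? -1 : 0;` logs only the rewritten rc, so on this path the trace no longer shows what the evaluation of f->f_not returned. Since the bug being fixed is about which phase produced which result, suggest logging the pre-negation value alongside the final one (or emitting a trace line before the negation) so the two can be told apart when reading a SLAPI_LOG_FILTER trace.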
Expand Down Expand Up @@ -1084,6 +1088,13 @@ vattr_test_filter_list_or(
continue;
}
}
/* we are not evaluating if the entry matches
* but only that we have access to ALL components
* so check the next one
*/
if (only_check_access) {
continue;
}
/* now check if filter matches */
/*
* We can NOT skip this because we need to know if the item we matched on
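Review bot: The new guard in vattr_test_filter_list_or tests only `only_check_access`, while the LDAP_FILTER_NOT case in the same file tests `verify_access && only_check_access`; either use the same condition here or state in the comment that only_check_access is never set without verify_access. The comment should also say what the function returns once the loop has continued past every component in this mode, because the NOT caller treats rc > 0 as error or access denied and that return path is not visible in this hunk. The commit changes a single file and adds no test, so a regression test for a NOT-of-OR filter, as described in the commit message, would be worth adding with this change.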