From 1f48583b8f75e24a153e0a6652a070f6e95a479a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come.chilliet@fusiondirectory.org>
Date: Tue, 8 Oct 2019 10:22:49 +0200
Subject: [PATCH] :sparkles: feat(acl) Add a hard limit of 100 targets matched
 for an ACL target filter

This avoids performance problems and RAM exhaustion.

issue #5531
---
 include/class_userinfo.inc | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/include/class_userinfo.inc b/include/class_userinfo.inc
index e4291b526..968185b6d 100644
--- a/include/class_userinfo.inc
+++ b/include/class_userinfo.inc
@@ -137,6 +137,7 @@ class userinfo
     $this->reset_acl_cache();
     $ldap = $config->get_ldap_link();
     $ldap->cd($config->current['BASE']);
+    $targetFilterLimit  = 100;
 
     /* Get member groups... */
     $ldap->search('(&(objectClass=groupOfNames)(member='.ldap_escape_f($this->dn).'))', ['dn']);
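Review bot: The cap is introduced as an untyped local, `$targetFilterLimit  = 100;` (note the double space), inside what looks like the method body, so nothing outside this method can see or tune it and the value has no documented rationale. A class constant would be the idiomatic home for it, e.g. `const TARGET_FILTER_LIMIT = 100; // max entries an ACL targetfilter may match; see #5531`, with the later hunk reading `self::TARGET_FILTER_LIMIT` instead of the local. The enclosing method starts and ends outside the hunk.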
@@ -229,12 +230,24 @@ class userinfo
 
         if (!empty($ACLRule['targetfilter'])) {
           $ldap->cd($dn);
+          $ldap->set_size_limit($targetFilterLimit);
           $targetFilter = templateHandling::parseString($ACLRule['targetfilter'], $this->cachedAttrs, 'ldap_escape_f');
           $ldap->search($targetFilter, ['dn']);
+          if ($ldap->hitSizeLimit()) {
+            msg_dialog::display(
+              _('Error'),
+              sprintf(
+                _('An ACL assignment for the connected user matched more than than the %d objects limit. This user will not have the ACL rights he should.'),
+                $targetFilterLimit
+              ),
+              ERROR_DIALOG
+            );
+          }
           $targetDns = [];
           while ($targetAttrs = $ldap->fetch()) {
             $targetDns[] = $targetAttrs['dn'];
           }
+          $ldap->set_size_limit(0);
         } else {
           $targetDns = [$dn];
         }
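Review bot: The size limit set at line 30 is only cleared at line 47 on the normal path, so if `templateHandling::parseString()` or `$ldap->search()` throws in between, the link obtained from `$config->get_ldap_link()` (which appears to be shared for the request) keeps the 100-entry cap and every later search on it is silently truncated; wrap lines 30–47 in `try { … } finally { $ldap->set_size_limit(0); }` so the reset always runs. When `hitSizeLimit()` fires the loop below still loads the partial `$targetDns`, so the user proceeds with a subset of the intended targets while only the dialog, shown to that user rather than to an administrator, records it; logging the truncated filter through the project's server-side logging as well would let the person who can fix the filter actually see it. The dialog text also has a typo, `more than than` → `more than`. The enclosing loop and method start and end outside the hunk.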
-- 
GitLab