From 4c1f1fe39c6e75a377f46d2f9a60749244c1247a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 8 Aug 2023 11:18:46 +1200
Subject: [PATCH] CVE-2023-4154 dsdb/tests: Speed up DirSync test by only
 checking positive matches once

When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/dsdb/tests/python/confidential_attr.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/source4/dsdb/tests/python/confidential_attr.py b/source4/dsdb/tests/python/confidential_attr.py
index ee7f554a008..678a5a82948 100755
--- a/source4/dsdb/tests/python/confidential_attr.py
+++ b/source4/dsdb/tests/python/confidential_attr.py
@@ -742,7 +742,13 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon):
         #   want to weed out results from any previous test runs
         search = "(&{0}{1})".format(expr, self.extra_filter)
 
-        for attr in self.attr_filters:
+        # If we expect to return multiple results, only check the first
+        if expected_num > 0:
+            attr_filters = [self.attr_filters[0]]
+        else:
+            attr_filters = self.attr_filters
+
+        for attr in attr_filters:
             res = samdb.search(base_dn, expression=search, scope=SCOPE_SUBTREE,
                                attrs=attr, controls=self.dirsync)
             self.assertEqual(len(res), expected_num,
-- 
2.34.1