ClusterLabs · nrwahl2 · Dec 26, 2025 · Dec 26, 2025 · Dec 26, 2025 · Dec 26, 2025
diff --git a/include/crm/common/xml_element_internal.h b/include/crm/common/xml_element_internal.h
@@ -37,6 +37,12 @@ extern "C" {
 
 const char *pcmk__xe_add_last_written(xmlNode *xe);
 
+bool pcmk__xe_foreach_attr(xmlNode *xml, bool (*fn)(xmlAttr *, void *),
+                           void *user_data);
+bool pcmk__xe_foreach_const_attr(const xmlNode *xml,
+                                 bool (*fn)(const xmlAttr *, void *),
+                                 void *user_data);
+
 xmlNode *pcmk__xe_first_child(const xmlNode *parent, const char *node_name,
                               const char *attr_n, const char *attr_v);
 

diff --git a/include/crm/pengine/internal.h b/include/crm/pengine/internal.h
@@ -246,7 +246,7 @@ pe_base_name_eq(const pcmk_resource_t *rsc, const char *id)
         // Number of characters in rsc->id before any clone suffix
         size_t base_len = pe_base_name_end(rsc->id) - rsc->id + 1;
 
-        return (strlen(id) == base_len) && !strncmp(id, rsc->id, base_len);
+        return (strlen(id) == base_len) && g_str_has_prefix(rsc->id, id);
     }
     return false;
 }

diff --git a/lib/common/acl.c b/lib/common/acl.c
@@ -764,30 +764,28 @@ is_mode_allowed(uint32_t flags, enum pcmk__xml_flags mode)
         return false;
     }
 
-    if (pcmk__is_set(flags, mode)) {
-        // The access we requested is explicitly allowed
-        return true;
-    }
-
-    if ((mode == pcmk__xf_acl_read)
-        && pcmk__is_set(flags, pcmk__xf_acl_write)) {
+    switch (mode) {
+        case pcmk__xf_acl_read:
+            // Write access provides read access
+            return pcmk__any_flags_set(flags,
+                                       pcmk__xf_acl_read|pcmk__xf_acl_write);
 
-        // Write access provides read access
-        return true;
-    }
+        case pcmk__xf_acl_write:
+            return pcmk__is_set(flags, pcmk__xf_acl_write);
 
-    if ((mode == pcmk__xf_acl_create)
-        && pcmk__any_flags_set(flags, pcmk__xf_acl_write|pcmk__xf_created)) {
+        case pcmk__xf_acl_create:
+            /* Write access provides create access.
+             *
+             * @TODO Why does the \c pcmk__xf_created flag provide create
+             * access? This was introduced by commit e2ed85fe.
+             */
+            return pcmk__any_flags_set(flags,
+                                       pcmk__xf_acl_write|pcmk__xf_created);
 
-        /* Write access provides create access.
-         *
-         * @TODO Why does the \c pcmk__xf_created flag provide create access?
-         * This was introduced by commit e2ed85fe.
-         */
-        return true;
+        default:
+            // Invalid mode
+            return false;
     }
-
-    return false;
 }
 
 /*!
@@ -951,28 +949,29 @@ xml_acl_filtered_copy(const char *user, xmlNode *acl_source, xmlNode *xml,
  *
  * \param[in] xml  XML element to check
  *
- * \return true if XML element is implicitly allowed, false otherwise
+ * \return \c true if XML element is implicitly allowed, or \c false otherwise
  */
 static bool
-implicitly_allowed(const xmlNode *xml)
+implicitly_allowed(xmlNode *xml)
 {
-    GString *path = NULL;
+    for (xmlAttr *attr = pcmk__xe_first_attr(xml); attr != NULL;
+         attr = attr->next) {
 
-    for (xmlAttr *prop = xml->properties; prop != NULL; prop = prop->next) {
-        if (strcmp((const char *) prop->name, PCMK_XA_ID) != 0) {
+        if (attr_is_not_id(attr, NULL)) {
             return false;
         }
     }
 
-    path = pcmk__element_xpath(xml);
-    pcmk__assert(path != NULL);
-
-    if (strstr((const char *) path->str, "/" PCMK_XE_ACLS "/") != NULL) {
-        g_string_free(path, TRUE);
-        return false;
+    /* Creation is not implicitly allowed for a descendant of PCMK_XE_ACLS, but
+     * it may be for PCMK_XE_ACLS itself. Start checking at xml->parent and walk
+     * up the tree.
+     */
+    for (xml = xml->parent; xml != NULL; xml = xml->parent) {
+        if (pcmk__xe_is(xml, PCMK_XE_ACLS)) {
+            return false;
+        }
     }
 
-    g_string_free(path, TRUE);
     return true;
 }
 

diff --git a/lib/common/actions.c b/lib/common/actions.c
@@ -266,7 +266,8 @@ match_before(const char *key, size_t position, const char **matches)
             const size_t possible = position - match_len - 1;
 
             if ((key[possible] == '_')
-                && (strncmp(key + possible + 1, matches[i], match_len) == 0)) {
+                && g_str_has_prefix(key + possible + 1, matches[i])) {
+
                 return possible;
             }
         }

diff --git a/lib/common/digest.c b/lib/common/digest.c
@@ -300,10 +300,10 @@ pcmk__xa_filterable(const char *name)
 static bool
 should_filter_for_digest(xmlAttrPtr a, void *user_data)
 {
-    if (strncmp((const char *) a->name, CRM_META "_",
-                sizeof(CRM_META " ") - 1) == 0) {
+    if (g_str_has_prefix((const char *) a->name, CRM_META "_")) {
         return true;
     }
+
     return pcmk__str_any_of((const char *) a->name,
                             PCMK_XA_ID,
                             PCMK_XA_CRM_FEATURE_SET,

diff --git a/lib/common/ipc_client.c b/lib/common/ipc_client.c
@@ -1747,8 +1747,9 @@ pcmk__ipc_is_authentic_process_active(const char *name, uid_t refuid,
     }
 
     rc = pcmk_rc_ok;
-    if ((found_uid != refuid || found_gid != refgid)
-            && strncmp(last_asked_name, name, sizeof(last_asked_name))) {
+    if (((found_uid != refuid) || (found_gid != refgid))
+        && !pcmk__str_eq(name, last_asked_name, pcmk__str_none)) {
+
         if ((found_uid == 0) && (refuid != 0)) {
             pcmk__warn("Daemon (IPC %s) runs as root, whereas the expected "
                        "credentials are %lld:%lld, hazard of violating the "