database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-03 09:13:20 +03:00
Code Activity

Set include_realm=1 default in parse_hba_line

Browse Source 
With include_realm=1 being set down in parse_hba_auth_opt, if multiple
options are passed on the pg_hba line, such as:

host all     all    0.0.0.0/0    gss include_realm=0 krb_realm=XYZ.COM

We would mistakenly reset include_realm back to 1.  Instead, we need to
set include_realm=1 up in parse_hba_line, prior to parsing any of the
additional options.

Discovered by Jeff McCormick during testing.

Bug introduced by 9a08841.

Back-patch to 9.5
This commit is contained in:
Stephen Frost
2015-11-06 11:18:27 -05:00
parent 8a1fab36ab
commit 5644419b3d
1 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/backend/libpq/hba.c
View File

@@ -1274,6 +1274,19 @@ parse_hba_line(List *line, int line_num, char *raw_line)
return NULL; return NULL;
} }
/*
* For GSS and SSPI, set the default value of include_realm to true.
* Having include_realm set to false is dangerous in multi-realm
* situations and is generally considered bad practice. We keep the
* capability around for backwards compatibility, but we might want to
* remove it at some point in the future. Users who still need to strip
* the realm off would be better served by using an appropriate regex in a
* pg_ident.conf mapping.
*/
if (parsedline->auth_method == uaGSS ||
parsedline->auth_method == uaSSPI)
parsedline->include_realm = true;
/* Parse remaining arguments */ /* Parse remaining arguments */
while ((field = lnext(field)) != NULL) while ((field = lnext(field)) != NULL)
{ {
@@ -1376,19 +1389,6 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
hbaline->ldapscope = LDAP_SCOPE_SUBTREE; hbaline->ldapscope = LDAP_SCOPE_SUBTREE;
#endif #endif
/*
* For GSS and SSPI, set the default value of include_realm to true.
* Having include_realm set to false is dangerous in multi-realm
* situations and is generally considered bad practice. We keep the
* capability around for backwards compatibility, but we might want to
* remove it at some point in the future. Users who still need to strip
* the realm off would be better served by using an appropriate regex in a
* pg_ident.conf mapping.
*/
if (hbaline->auth_method == uaGSS ||
hbaline->auth_method == uaSSPI)
hbaline->include_realm = true;
if (strcmp(name, "map") == 0) if (strcmp(name, "map") == 0)
{ {
if (hbaline->auth_method != uaIdent && if (hbaline->auth_method != uaIdent &&