
Commit 5644419

Set include_realm=1 default in parse_hba_line

With include_realm=1 being set down in parse_hba_auth_opt, if multiple options are passed on the pg_hba line, such as:

host all all 0.0.0.0/0 gss include_realm=0 krb_realm=XYZ.COM

We would mistakenly reset include_realm back to 1. Instead, we need to set include_realm=1 up in parse_hba_line, prior to parsing any of the additional options.

Discovered by Jeff McCormick during testing.

Bug introduced by 9a08841.

Back-patch to 9.5

1 parent 8a1fab3 commit 5644419

1 file changed

+13
-13
lines changed

src/backend/libpq/hba.c

+13-13
Original file line number | Diff line number | Diff line change
@@ -1274,6 +1274,19 @@ parse_hba_line(List *line, int line_num, char *raw_line)
12741274
return NULL;
12751275
}
12761276

1277+
/*
1278+
* For GSS and SSPI, set the default value of include_realm to true.
1279+
* Having include_realm set to false is dangerous in multi-realm
1280+
* situations and is generally considered bad practice. We keep the
1281+
* capability around for backwards compatibility, but we might want to
1282+
* remove it at some point in the future. Users who still need to strip
1283+
* the realm off would be better served by using an appropriate regex in a
1284+
* pg_ident.conf mapping.
1285+
*/
1286+
if (parsedline->auth_method == uaGSS ||
1287+
parsedline->auth_method == uaSSPI)
1288+
parsedline->include_realm = true;
1289+
12771290
/* Parse remaining arguments */
12781291
while ((field = lnext(field)) != NULL)
12791292
{
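Review bot: The relocated comment above the new `if (parsedline->auth_method == uaGSS || ...)` block explains why the default is true, but not why the assignment has to sit here, ahead of the "Parse remaining arguments" loop. Add a sentence stating that the default must be applied once per line before any option is parsed, so that an explicit include_realm=0 is not overwritten when further options such as krb_realm follow; without that, a later cleanup could move it back into parse_hba_auth_opt. The commit changes only hba.c, so a regression test using a line that carries include_realm=0 plus a second option would also be worth adding.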
@@ -1376,19 +1389,6 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
13761389
hbaline->ldapscope = LDAP_SCOPE_SUBTREE;
13771390
#endif
13781391

1379-
/*
1380-
* For GSS and SSPI, set the default value of include_realm to true.
1381-
* Having include_realm set to false is dangerous in multi-realm
1382-
* situations and is generally considered bad practice. We keep the
1383-
* capability around for backwards compatibility, but we might want to
1384-
* remove it at some point in the future. Users who still need to strip
1385-
* the realm off would be better served by using an appropriate regex in a
1386-
* pg_ident.conf mapping.
1387-
*/
1388-
if (hbaline->auth_method == uaGSS ||
1389-
hbaline->auth_method == uaSSPI)
1390-
hbaline->include_realm = true;
1391-
13921392
if (strcmp(name, "map") == 0)
13931393
{
13941394
if (hbaline->auth_method != uaIdent &&
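Review bot: The context line `hbaline->ldapscope = LDAP_SCOPE_SUBTREE;` just above the removed block is still assigned in parse_hba_auth_opt ahead of the option-name checks, which is the same pattern this change removes for include_realm. If that assignment runs on every option, an explicit ldapscope setting followed by another option would be reset to LDAP_SCOPE_SUBTREE in the same way; consider moving that default into parse_hba_line as well, next to the new include_realm default.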
