author | Stephen Frost <sfrost@snowman.net> | 2015-11-06 11:18:33 -0500 |
---|---|---|
committer | Stephen Frost <sfrost@snowman.net> | 2015-11-06 11:18:33 -0500 |
commit | 695012a0d585844130bf3d82ad0b4ebe0b7bf581 (patch) | |
tree | 5a331bf43f7d6ef7ab1396f9cf1c2486292c89bd /src/backend | |
parent | 4d867458fce3743adc95ad6513c9d2dea87cd7f4 (diff) | |
Set include_realm=1 default in parse_hba_line

With include_realm=1 being set down in parse_hba_auth_opt, if multiple
options are passed on the pg_hba line, such as:

host all all 0.0.0.0/0 gss include_realm=0 krb_realm=XYZ.COM

We would mistakenly reset include_realm back to 1. Instead, we need to
set include_realm=1 up in parse_hba_line, prior to parsing any of the
additional options.

Discovered by Jeff McCormick during testing.

Bug introduced by 9a08841.

Back-patch to 9.5
Diffstat (limited to 'src/backend')
-rw-r--r-- | src/backend/libpq/hba.c | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 7a935f34b58..97afce3e57a 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1274,6 +1274,19 @@ parse_hba_line(List *line, int line_num, char *raw_line) return NULL; } + /* + * For GSS and SSPI, set the default value of include_realm to true. + * Having include_realm set to false is dangerous in multi-realm + * situations and is generally considered bad practice. We keep the + * capability around for backwards compatibility, but we might want to + * remove it at some point in the future. Users who still need to strip + * the realm off would be better served by using an appropriate regex in a + * pg_ident.conf mapping. + */ + if (parsedline->auth_method == uaGSS || + parsedline->auth_method == uaSSPI) + parsedline->include_realm = true; + /* Parse remaining arguments */ while ((field = lnext(field)) != NULL) { @@ -1376,19 +1389,6 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) hbaline->ldapscope = LDAP_SCOPE_SUBTREE; #endif - /* - * For GSS and SSPI, set the default value of include_realm to true. - * Having include_realm set to false is dangerous in multi-realm - * situations and is generally considered bad practice. We keep the - * capability around for backwards compatibility, but we might want to - * remove it at some point in the future. Users who still need to strip - * the realm off would be better served by using an appropriate regex in a - * pg_ident.conf mapping. - */ - if (hbaline->auth_method == uaGSS || - hbaline->auth_method == uaSSPI) - hbaline->include_realm = true; - if (strcmp(name, "map") == 0) { if (hbaline->auth_method != uaIdent && |
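Review bot: the comment added in parse_hba_line (first hunk, just above "Parse remaining arguments") explains why include_realm defaults to true but not why the assignment has to sit at this spot. The ordering is the whole fix: the default must be in place before the while loop walks the remaining fields, so that an explicit include_realm=0 on the line is not overwritten when a later option is parsed. Please add a sentence to that effect so the block is not moved back into the option parser later. The diffstat shows only hba.c changing, so nothing exercises the line from the commit message (include_realm=0 followed by krb_realm=XYZ.COM); a test that parses such a line and checks the resulting include_realm value would guard against this regression.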
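Review bot: in the second hunk, the context line hbaline->ldapscope = LDAP_SCOPE_SUBTREE; directly above the removed block is still assigned inside parse_hba_auth_opt. The commit message says a default set in this function is reapplied when several options appear on one pg_hba line, so this assignment looks open to the same reset. Please confirm whether an earlier option on the line can set ldapscope and, if it can, move this default up into parse_hba_line alongside the include_realm one.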