Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit5644419

Browse files
committed
Set include_realm=1 default in parse_hba_line
With include_realm=1 being set down in parse_hba_auth_opt, if multipleoptions are passed on the pg_hba line, such as:host all all 0.0.0.0/0 gss include_realm=0 krb_realm=XYZ.COMWe would mistakenly reset include_realm back to 1. Instead, we need toset include_realm=1 up in parse_hba_line, prior to parsing any of theadditional options.Discovered by Jeff McCormick during testing.Bug introduced by9a08841.Back-patch to 9.5
1 parent8a1fab3 commit5644419

File tree

1 file changed

+13
-13
lines changed

1 file changed

+13
-13
lines changed

‎src/backend/libpq/hba.c

Lines changed: 13 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1274,6 +1274,19 @@ parse_hba_line(List *line, int line_num, char *raw_line)
12741274
returnNULL;
12751275
}
12761276

1277+
/*
1278+
* For GSS and SSPI, set the default value of include_realm to true.
1279+
* Having include_realm set to false is dangerous in multi-realm
1280+
* situations and is generally considered bad practice. We keep the
1281+
* capability around for backwards compatibility, but we might want to
1282+
* remove it at some point in the future. Users who still need to strip
1283+
* the realm off would be better served by using an appropriate regex in a
1284+
* pg_ident.conf mapping.
1285+
*/
1286+
if (parsedline->auth_method==uaGSS||
1287+
parsedline->auth_method==uaSSPI)
1288+
parsedline->include_realm= true;
1289+
12771290
/* Parse remaining arguments */
12781291
while ((field=lnext(field))!=NULL)
12791292
{
@@ -1376,19 +1389,6 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
13761389
hbaline->ldapscope=LDAP_SCOPE_SUBTREE;
13771390
#endif
13781391

1379-
/*
1380-
* For GSS and SSPI, set the default value of include_realm to true.
1381-
* Having include_realm set to false is dangerous in multi-realm
1382-
* situations and is generally considered bad practice. We keep the
1383-
* capability around for backwards compatibility, but we might want to
1384-
* remove it at some point in the future. Users who still need to strip
1385-
* the realm off would be better served by using an appropriate regex in a
1386-
* pg_ident.conf mapping.
1387-
*/
1388-
if (hbaline->auth_method==uaGSS||
1389-
hbaline->auth_method==uaSSPI)
1390-
hbaline->include_realm= true;
1391-
13921392
if (strcmp(name,"map")==0)
13931393
{
13941394
if (hbaline->auth_method!=uaIdent&&

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp