Commit 5644419

Set include_realm=1 default in parse_hba_line
With include_realm=1 being set down in parse_hba_auth_opt, if multiple options are passed on the pg_hba line, such as:

host all all 0.0.0.0/0 gss include_realm=0 krb_realm=XYZ.COM

We would mistakenly reset include_realm back to 1. Instead, we need to set include_realm=1 up in parse_hba_line, prior to parsing any of the additional options.

Discovered by Jeff McCormick during testing.

Bug introduced by 9a08841.

Back-patch to 9.5
1 parent 8a1fab3 commit 5644419
1 file changed: +13 -13 lines changed
‎src/backend/libpq/hba.c

@@ -1274,6 +1274,19 @@ parse_hba_line(List *line, int line_num, char *raw_line)
12741274
return NULL;
12751275
}
12761276

1277+
/*
1278+
* For GSS and SSPI, set the default value of include_realm to true.
1279+
* Having include_realm set to false is dangerous in multi-realm
1280+
* situations and is generally considered bad practice. We keep the
1281+
* capability around for backwards compatibility, but we might want to
1282+
* remove it at some point in the future. Users who still need to strip
1283+
* the realm off would be better served by using an appropriate regex in a
1284+
* pg_ident.conf mapping.
1285+
*/
1286+
if (parsedline->auth_method == uaGSS ||
1287+
parsedline->auth_method == uaSSPI)
1288+
parsedline->include_realm = true;
1289+
12771290
/* Parse remaining arguments */
12781291
while ((field = lnext(field)) != NULL)
12791292
{
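Review bot: The comment moved in above `if (parsedline->auth_method == uaGSS ||` explains why the default is true, but not why the assignment has to sit here, ahead of the `/* Parse remaining arguments */` loop. That ordering is the entire fix, so the comment should say that defaults are assigned before any option is parsed so that an explicit include_realm=0 on the line is not overwritten by a later option. Otherwise a future refactor could push the block back into the per-option path. The change also touches only hba.c, so nothing guards against regression of the multi-option line from the commit message (gss include_realm=0 krb_realm=XYZ.COM); a test that parses that line and checks include_realm stays false would cover it.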
@@ -1376,19 +1389,6 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
13761389
hbaline->ldapscope = LDAP_SCOPE_SUBTREE;
13771390
#endif
13781391

1379-
/*
1380-
* For GSS and SSPI, set the default value of include_realm to true.
1381-
* Having include_realm set to false is dangerous in multi-realm
1382-
* situations and is generally considered bad practice. We keep the
1383-
* capability around for backwards compatibility, but we might want to
1384-
* remove it at some point in the future. Users who still need to strip
1385-
* the realm off would be better served by using an appropriate regex in a
1386-
* pg_ident.conf mapping.
1387-
*/
1388-
if (hbaline->auth_method == uaGSS ||
1389-
hbaline->auth_method == uaSSPI)
1390-
hbaline->include_realm = true;
1391-
13921392
if (strcmp(name, "map") == 0)
13931393
{
13941394
if (hbaline->auth_method != uaIdent &&
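Review bot: The context line `hbaline->ldapscope = LDAP_SCOPE_SUBTREE;` directly above the removed block looks like the same pattern this commit is fixing. It is an assignment in parse_hba_auth_opt that sits ahead of the `strcmp(name, ...)` dispatch, so it would run once for every option on the line. It is worth checking whether an earlier option can set ldapscope and then have it reset when a later option is parsed. If so, that default belongs in parse_hba_line alongside the include_realm one. A short comment at the top of parse_hba_auth_opt noting that it is called per option and must not assign defaults would keep this class of bug from coming back.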
