From cbdae9a9dc2a6af5551d26b32c8d473e1e0ce773 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 30 Mar 2020 15:26:02 -0400
Subject: [PATCH] Correctly import "service@" GSS host-based name
The intended way to specify only a service in a GSS host-based name is
to omit the "@" separator. Some applications include the separator
but no hostname, and this happened to yield wildcard hostname behavior
prior to commit 996353767fe8afa7f67a3b5b465e4d70e18bad7c when
shortname qualification was added. To restore this behavior, check in
parse_hostbased() that at least one character is present after the "@"
separator before copying the hostname. Add a test case to t_gssapi.py.
ticket: 8892
tags: pullup
target_version: 1.18-next
(cherry picked from commit a2f047af0400ba8080dc26033fae2b17534501e2)
(cherry picked from commit dd4364d76925ce1fe21c2ab995554d6af3a2ea12)
---
src/lib/gssapi/krb5/import_name.c | 4 ++--
src/tests/gssapi/t_gssapi.py | 3 +++
2 files changed, 5 insertions(+), 2 deletions(-)
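--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -102,8 +102,8 @@ parse_hostbased(const char *str, size_t len,
 memcpy(service, str, servicelen);
 service[servicelen] = '\0';
 
- /* If present, copy the hostname. */
- if (at != NULL) {
+ /* Copy the hostname if present (at least one character after '@'). */
+ if (len - servicelen > 1) {
 hostlen = len - servicelen - 1;
 host = malloc(hostlen + 1);
 if (host == NULL) {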
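Review bot: The new test `len - servicelen > 1` is unsigned arithmetic and is only correct while servicelen never exceeds len; that invariant is set up above the hunk and deserves a mention next to the condition, together with what an empty host means for callers. Per the commit description a trailing '@' now imports as a service-only name with wildcard hostname behavior, so an application that concatenates "service@" with an empty hostname ends up with a name that is not bound to one host. I would write the comment as `/* Copy the hostname if at least one character follows '@'; "service@" is imported as service-only (any host). Relies on servicelen <= len. */`. parse_hostbased starts and ends outside the hunk, so the servicelen computation is assumed here, not shown.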
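--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -47,6 +47,9 @@ realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'],
 expected_msg='service2/calvin')
 realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1,
 expected_msg=' found in keytab but does not match server principal')
+# Regression test for #8892 (trailing @ in name).
+realm.run(['./t_accname', 'p:service1/andrew', 'h:service1@'],
+ expected_msg='service1/abraham')
 
 # Test with acceptor name containing service and host. Use the
 # client's un-canonicalized hostname as acceptor input to mirror what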
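Review bot: The regression test covers only the accepting case for a trailing '@'; nothing checks that 'h:service1@' still rejects a ticket for a different service, the way the 'h:service1' mismatch case just above it does. Since the fix makes "service@" behave as a service-only name, a negative case would pin that the wildcard applies to the host part only: `realm.run(['./t_accname', 'p:service2/calvin', 'h:service1@'], expected_code=1,` followed by `expected_msg=' found in keytab but does not match server principal')`. The expected message is assumed to match the 'h:service1' case; confirm it against t_accname's output before adding.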