[krbdev.mit.edu #5499] Re: slightly expanded wildcard support for kadm5.acl
Mike Dopheide via RT
rt-comment at krbdev.mit.edu
Fri Mar 30 19:03:06 EDT 2007
diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
--- krb5-1.6/src/lib/kadm5/srv/server_acl.c 2006-06-16 01:58:42.000000000 -0500
+++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 16:29:24.000000000 -0500
@@ -543,7 +543,8 @@
/*
* kadm5int_acl_match_data() - See if two data entries match.
*
- * Wildcarding is only supported for a whole component.
+ * Wildcarding is only supported at the beginning, end, or as a
+ * whole component.
*/
static krb5_boolean
kadm5int_acl_match_data(e1, e2, targetflag, ws)
@@ -552,12 +553,41 @@
wildstate_t *ws;
{
krb5_boolean retval;
+ int cmplen=0;
+ int e2offset;
+ int e1offset;
DPRINT(DEBUG_CALLS, acl_debug_level,
("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
retval = 0;
- if (!strncmp(e1->data, "*", e1->length)) {
- retval = 1;
+
+ if(strchr(e1->data, '*')){
+ if(e1->length == 1){
+ /* whole component matches wildcard */
+ retval = 1;
+
+ }else if(e1->data[0] == '*'){
+ /* wildcard at beginning of component */
+ cmplen = e1->length - 1;
+ e2offset = e2->length - cmplen;
+ e1offset = 1;
+
+ }else if(e1->data[e1->length-1] == '*'){
+ /* wildcard at end of component */
+ cmplen = e1->length - 1;
+ if(e2->length < cmplen){
+ e2offset = -1;
+ }else{
+ e2offset=0;
+ e1offset=0;
+ }
+ }
+
+ /* Compare beginning or end of e2->data depending on offsets above */
+ if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0)){
+ retval = 1;
+ }
+
if (ws && !targetflag) {
if (ws->nwild >= 9) {
DPRINT(DEBUG_ACL, acl_debug_level,
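Review bot: The `strncmp(e1->data+e1offset, e2->data+e2offset, cmplen)` call is evaluated before the `e2offset >= 0` guard in the same condition, so a leading-wildcard entry compared against a shorter component (negative `e2offset`), or the short-target case of the trailing-wildcard branch (`e2offset = -1`, `e1offset` never assigned), reads outside `e2->data` in code that decides kadmin authorization. Both offsets are also read uninitialized when the `*` sits in the middle of the component or the component is exactly `*`. Initializing the offsets, bounding the leading-wildcard branch on `e2->length`, and moving the guards ahead of `strncmp` closes this, as sketched below. Separately, `strchr(e1->data, '*')` relies on NUL termination that nothing in the hunk guarantees for a length-counted buffer; `memchr(e1->data, '*', e1->length)` would stay inside the stated length. The function body continues past the end of the hunk.

```c
    int cmplen = 0;
    int e2offset = -1;      /* -1 means "no comparison possible" */
    int e1offset = 0;
    /* … unchanged: DPRINT call, retval = 0, whole-component branch … */
        }else if(e1->data[0] == '*'){
            /* wildcard at beginning of component */
            cmplen = e1->length - 1;
            if(e2->length >= cmplen){
                e2offset = e2->length - cmplen;
                e1offset = 1;
            }
    /* … unchanged: trailing-wildcard branch … */
        /* Check the guards first so strncmp never sees a bad offset */
        if((cmplen != 0) && (e2offset >= 0) &&
           (strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0)){
            retval = 1;
        }
```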