[krbdev.mit.edu #8175] krb5_aname_to_localname() and regcomp()
"Richard E. Silverman" via RT
rt-comment at krbdev.mit.edu
Thu May 7 08:38:21 EDT 2015
If the host has regcomp(), MIT Kerberos krb5_aname_to_localname() uses it, calling it with REG_EXTENDED. This means that parentheses should be usable for grouping within the regular expression. This doesn't work, however, because parentheses delimit the regular expression portion of an auth_to_local rule:
[krb5.conf(5)]
auth_to_local
...
RULE:exp
The local name will be formulated from exp.
The format for exp is [n:$d..string](regexp)s/pattern/replacement/g ...
and the code uses the *first* right parenthesis found after the opening one to determine the end of the expression:
[localauth_rule.c:aname_do_match()]
/* Find the end of the regexp and make a copy of it. */
startp = *contextp + 1;
endp = strchr(startp, ')');
So, a rule like this:
auth_to_local = RULE:[1:$1@$0](^(steve|stephen|steven)@REALM$)s/.*/stephen/
is misinterpreted, since regcomp is called with the expression "^(steve|stephen|steven".
(Checked in MIT Kerberos 1.13.1 and a few older versions.)
Thanks,
--
Richard E. Silverman
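
The truncation described in the report above, reproduced as an added example that is not part of the original message or the MIT Kerberos source. The first function mirrors the quoted strchr() lookup; balanced_len() is a hypothetical depth-tracking alternative shown only for comparison, and SAMPLE, the function names and the 128-byte buffer are assumptions of this example.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: rule text from the report, from the '(' opening the regexp. */
static const char SAMPLE[] = "(^(steve|stephen|steven)@REALM$)s/.*/stephen/";

/* Regexp length as the quoted code finds it: the first ')' ends the regexp. */
static size_t first_paren_len(const char *open)
{
    const char *endp = strchr(open + 1, ')');
    return endp ? (size_t)(endp - (open + 1)) : 0;
}

/* Hypothetical alternative: track nesting depth, skip backslash escapes ([)] not handled). */
static size_t balanced_len(const char *open)
{
    int depth = 1;
    for (const char *p = open + 1; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;                       /* skip the escaped character */
        else if (*p == '(')
            depth++;
        else if (*p == ')' && --depth == 0)
            return (size_t)(p - (open + 1));
    }
    return 0;                          /* no closing parenthesis found */
}

/* Copy len bytes of the regexp and return regcomp()'s status (0 = compiled). */
static int compile_status(const char *open, size_t len)
{
    regex_t re;
    char buf[128];
    if (len >= sizeof(buf)) return -1;
    memcpy(buf, open + 1, len);
    buf[len] = '\0';
    int rc = regcomp(&re, buf, REG_EXTENDED);
    if (rc == 0) regfree(&re);
    return rc;
}

int main(void)
{
    size_t a = first_paren_len(SAMPLE), b = balanced_len(SAMPLE);
    printf("first ')': %.*s -> regcomp %d\n", (int)a, SAMPLE + 1, compile_status(SAMPLE, a));
    printf("balanced : %.*s -> regcomp %d\n", (int)b, SAMPLE + 1, compile_status(SAMPLE, b));
    return 0;
}
```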