[Pki-devel] [PATCH] 0140 Allow ':' to appear in ACL expressions
Fraser Tweedale
ftweedal at redhat.com
Tue Nov 29 09:08:48 UTC 2016
With current ACL parsing, if you have a ':' in a group name (as
occurs with FreeIPA permissions, which matter for upcoming external
principal support) you are stuffed. This commit fixes that.
It is really a band aid - the existing parsing code is poor and
should be replaced with a nice combinatorial parser... but who has
the time for that right now? ¯\_(ツ)_/¯
Note that if there is a ':' in any of the ACL descriptions/comments
(the final field) this change breaks it. We don't have any
occurrences of that in our codebase.
Thanks,
Fraser
-------------- next part --------------
From 4e13cd0c960558b0f590c5f74ef0b52f0eb667f2 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 25 Nov 2016 18:04:22 +1000
Subject: [PATCH 140/141] Allow ':' to appear in ACL expressions
Currently if ':' appears in an ACL expression (e.g. a group name, as
occurs in FreeIPA permissions), the ACL gets parsed incorrectly.
Look backwards from end of string for the final ':', so that the ACL
parses correctly.
Part of: https://fedorahosted.org/pki/ticket/1359
---
base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index e37ba25e0446108e266a1b068a7ba2a6e60fb769..9b87f6e2437a398ffd6c4956a8e91809918ab8b9 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -681,8 +681,10 @@ public class CMSEngine implements ICMSEngine {
acl = new ACL(resource, rights, resACLs);
+ // search *backwards* for final instance of ':', to handle case
+ // where acl expressions contain colon, e.g. in a group name.
String stx = st.substring(idx2 + 1);
- int idx3 = stx.indexOf(":");
+ int idx3 = stx.lastIndexOf(":");
String aclStr = stx.substring(0, idx3);
// getting list of acl entries
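Review bot: `idx3` from `stx.lastIndexOf(":")` is passed straight to `stx.substring(0, idx3)` with no check, and the new comment does not record the constraint this change places on the final field. If the remainder contains no ':' at all, `idx3` is -1 and `substring` throws. If the trailing description contains a ':', the split point moves right and part of the description lands in `aclStr`, which the next step reads as the list of ACL entries. Suggest rejecting the line when `idx3 < 0`, with a log message that names `resource`, and extending the comment to state that the description field must not contain ':', so that a later edit to an ACL description does not silently change what is parsed as the rule.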
--
2.7.4