STABLE12-rxkad5-dont-allow-dot-in-aname-20021114

otherwise we need to deal with the fact that we're using . as a separator

(cherry picked from commit 21e056922d695c3fb49b48afc6e68391c764b16b)

diff --git a/src/rxkad/ticket5.c b/src/rxkad/ticket5.c
index f9b52291eac87f8eda118c0963c91fedd9e8936b..93de592d8fa4771a014bdb49b09497170f5ef764 100644 (file)
--- a/src/rxkad/ticket5.c
+++ b/src/rxkad/ticket5.c
@@ -182,6 +182,14 @@ int tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len,
        goto bad_ticket;
     }
     
+    /* 
+     * If the first part of the name_string contains a dot, punt since
+     * then we can't see the diffrence between the kerberos 5
+     * principals foo.root and foo/root later in the fileserver.
+     */
+     if (strchr(decr_part.cname.name_string.val[0], '.') != NULL) 
+        goto bad_ticket;
+
     /* Verify that decr_part.key is of right type */
     switch (decr_part.key.keytype) {
     case ETYPE_DES_CBC_CRC: