Set include_realm=1 default in parse_hba_line

With include_realm=1 being set down in parse_hba_auth_opt, if multiple
options are passed on the pg_hba line, such as:

host all     all    0.0.0.0/0    gss include_realm=0 krb_realm=XYZ.COM

We would mistakenly reset include_realm back to 1.  Instead, we need to
set include_realm=1 up in parse_hba_line, prior to parsing any of the
additional options.

Discovered by Jeff McCormick during testing.

Bug introduced by 9a08841.

Back-patch to 9.5

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 23c8b5de6b448650e6d8c5b7c38a198bb2ab2f99..94f7cfa84ccfaa72c339ce6b9c8fe4034a5ada8e 100644 (file)
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1274,6 +1274,19 @@ parse_hba_line(List *line, int line_num, char *raw_line)
                return NULL;
        }
 
+       /*
+        * For GSS and SSPI, set the default value of include_realm to true.
+        * Having include_realm set to false is dangerous in multi-realm
+        * situations and is generally considered bad practice.  We keep the
+        * capability around for backwards compatibility, but we might want to
+        * remove it at some point in the future.  Users who still need to strip
+        * the realm off would be better served by using an appropriate regex in a
+        * pg_ident.conf mapping.
+        */
+       if (parsedline->auth_method == uaGSS ||
+               parsedline->auth_method == uaSSPI)
+               parsedline->include_realm = true;
+
        /* Parse remaining arguments */
        while ((field = lnext(field)) != NULL)
        {
@@ -1376,19 +1389,6 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
        hbaline->ldapscope = LDAP_SCOPE_SUBTREE;
 #endif
 
-       /*
-        * For GSS and SSPI, set the default value of include_realm to true.
-        * Having include_realm set to false is dangerous in multi-realm
-        * situations and is generally considered bad practice.  We keep the
-        * capability around for backwards compatibility, but we might want to
-        * remove it at some point in the future.  Users who still need to strip
-        * the realm off would be better served by using an appropriate regex in a
-        * pg_ident.conf mapping.
-        */
-       if (hbaline->auth_method == uaGSS ||
-               hbaline->auth_method == uaSSPI)
-               hbaline->include_realm = true;
-
        if (strcmp(name, "map") == 0)
        {
                if (hbaline->auth_method != uaIdent &&