libcli:security: allow spaces after BAD:

In AD_DS_Classes_Windows_Server_v1903.ldf from
https://www.microsoft.com/en-us/download/details.aspx?id=23782, we see

  defaultSecurityDescriptor: O:BAG:BAD: (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15685

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jul 25 06:27:27 UTC 2024 on atb-devel-224

(cherry picked from commit 8903876f65d5721d30186875d391889d1ddcd52c)

Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Mon Jul 29 13:17:42 UTC 2024 on atb-devel-224

diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index e14b2748384210561973b56eb23e31f4b1bfbb5d..899db18d651631a10fab866b54952b4069baa423 100644 (file)
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -560,6 +560,11 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
                return acl;
        }
 
+       /* Windows AD allows spaces here */
+       while (*sddl == ' ') {
+               sddl++;
+       }
+
        /* work out the ACL flags */
        if (!sddl_map_flags(acl_flags, sddl, flags, &len, true)) {
                talloc_free(acl);

diff --git a/python/samba/tests/sddl.py b/python/samba/tests/sddl.py
index ac719eb3212a4e9988e16e00b6b1f57b6bb64a6d..4aa9a04ec87a1dae647588face10115dc5d3248a 100644 (file)
--- a/python/samba/tests/sddl.py
+++ b/python/samba/tests/sddl.py
@@ -623,6 +623,11 @@ class SddlNonCanonical(SddlDecodeEncodeBase):
           ("O:LAG:BAD:(A;;CCDCLCSWRPWPDTLOCR;;;WD)"))),
 
         ("D:(A;;FAGX;;;SY)", "D:(A;;0x201f01ff;;;SY)"),
+        # whitespace before ACL string flags is ignored.
+        ("D: (A;;GA;;;LG)", "D:(A;;GA;;;LG)"),
+        ("D: AI(A;;GA;;;LG)", "D:AI(A;;GA;;;LG)"),
+        ("D: P(A;;GA;;;LG)", "D:P(A;;GA;;;LG)"),
+        ("D: S:","D:S:"),
     ]
 
 
@@ -761,17 +766,12 @@ class SddlWindowsIsLessFussy(SddlDecodeEncodeBase):
     strings = [
         # whitespace is ignored, repaired on return
         ("D:(A;;GA;;; LG)", "D:(A;;GA;;;LG)"),
-        ("D: (A;;GA;;;LG)", "D:(A;;GA;;;LG)"),
-        # whitespace before ACL string flags is ignored.
-        ("D: AI(A;;GA;;;LG)", "D:AI(A;;GA;;;LG)"),
         # wrong case on type is ignored, fixed
         ("D:(a;;GA;;;LG)", "D:(A;;GA;;;LG)"),
         ("D:(A;;GA;;;lg)", "D:(A;;GA;;;LG)"),
         ("D:(A;;ga;;;LG)", "D:(A;;GA;;;LG)"),
-        ("D: S:","D:S:"),
 
         # whitespace around ACL flags
-        ("D: P(A;;GA;;;LG)", "D:P(A;;GA;;;LG)"),
         ("D:P (A;;GA;;;LG)", "D:P(A;;GA;;;LG)"),
 
         # whitespace between ACES