libcli:security: allow spaces after BAD:

In AD_DS_Classes_Windows_Server_v1903.ldf from
https://www.microsoft.com/en-us/download/details.aspx?id=23782, we see

  defaultSecurityDescriptor: O:BAG:BAD: (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15685

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jul 25 06:27:27 UTC 2024 on atb-devel-224

diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index d1f770752385b79495f77eb86da4a06a24110940..c0fddb72e5f0b41b34b32107e1f3db1ca7d47032 100644 (file)
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -814,6 +814,11 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
                return acl;
        }
 
+       /* Windows AD allows spaces here */
+       while (*sddl == ' ') {
+               sddl++;
+       }
+
        /* work out the ACL flags */
        if (!sddl_map_flags(acl_flags, sddl, flags, &len, true)) {
                *msg = talloc_strdup(sd, "bad ACL flags");

diff --git a/python/samba/tests/sddl.py b/python/samba/tests/sddl.py
index b594021013a80460fccbb250e5ed2267522821e0..6d4448233e37d296a0fa392abf384a845db9b4ed 100644 (file)
--- a/python/samba/tests/sddl.py
+++ b/python/samba/tests/sddl.py
@@ -670,6 +670,11 @@ class SddlNonCanonical(SddlDecodeEncodeBase):
           ("O:LAG:BAD:(A;;CCDCLCSWRPWPDTLOCR;;;WD)"))),
 
         ("D:(A;;FAGX;;;SY)", "D:(A;;0x201f01ff;;;SY)"),
+        # whitespace before ACL string flags is ignored.
+        ("D: (A;;GA;;;LG)", "D:(A;;GA;;;LG)"),
+        ("D: AI(A;;GA;;;LG)", "D:AI(A;;GA;;;LG)"),
+        ("D: P(A;;GA;;;LG)", "D:P(A;;GA;;;LG)"),
+        ("D: S:","D:S:"),
     ]
 
 
@@ -818,17 +823,12 @@ class SddlWindowsIsLessFussy(SddlDecodeEncodeBase):
     strings = [
         # whitespace is ignored, repaired on return
         ("D:(A;;GA;;; LG)", "D:(A;;GA;;;LG)"),
-        ("D: (A;;GA;;;LG)", "D:(A;;GA;;;LG)"),
-        # whitespace before ACL string flags is ignored.
-        ("D: AI(A;;GA;;;LG)", "D:AI(A;;GA;;;LG)"),
         # wrong case on type is ignored, fixed
         ("D:(a;;GA;;;LG)", "D:(A;;GA;;;LG)"),
         ("D:(A;;GA;;;lg)", "D:(A;;GA;;;LG)"),
         ("D:(A;;ga;;;LG)", "D:(A;;GA;;;LG)"),
-        ("D: S:","D:S:"),
 
         # whitespace around ACL flags
-        ("D: P(A;;GA;;;LG)", "D:P(A;;GA;;;LG)"),
         ("D:P (A;;GA;;;LG)", "D:P(A;;GA;;;LG)"),
 
         # whitespace between ACES