From 4e13cd0c960558b0f590c5f74ef0b52f0eb667f2 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 25 Nov 2016 18:04:22 +1000
Subject: [PATCH 140/141] Allow ':' to appear in ACL expressions

Currently if ':' appears in an ACL expression (e.g. a group name, as
occurs in FreeIPA permissions), the ACL gets parsed incorrectly.

Look backwards from end of string for the final ':', so that the ACL
parses correctly.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index e37ba25e0446108e266a1b068a7ba2a6e60fb769..9b87f6e2437a398ffd6c4956a8e91809918ab8b9 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -681,8 +681,10 @@ public class CMSEngine implements ICMSEngine {
 
             acl = new ACL(resource, rights, resACLs);
 
+            // search *backwards* for final instance of ':', to handle case
+            // where acl expressions contain colon, e.g. in a group name.
             String stx = st.substring(idx2 + 1);
-            int idx3 = stx.indexOf(":");
+            int idx3 = stx.lastIndexOf(":");
             String aclStr = stx.substring(0, idx3);
 
             // getting list of acl entries
-- 
2.7.4