From 0628780abe61e7e50cba48cdafb1837f49ff23b2 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Mon, 24 Feb 2014 15:56:45 +1100
Subject:    - djm@cvs.openbsd.org 2014/02/22 01:32:19      [readconf.c]     
 when processing Match blocks, skip 'exec' clauses if previous predicates     
 failed to match; ok markus@

---
 ChangeLog  |  7 ++++---
 readconf.c | 31 +++++++++++++++++++++----------
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3da503b4..a5cb0648 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,9 +8,10 @@
      [channels.c]
      avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
      bz#2200, debian#738692 via Colin Watson; ok dtucker@
-
-20140221
- - (tim) [configure.ac]  Fix cut-and-paste error. Patch from Bryan Drewery.
+   - djm@cvs.openbsd.org 2014/02/22 01:32:19
+     [readconf.c]
+     when processing Match blocks, skip 'exec' clauses if previous predicates
+     failed to match; ok markus@
 
 20140213
  - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}]  Add compat
diff --git a/readconf.c b/readconf.c
index f80d1ccb..94e64590 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.216 2014/01/29 06:18:35 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.217 2014/02/22 01:32:19 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -537,16 +537,27 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 			    "r", ruser,
 			    "u", pw->pw_name,
 			    (char *)NULL);
-			r = execute_in_shell(cmd);
-			if (r == -1) {
-				fatal("%.200s line %d: match exec '%.100s' "
-				    "error", filename, linenum, cmd);
-			} else if (r == 0) {
-				debug("%.200s line %d: matched "
-				    "'exec \"%.100s\"' ",
+			if (result != 1) {
+				/* skip execution if prior predicate failed */
+				debug("%.200s line %d: skipped exec \"%.100s\"",
 				    filename, linenum, cmd);
-			} else
-				result = 0;
+			} else {
+				r = execute_in_shell(cmd);
+				if (r == -1) {
+					fatal("%.200s line %d: match exec "
+					    "'%.100s' error", filename,
+					    linenum, cmd);
+				} else if (r == 0) {
+					debug("%.200s line %d: matched "
+					    "'exec \"%.100s\"'", filename,
+					    linenum, cmd);
+				} else {
+					debug("%.200s line %d: no match "
+					    "'exec \"%.100s\"'", filename,
+					    linenum, cmd);
+					result = 0;
+				}
+			}
 			free(cmd);
 		} else {
 			error("Unsupported Match attribute %s", attrib);
-- 
cgit v1.2.3