Subversion 1.5 SASL doesn't work correctly with Kerberos cross-realm authentication

First off, Subversion's code is lovely to read.

The subject pretty much says it all. The SASL support in
Subversion 1.5 blindly removes realm specifiers from the user's
authentication.

There's a seatbelt early in cyrus_auth.c which protects against
security problems associated with removing the realm as described
by this comment:

      /* The only valid realm is user_realm (i.e. the repository's realm).
             If the user gave us another realm, complain. */

Later, at the end of cyrus_auth_request() the realm is yanked off
of the authenticated user, which creates the potential security
issue that the seatbelt in cyrus_auth.c is protecting against:

      if ((p = strchr(user, '@')) != NULL)
        /* Drop the realm part. */
        b->user = apr_pstrndup(b->pool, user, p - (char *)user);
      else

I guess I'd propose changing the default behavior to allow
cross-realm and strip the realm part off in cyrus_auth_request()
if-and-only-if it matches the configured "user_realm". I'd like to
see a flag to disable the stripping of the realm entirely, as
people with lots of cross-realm will almost certainly prefer that.

(And while I'm commenting, has no one looked into logging in
svnserve since 2005? It's kinda a big thing to be missing, at
least among the paranoid.)

-- 
Oracle Confidential Information        
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956