[pmg-devel] [PATCH pmg-api] Registration: Restrict special characters in usernames when creating a new user

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Mar 29 14:37:28 CEST 2023


On March 28, 2023 11:33 am, Moayad Almalat wrote:
> From: Moayad Almalat <m.almalat at .proxmox.com>
> 
> Signed-off-by: Moayad Almalat <m.almalat at proxmox.com>
> ---
>  src/PMG/Utils.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
> index 6405934..41b47c7 100644
> --- a/src/PMG/Utils.pm
> +++ b/src/PMG/Utils.pm
> @@ -92,7 +92,7 @@ sub verify_username {
>      # slash is not allowed because it is used as pve API delimiter
>      # also see "man useradd"
>      my $realm_list = join('|', @$valid_pmg_realms);
> -    if ($username =~ m!^([^\s:/]+)\@(${realm_list})$!) {
> +    if ($username =~ m!^([A-Za-z0-9_\-.]+)\@(${realm_list})$!) {
>  	return wantarray ? ($username, $1, $2) : $username;
>      }
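
Review bot: the new character class on the `+` line is inside verify_username itself, so the allow-list `[A-Za-z0-9_\-.]+` applies to every caller of this function and not only to user creation as the subject line says. Names the old `[^\s:/]+` accepted, such as ones containing `+` or non-ASCII letters, would no longer validate. Consider keeping the deny-list and extending it with the specific characters that cause the problem, or doing the stricter check only on the create path. The comment above the match still only explains why slash is forbidden and would need updating to describe the new rule, and the commit message gives no rationale for the chosen character set.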

this doesn't only restrict the allowed characters when registering, but also for
all existing users, including logging in..

probably adding \0 to the list of forbidden characters is sane, anything else
requires careful checks and maybe fixing in other places rather than here (or at
least, be postponed to a major release so that people can fix up their config
beforehand).

see the PVE bug for a similar issue: https://bugzilla.proxmox.com/show_bug.cgi?id=4461



