[pmg-devel] [PATCH pmg-api 3/4] utils: user schema: explicitly forbid @ in user-names

[Stoiko Ivanov]

PMGs terms are:
* 'userid' consists of 'username'@'realm'

without this patch it was possible to create a user through the api,
with @ in the username ('foo at bar@pmg'), and it got written to the
user-conf.
Reading that entry was not possible, as the verification on read was
stricter.

This patch forbids '@' in usernames, and additionally drops the
maxLength of 64, as 60 are already enforced by the regex pattern match
(leaving 4 as minimal length for '@pmg'/'@pam').

Potential for regression should be minimal (the users could not be
read-back from the config).

Reported-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
 src/PMG/Utils.pm | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index 9a50de2..7e4b70b 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -50,7 +50,7 @@ postgres_admin_cmd
 try_decode_utf8
 );
 
-my $user_regex = qr![^\s:/]+!;
+my $user_regex = qr![^\s:@/]+!;
 
 sub valid_pmg_realm_regex {
     my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin::realm_conf_id());
@@ -110,7 +110,6 @@ PVE::JSONSchema::register_standard_option('username', {
     description => "Username (without realm)",
     type => 'string',
     pattern => '[^\s:\/\@]{1,60}',
-    maxLength => 64,
 });
 
 PVE::JSONSchema::register_standard_option('pmg-email-address', {
-- 
2.39.5