[pmg-devel] [PATCH pmg-api 3/4] utils: user schema: explicitly forbid @ in user-names
Thomas Lamprecht
t.lamprecht at proxmox.com
Wed Feb 26 21:18:57 CET 2025
Am 26.02.25 um 20:17 schrieb Stoiko Ivanov:
> PMGs terms are:
> * 'userid' consists of 'username'@'realm'
>
> without this patch it was possible to create a user through the api,
> with @ in the username ('foo at bar@pmg'), and it got written to the
> user-conf.
> Reading that entry was not possible, as the verification on read was
> stricter.
>
> This patch forbids '@' in usernames, and additionally drops the
> maxLength of 64, as 60 are already enforced by the regex pattern match
> (leaving 4 as minimal length for '@pmg'/'@pam').
>
> Potential for regression should be minimal (the users could not be
> read-back from the config).
>
> Reported-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
> src/PMG/Utils.pm | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
> index 9a50de2..7e4b70b 100644
> --- a/src/PMG/Utils.pm
> +++ b/src/PMG/Utils.pm
> @@ -50,7 +50,7 @@ postgres_admin_cmd
> try_decode_utf8
> );
>
> -my $user_regex = qr![^\s:/]+!;
> +my $user_regex = qr![^\s:@/]+!;
>
> sub valid_pmg_realm_regex {
> my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin::realm_conf_id());
context is now outdated so this needs rebasing
> @@ -110,7 +110,6 @@ PVE::JSONSchema::register_standard_option('username', {
> description => "Username (without realm)",
> type => 'string',
> pattern => '[^\s:\/\@]{1,60}',
> - maxLength => 64,
> });
>
> PVE::JSONSchema::register_standard_option('pmg-email-address', {
More information about the pmg-devel
mailing list