[pmg-devel] [PATCH pmg-api] utils: verify_username: allow quarantine logins again
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Feb 27 10:55:45 CET 2025
On 27.02.25 at 10:49, Stoiko Ivanov wrote:
> verify_username is used in many places to split into realms (the part
> after the last '@') and usernames (everthing before).
>
> The commit disallowing '@' in usernames broke quarantine login
> (users login with `localpart@domainname.com@quarantine`)
>
we actually allow @ in PVE/PBS and just use the last occurring @ as separator
for the realm, maybe better to go that route here too for consistency, or
what do we win?
> Fixes: 9665bbc ("utils: user schema: explicitly forbid @ in user-names")
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
> tested minimally with my local setup (and with Dominik's GUI patches)
>
> src/PMG/API2/Users.pm | 2 ++
> src/PMG/Utils.pm | 2 +-
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/PMG/API2/Users.pm b/src/PMG/API2/Users.pm
> index 132783d..9cbcfd1 100644
> --- a/src/PMG/API2/Users.pm
> +++ b/src/PMG/API2/Users.pm
> @@ -126,6 +126,8 @@ __PACKAGE__->register_method ({
> my ($userid, $username, $realm) = PMG::Utils::verify_username($entry->{userid});
> die "invalid realm '$realm' in userid\n" if !PMG::Auth::Plugin::is_valid_realm($realm);
>
> + die "'@' forbidden in username\n" if $username =~/@/;;
> +
> if ($entry->{realm}) {
> die "realm parameter does not fit userid ('$entry->{realm}' != '$realm')\n"
> if $entry->{realm} ne $realm;
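Review bot: the added line `die "'@' forbidden in username\n" if $username =~/@/;;` ends in a doubled semicolon and has no space after `=~`; it should read `if $username =~ /@/;`. With '@' removed from the regex in Utils.pm, this check is the only place in the patch where the restriction is enforced, so a one-line comment here saying that verify_username accepts '@' for quarantine logins and that it is rejected at this point would make the intent clear to the next reader.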
> diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
> index 70e8317..3e7adbb 100644
> --- a/src/PMG/Utils.pm
> +++ b/src/PMG/Utils.pm
> @@ -49,7 +49,7 @@ postgres_admin_cmd
> try_decode_utf8
> );
>
> -my $user_regex = qr![^\s:@/]+!;
> +my $user_regex = qr![^\s:/]+!;
>
> PVE::JSONSchema::register_standard_option('pmg-starttime', {
> description => "Only consider entries newer than 'starttime' (unix epoch). Default is 'now - 1day'.",
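Review bot: removing '@' from the character class in `$user_regex` loosens the check for everything that uses this regex, and the commit message itself says verify_username is used in many places, while the patch re-adds the restriction at a single spot in Users.pm. The commit message should say which other callers were checked, and a comment above `$user_regex` should state that '@' is permitted because of quarantine logins and that the realm is the part after the last '@'.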