[pmg-devel] [PATCH pmg-api master v1] pmgproxy: fix matching against potentially uninitialized value $ticket

Max R. Carrara m.carrara at proxmox.com
Mon Sep 22 15:39:17 CEST 2025


`$ticket` here is undef if a non-empty `Cookie` header is included in
the request, but `PMGAuthCookie` isn't actually set.
`extract_auth_value()` returns undef, because the match fails.

Therefore, check for definedness before matching on `$ticket`.

Additional Context:
Ran into this during testing; as it didn't appear for all VMs, I
figured that some of the VMs' IP addresses belonged to other VMs
previously. After digging a little in the Firefox dev tools, it turned
out that `PVEAuthCookie` is actually sent as well, confirming my
suspicion.

Can easily be reproduced via:
`curl -k -H 'Cookie: Foo=bar' https://$HOSTNAME:8006/`

Signed-off-by: Max R. Carrara <m.carrara at proxmox.com>
---
 src/PMG/Service/pmgproxy.pm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/PMG/Service/pmgproxy.pm b/src/PMG/Service/pmgproxy.pm
index c92a3f3..de7a6c5 100644
--- a/src/PMG/Service/pmgproxy.pm
+++ b/src/PMG/Service/pmgproxy.pm
@@ -226,10 +226,12 @@ sub get_index {
 
         my $ticket = PVE::APIServer::Formatter::extract_auth_value($cookie, $server->{cookie_name});
 
-        if ($ticket =~ m/^PMGQUAR:/) {
-            $username = PMG::Ticket::verify_quarantine_ticket($ticket, 1);
-        } else {
-            $username = PMG::Ticket::verify_ticket($ticket, undef, 1);
+        if (defined($ticket)) {
+            if ($ticket =~ m/^PMGQUAR:/) {
+                $username = PMG::Ticket::verify_quarantine_ticket($ticket, 1);
+            } else {
+                $username = PMG::Ticket::verify_ticket($ticket, undef, 1);
+            }
         }
     } else {
         if (defined($args->{ticket})) {
-- 
2.47.3





More information about the pmg-devel mailing list