[pve-devel] [PATCH access-control 2/2] fix #1499: check ACL path validity
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Oct 10 16:09:52 CEST 2017
On 10/10/2017 03:58 PM, Philip Abernethy wrote:
> On Tue, Oct 10, 2017 at 03:53:45PM +0200, Thomas Lamprecht wrote:
>> On 10/10/2017 03:44 PM, Philip Abernethy wrote:
>>> Checks ACL paths for logical validity before application. Checks of
>>> the various IDs are done by the existing format checkers to avoid code
>>> duplication.
>>> Also introduces a distinction between malformed (syntactically
>>> incorrect) and invalid (syntactically correct, but contextually wrong)
>>> paths.
>>
>> Just for the record, this fixes 1500 not 1499:
>> https://bugzilla.proxmox.com/show_bug.cgi?id=1500
>>
>> 1500 is intended for the backend check (i.e., this fix) where 1499
>> was opened for the frontend UI.
>
> Oops, true. I can submit a v2 if desired. However this probably fixes
> both bugs, as the resulting exception is displayed on the WebUI and CLI
> as well.
I'd only do so if other comments arise regarding the changes, else this
could be fixed up on applying.
To some extend, it fixes both. But for 1499 it had a usability improvement
in mind. There the user does not directly sees the options for possible
object paths. As you see in the RFE description I made proposals/wishes
about how it could be handled - but as its located in pve-manager and
would be ExtJS I separated it into two bugs, as for the one not used to
ExtJS (if that can be achieved at all) 1500 is much easier than 1499 -
and as it enforces valid paths in the API it's arguably the more important
fix.
>>
>> Thanks for tackling this, though!
>>
>>> ---
>>> PVE/API2/ACL.pm | 4 +++-
>>> PVE/AccessControl.pm | 13 +++++++++++++
>>> 2 files changed, 16 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
>>> index d37771b..20d3d2a 100644
>>> --- a/PVE/API2/ACL.pm
>>> +++ b/PVE/API2/ACL.pm
>>> @@ -132,7 +132,9 @@ __PACKAGE__->register_method ({
>>> }
>>>
>>> my $path = PVE::AccessControl::normalize_path($param->{path});
>>> - raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
>>> + raise_param_exc({ path => "malformed ACL path '$param->{path}'" }) if !$path;
>>> + raise_param_exc({ path => "invalid ACL path '$param->{path}'" })
>>> + if !PVE::AccessControl::validate_path($path);
>>>
>>> PVE::AccessControl::lock_user_config(
>>> sub {
>>> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
>>> index f0fb7dc..183bf21 100644
>>> --- a/PVE/AccessControl.pm
>>> +++ b/PVE/AccessControl.pm
>>> @@ -591,6 +591,19 @@ sub verify_privname {
>>> return $priv;
>>> }
>>>
>>> +sub validate_path {
>>> + my $path = shift;
>>> + return 0 if $path !~ m'^/(vms|nodes|storage|pool|access/(?:groups|realms))(?:/([[:alnum:]\.\-\_]+))?$';
>>> +
>>> + if ($1 eq 'vms') {PVE::JSONSchema::pve_verify_vmid($2) if $2;}
>>> + elsif ($1 eq 'nodes') {PVE::JSONSchema::pve_verify_node_name($2) if $2;}
>>> + elsif ($1 eq 'storage') {PVE::JSONSchema::parse_storage_id($2) if $2;}
>>> + elsif ($1 eq 'pool') {verify_poolname($2) if $2;}
>>> + elsif ($1 eq 'access/realms') {PVE::Auth::Plugin::pve_verify_realm($2) if $2;}
>>> +
>>> + return 1;
>>> +}
>>> +
>>> sub userconfig_force_defaults {
>>> my ($cfg) = @_;
>>>
>>>
>>
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
More information about the pve-devel
mailing list