[pve-devel] [PATCH access-control 1/3] ticket: properly verify exactly 5min old tickets

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Jun 19 11:46:17 CEST 2019


to fix an issue where valid tickets could be rejected 5 minutes after a
key rotation, where the minimum age is exactly 0 seconds.

thanks Dominik for triaging!

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---

Notes:
    note: this should probably be applied to master and stable-5

 PVE/AccessControl.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 5de060d..fff2df2 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -283,7 +283,7 @@ sub verify_ticket {
 	return undef if !$rsa_pub;
 
 	my ($min, $max) = $get_ticket_age_range->($now, $rsa_mtime, $old);
-	return undef if !$min;
+	return undef if !defined($min);
 
 	return PVE::Ticket::verify_rsa_ticket(
 	    $rsa_pub, 'PVE', $ticket, undef, $min, $max, 1);
-- 
2.20.1





More information about the pve-devel mailing list