[pve-devel] applied: [PATCH access-control 1/3] ticket: properly verify exactly 5min old tickets

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Jun 19 12:01:05 CEST 2019


On 6/19/19 11:46 AM, Fabian Grünbichler wrote:
> to fix an issue where valid tickets could be rejected 5 minutes after a
> key rotation, where the minimum age is exactly 0 seconds.
> 
> thanks Dominik for triaging!
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> 
> Notes:
>     note: this should probably be applied to master and stable-5
> 
>  PVE/AccessControl.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index 5de060d..fff2df2 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -283,7 +283,7 @@ sub verify_ticket {
>  	return undef if !$rsa_pub;
>  
>  	my ($min, $max) = $get_ticket_age_range->($now, $rsa_mtime, $old);
> -	return undef if !$min;
> +	return undef if !defined($min);
>  
>  	return PVE::Ticket::verify_rsa_ticket(
>  	    $rsa_pub, 'PVE', $ticket, undef, $min, $max, 1);
> 
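Review bot: the `return undef if !defined($min);` line in verify_ticket should carry a short comment saying that a minimum age of 0 is a valid value (the commit message gives it as the case 5 minutes after a key rotation), because `!$min` reads as a natural shorthand and a later cleanup could quietly bring the rejection back. The check now also depends on `$get_ticket_age_range` signalling "no usable range" with undef specifically, never with 0, so that contract is worth stating where the helper is defined. The diffstat shows only PVE/AccessControl.pm touched, so this patch adds nothing that exercises the min == 0 boundary; a test that verifies a ticket at exactly that boundary would pin the behaviour.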

applied all three patches, thanks!




