[pve-devel] [PATCH common] fix #5034 ldap attribute regex

Wed Nov 15 14:28:01 CET 2023

On 15.11.23 13:23, Markus Frank wrote:
> Change regex from "m/^[a-zA-Z0-9]+$/" to "m/^[a-zA-Z0-9\-]+$/"
> to allow hyphen in ldap attribute names for pve & pmg.
> 
> Signed-off-by: Markus Frank <m.frank at proxmox.com>
> ---
> There does not seem to be a regex for LDAP attributes in pbs.
> Should a regex be added for this?
> 

we recently moved away from using regex for validating a LDAP
configuration, for two reasons:

1. turns out finding a regex that validates all possible valid LDAP DNs
   is pretty hard and fixing this often comes along with breaking older
   setups
2. even a valid *looking* DN may not actual work against a real LDAP
   server.

so instead we now actually try to query an LDAP server with the provided
config and see if that returns anything. thus, users are more likely to
get what they want, and we don't have to validate for every possible case.

i guess there could be an argument why a regex here makes sense.
however, i'd imagine it's a little odd for users that we are stricter
here than we are with DNs.

>  src/PVE/JSONSchema.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm
> index 49e0d7a..ef58b62 100644
> --- a/src/PVE/JSONSchema.pm
> +++ b/src/PVE/JSONSchema.pm
> @@ -408,7 +408,7 @@ PVE::JSONSchema::register_format('ldap-simple-attr', \&verify_ldap_simple_attr);
>  sub verify_ldap_simple_attr {
>      my ($attr, $noerr) = @_;
>  
> -    if ($attr =~ m/^[a-zA-Z0-9]+$/) {
> +    if ($attr =~ m/^[a-zA-Z0-9\-]+$/) {

if i'm not mistaken, this regex should try to filter an `AttributeValue`
[1]. in case we do stick with this regex approach here, you may want to
relax this even further, as per the standard:

>  If that UTF-8-encoded Unicode string does not have any of the
>  following characters that need escaping, then that string can be used
>  as the string representation
>  of the value.
>
>      - a space (' ' U+0020) or number sign ('#' U+0023) occurring at
>        the beginning of the string;
>
>      - a space (' ' U+0020) character occurring at the end of the
>        string;
>
>      - one of the characters '"', '+', ',', ';', '<', '>',  or '\'
>        (U+0022, U+002B, U+002C, U+003B, U+003C, U+003E, or U+005C,
>        respectively);
>
>      - the null (U+0000) character.
>
>   Other characters may be escaped.

>  	return $attr;
>      }
>  