[pve-devel] [PATCH pve-access-control] fix #5190: access-control: openid acr format regex

Gabriel Goller g.goller at proxmox.com
Tue Feb 6 11:11:01 CET 2024


Restrict the acr-value regex a little bit so as to align the behavior
with PBS. The openid documentation says that the acr-value *should* be
an URI [0]. Added a regex that loosely disallows some of the reserved URI
characters specified in the RFC [1].

Values like:
 * "urn:mace:incommon:iap:silver"
 * "urn:comsolve.nl:idp:contract:rba:location"
SHOULD work, but values like:
 * "urn:#ace:incommon:iap:silver"
 * "urn:"omsolve.nl:idp:contract:rba:location"
should NOT work.

[0]: https://openid.net/specs/openid-connect-core-1_0.html
[1]: https://www.rfc-editor.org/rfc/rfc2396.txt

Signed-off-by: Gabriel Goller <g.goller at proxmox.com>
---
 src/PVE/Auth/OpenId.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 56904e6..c8e4db9 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -59,7 +59,8 @@ sub properties {
 	'acr-values' => {
 	    description => "Specifies the Authentication Context Class Reference values that the"
 		."Authorization Server is being requested to use for the Auth Request.",
-	    type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
+	    type => 'string',
+	    pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
 	    optional => 1,
 	},
    };
-- 
2.43.0





More information about the pve-devel mailing list