From: Christian Ebner
To: Maximiliano Sandoval, pbs-devel@lists.proxmox.com
Subject: Re: [PATCH backup v2 1/3] fix #7054: client: remove trailing newlines from credentials
Date: Mon, 23 Feb 2026 08:55:39 +0100
Message-ID: <0aa3aa61-b92c-41b1-a982-a4c0a7a989fa@proxmox.com>
In-Reply-To: <20260220123818.365489-2-m.sandoval@proxmox.com>
References: <20260220123818.365489-1-m.sandoval@proxmox.com> <20260220123818.365489-2-m.sandoval@proxmox.com>
List-Id: Proxmox Backup Server development discussion

On 2/20/26 1:38 PM, Maximiliano Sandoval wrote:
> For repositories and fingerprints we simply strip trailing whitespaces.

This should explicitly state that this is done for improved usability.

> For passwords, we refer to the password regex at proxmox-schema:
> `^[[:^cntrl:]]*$`, we can only strip trailing control characters without
> potentially breaking existing passwords.

This is however not what the patch does, it only strips trailing newlines from the password blob, leaving other control characters in place to be matched by the schema's regex.

> The encryption password is just a blob of bytes handled locally by the > client, we cannot remove trailing whitespace here without potential > breakage. Creation of such passwords (via > proxmox_sys::tty::read_and_verify_password) only verifies valid utf-8 > and len >= 5. > > Signed-off-by: Maximiliano Sandoval > --- > pbs-client/src/tools/mod.rs | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/pbs-client/src/tools/mod.rs b/pbs-client/src/tools/mod.rs > index 7a496d14c..f28d9f32f 100644 > --- a/pbs-client/src/tools/mod.rs > +++ b/pbs-client/src/tools/mod.rs > @@ -168,7 +168,17 @@ fn get_secret_impl(env_variable: &str, credential_name: &str) -> Result if let Some(password) = get_secret_from_env(env_variable)? { > Ok(Some(password)) > } else if let Some(password) = get_credential(credential_name)? { > - String::from_utf8(password) > + str::from_utf8(&password) > + .map(|s| { > + if matches!(credential_name, CRED_PBS_REPOSITORY | CRED_PBS_FINGERPRINT) { > + s.trim_end() > + } else if credential_name == CRED_PBS_PASSWORD { > + s.trim_end_matches('\n') > + } else { > + s > + } > + }) > + .map(ToOwned::to_owned) > .map(Option::Some) > .map_err(|_err| format_err!("credential {credential_name} is not utf8 encoded")) > } else {
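
Review bot: In the `CRED_PBS_PASSWORD` branch, `s.trim_end_matches('\n')` removes only line feeds, so a credential file written with CRLF line endings keeps a trailing `\r`, which is a control character and would still be rejected by the `^[[:^cntrl:]]*$` regex cited in the commit message. If that regex applies, no valid password can end in an ASCII control character, so trimming with a closure such as `|c: char| c.is_ascii_control()` would match the stated intent without touching existing passwords. A short comment above the `matches!` explaining why repository and fingerprint, password, and the remaining credentials are each trimmed differently would keep that reasoning next to the code instead of only in the commit message. It is also worth confirming that the unchanged `get_secret_from_env` branch, which still returns `Ok(Some(password))` as-is, is meant to stay untrimmed.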