* [pmg-devel] [PATCH pmg-api v2] utils: user schema: explicitly forbid @ in user-names
@ 2025-02-26 20:58 Stoiko Ivanov
From: Stoiko Ivanov @ 2025-02-26 20:58 UTC (permalink / raw)
To: pmg-devel

PMG's terms are:
* 'userid' consists of 'username'@'realm'

Without this patch it was possible to create a user through the API,
with @ in the username ('foo@bar@pmg'), and it got written to the
user-conf.
Reading that entry was not possible, as the verification on read was
stricter.

This patch forbids '@' in usernames, and additionally drops the
maxLength of 64, as 60 are already enforced by the regex pattern match
(leaving 4 as minimal length for '@pmg'/'@pam').

Potential for regression should be minimal (the users could not be
read-back from the config).

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
minimally tested on top of latest master
- 128 character username
- a@a@pmg
both failing
- 60 character username@pmg - succeeds

src/PMG/Utils.pm | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index c187f93..70e8317 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -49,7 +49,7 @@ postgres_admin_cmd
try_decode_utf8
);
-my $user_regex = qr![^\s:/]+!;
+my $user_regex = qr![^\s:@/]+!;
PVE::JSONSchema::register_standard_option('pmg-starttime', {
description => "Only consider entries newer than 'starttime' (unix epoch). Default is 'now - 1day'.",
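Review bot: The character class in `$user_regex` is now the same set as in the 'username' schema pattern (`[^\s:\/\@]`), but the two are still spelled out separately, and `$user_regex` keeps an unbounded `+` where the schema uses `{1,60}`. The commit message describes a write path that accepted what the read path rejected, which is exactly what two hand-maintained copies of one rule produce. Consider defining the class once and building both patterns from it, or at least adding a comment next to `my $user_regex` that points at the 'username' option so a later change touches both.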
@@ -103,7 +103,6 @@ PVE::JSONSchema::register_standard_option('username', {
description => "Username (without realm)",
type => 'string',
pattern => '[^\s:\/\@]{1,60}',
- maxLength => 64,
});
PVE::JSONSchema::register_standard_option('pmg-email-address', {
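Review bot: With `maxLength => 64` removed from the 'username' option, the `{1,60}` quantifier in `pattern` is the only length limit left, and it limits anything only if the schema validator matches the pattern against the whole string; the pattern as written carries no anchors. The 128-character test in the notes suggests that it does, but the diffstat shows only src/PMG/Utils.pm changed, so nothing pins that behaviour. A small regression test for the three cases listed in the notes (128 characters, a@a@pmg, 60 characters plus @pmg) would cover this hunk and the `$user_regex` change together. A short comment on why the limit is 60 (room for '@pmg'/'@pam', per the commit message) would also help the next reader.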
--
2.39.5
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
* [pmg-devel] applied: [PATCH pmg-api v2] utils: user schema: explicitly forbid @ in user-names
@ 2025-02-26 21:00 ` Thomas Lamprecht
From: Thomas Lamprecht @ 2025-02-26 21:00 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 26.02.25 at 21:58, Stoiko Ivanov wrote:
> PMG's terms are:
> * 'userid' consists of 'username'@'realm'
>
> Without this patch it was possible to create a user through the API,
> with @ in the username ('foo@bar@pmg'), and it got written to the
> user-conf.
> Reading that entry was not possible, as the verification on read was
> stricter.
>
> This patch forbids '@' in usernames, and additionally drops the
> maxLength of 64, as 60 are already enforced by the regex pattern match
> (leaving 4 as minimal length for '@pmg'/'@pam').
>
> Potential for regression should be minimal (the users could not be
> read-back from the config).
>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> minimally tested on top of latest master
> - 128 character username
> - a@a@pmg
> both failing
> - 60 character username@pmg - succeeds
> src/PMG/Utils.pm | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
>
applied, thanks!