[pve-devel] [PATCH access-control] openid: fix groups-claim regex

[pve-devel] [PATCH access-control] openid: fix groups-claim regex

[Mira Limbeck]

The previous regex matched exactly that combination of characters,
rather than any combination of the specified ones.

Fixes: e80f840 ("openid: make groups-claim RE more restrictive")
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
---
 src/PVE/Auth/OpenId.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 4e496f0..92d75b7 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -10,7 +10,7 @@ use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file
 use base qw(PVE::Auth::Plugin);
 
 # FIXME: restrict username-claim as well?
-my $openid_claim_regex = qr/A-Za-z0-9\.\-_/;
+my $openid_claim_regex = qr/[A-Za-z0-9\.\-_]+/;
 
 sub type {
     return 'openid';
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH access-control] openid: fix groups-claim regex

[Thomas Lamprecht]

On Tue, 08 Apr 2025 13:33:49 +0200, Mira Limbeck wrote:
> The previous regex matched exactly that combination of characters,
> rather than any combination of the specified ones.
> 
> 

Applied, thanks!

[1/1] openid: fix groups-claim regex
      commit: 55ab21ecfcd090ef7d364be39bdbb740391138a4


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel