From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id EEB521FF17E for ; Thu, 2 Oct 2025 09:57:34 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 73FCE8F0D; Thu, 2 Oct 2025 09:57:42 +0200 (CEST) From: Shannon Sterz To: pbs-devel@lists.proxmox.com Date: Thu, 2 Oct 2025 09:57:06 +0200 Message-ID: <20251002075706.20324-1-s.sterz@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1759391805429 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.058 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [lib.rs] Subject: [pbs-devel] [PATCH proxmox v3] login: use `ticket` if both it and `ticket_info` are provided X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" previously the precense of `ticket_info` was assumed to indicate the HTTPOnly authentication flow. the `ticket` field was ignore in that case, because the client has no way of validating a ticket anyway. this commit changes the behaviour to assume that the server is not trying to "trick us" and that the presence of a `ticket` field indicates that this value should be used for authentication. if the `ticket_info` field is also present, it will be ignored. this fixes an issue where authentication against later versions of proxmox-backup-server 3.4 failed. including versions up to and including version 3.4.6-1. Signed-off-by: Shannon Sterz --- changes since v2, thanks @ Christian Ebner * also prefer the ticket field in `SecondFactorChallenge::response_bytes()` changes since v1: * rebase on current master proxmox-login/src/lib.rs | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/proxmox-login/src/lib.rs b/proxmox-login/src/lib.rs index 4482f2e4..4b2869a7 100644 --- a/proxmox-login/src/lib.rs +++ b/proxmox-login/src/lib.rs @@ -198,22 +198,24 @@ impl Login { )); } - // `ticket_info` is set when the server sets the ticket via an HttpOnly cookie. this also - // means we do not have access to the cookie itself which happens for example in a browser. - // assume that the cookie is handled properly by the context (browser) and don't worry - // about handling it ourselves. - if let Some(ref ticket) = response.ticket_info { - let ticket = ticket.parse()?; - return Ok(TicketResult::HttpOnly( - self.authentication_for(ticket, response)?, - )); - } - // old authentication flow where we needed to handle the ticket ourselves even in the // browser etc. let ticket: TicketResponse = match response.ticket { Some(ref ticket) => ticket.parse()?, - None => return Err("no ticket information in response".into()), + None => { + // `ticket_info` is set when the server sets the ticket via a HttpOnly cookie. this + // also means we do not have access to the cookie itself which happens for example + // in a browser. assume that the cookie is handled properly by the context + // (browser) and don't worry about handling it ourselves. + if let Some(ref ticket) = response.ticket_info { + let ticket = ticket.parse()?; + return Ok(TicketResult::HttpOnly( + self.authentication_for(ticket, response)?, + )); + } + + return Err("no ticket information in response".into()); + } }; Ok(match ticket { @@ -384,15 +386,15 @@ impl SecondFactorChallenge { // get the ticket from: // 1. the cookie if possible -> new HttpOnly authentication outside of the browser - // 2. just the `ticket_info` -> new HttpOnly authentication inside a browser context or - // similar, assume the ticket is handle by that - // 3. the `ticket` field -> old authentication flow where we handle the ticket ourselves + // 2. the `ticket` field -> old authentication flow where we handle the ticket ourselves + // 3. if there is no `ticket` field, check if we have a `ticket_info` field -> new HttpOnly + // authentication inside of a browser (or similar context) that handles the ticket for us let ticket: Ticket = cookie_ticket .ok_or(ResponseError::from("no ticket in response")) .or_else(|e| { response - .ticket_info - .or(response.ticket) + .ticket + .or(response.ticket_info) .ok_or(e) .and_then(|t| t.parse().map_err(|e: TicketError| e.into())) })?; -- 2.47.3 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel